Apple security at DEF CON 2022

The DEF CON 2022 cybersecurity conference was held in mid-August, and as usual there were some great Apple-focused presentations at the event. DEF CON is a convention put on by security experts, for security experts. As such, the talks tend to be highly technical. Nevertheless, they always contain important information for everyday computer users and people with a general interest in cybersecurity. Here are some highlights from the Apple security talks at this year’s DEF CON — along with key takeaways from SecureMac’s leadership team:

Process injection vulnerabilities on macOS

Security researcher Thijs Alkemade gave a talk entitled “Process injection: breaking all macOS security layers with a single vulnerability.” 

The focus of the presentation was CVE-2021-30873, a vulnerability discovered by Alkemade and patched by Apple as of macOS Monterey 12.0.1.

The vulnerability has to do with the way macOS apps save their state when a user shuts down their system or when an app has been inactive for some time.

As macOS users are no doubt aware, when you shut down a Mac, it gives you the option to reopen all of your app windows when you log back in again. To make this possible, the OS has a functionality that saves the current state of each app whenever a user selects this option. 

That state data gets stored in several locations on macOS. But as Alkemade discovered, one of those locations was still using a vulnerable method of data encoding that could have allowed a malicious actor to execute a “process injection” attack. Glossing the details a little, process injection is when a process is allowed to run code inside of another process.

The saved state vulnerability meant that a bad actor could save a bit of malicious code in the vulnerable data storage location and then have it run by a trusted process—with that process’s privileges. As Alkemade demonstrated, this could have led to a macOS App Sandbox escape, privilege escalation, or a System Integrity Protection bypass. A bad guy with a high level of access, noted Alkemade, would be able to read protected files, access the webcam and microphone, or install persistent malware on the system.

The takeaway

“The lesson here is that given enough time and resources, there will almost always be a way for an attacker to get a machine to do their bidding,” says SecureMac’s Principal Malware Research Engineer Israel Torres. “That’s why it’s so necessary to have dedicated third-party oversight to watch for these types of attacks — and to help alert the system and its users of attempted compromises.” 

PACMAN and the M1 Mac 

Joseph Ravichandran, a PhD student from MIT, presented “The PACMAN Attack: Breaking PAC on the Apple M1 with Hardware Attacks.” The talk was based on a paper published by Ravichandran and his co-researchers at MIT’s Computer Science & Artificial Intelligence Laboratory (Weon Taek Na, Jay Lang, and Mengjia Yan).

Introduced in 2020, Apple’s M1 processor was the beginning of a new era for macOS users — one marked by fast, high-performance chips purpose built for the Mac.

But as Ravichandran and his fellow researchers discovered, even a very well-designed processor can have security vulnerabilities.

The team from MIT devised a method to bypass a fundamental security protection of the M1 processor: pointer authentication. In this context, a “pointer” is a variable that references a location in computer memory. Pointer authentication is a security feature of ARM-based processors like the M1. It prevents bad actors from tampering with pointers and using them to convince a computer to go somewhere in memory that it shouldn’t. 

Pointer authentication relies on cryptography to produce pointer authentication codes, or PACs, that are used to verify that a pointer is genuine. Ravichandran and his colleagues discovered that if an M1 system is already running software with a memory corruption bug, it’s possible to guess the correct PAC for a pointer that you want to exploit using brute-force techniques. 

Normally, that wouldn’t work: Guessing an incorrect PAC would just trigger a system crash. But the MIT researchers found that they could use speculative execution to make as many PAC guesses as they liked, and check the results of their guesses by looking for the telltale side effects that showed up in a memory buffer. 

While the team’s work is highly theoretical, and the real-world effects of such an attack would depend on a number of factors, PACMAN is similar to the serious Spectre and Meltdown vulnerabilities — and like Spectre and Meltdown, cannot be addressed by software patches. 

The takeaway

“It’s always amazing to see how researchers get into so many nooks and crannies that engineering may have missed after a new chip has been developed,” says Torres. “It looks like Apple’s solution is going to be the M2 — and letting planned obsolescence do the rest!”

Zoom updater vulnerabilities

Apple security researcher Patrick Wardle gave a talk called “You’re Muted Rooted” on the subject of Zoom vulnerabilities.

Wardle wanted to investigate the security of the Zoom automatic update process. He began digging deeper — and found not one, but two potentially serious vulnerabilities.

The first vulnerability had to do with the way Zoom’s updater app checks update packages for safety. By design, the Zoom updater will only run an update package that has been cryptographically signed by Zoom. However, there was a flaw in the way that Zoom was using an internal macOS tool to validate cryptographic signatures. Essentially, the tool was set to consider too much output from the package under inspection … including the name of the package itself!

The upshot is that a bad actor could have simply named a malicious package something that would then be interpreted as a valid signature. The cryptographic check could thus be bypassed trivially, allowing them to substitute an update package with something malicious.

A second bug would have allowed a bad actor to bypass a different Zoom security check: one that ensures an update package contains the most current version of the app. Because of this vulnerability, it would have been possible to “downgrade” the Zoom app on a target machine to a less secure version using Zoom’s own updater tool. The result could be a bad actor gaining root access to the Mac.

The takeaway

“This just goes to show, yet again, how essential third-party researchers are in today’s security landscape,” remarked Torres. “They fight for the users — and help protect organizations and users alike.”

SecureMac founder and CEO Nicholas Raba agrees, saying, “The more eyes and minds you have poking and prodding and looking for weaknesses, the safer an environment you create. Researchers will keep finding vulnerabilities — and ways to exploit them — but ultimately that helps bring these issues to light and makes everyone more secure.”

Learning more about Apple security:

If you’d like to go deeper into the world of Apple security, we recommend reading the complete write-ups and/or presentation slides of the research highlighted in this article:

• Thijs Alkemade’s blog post on macOS process injection
• The PACMAN attack FAQ website and full research paper
• Patrick Wardle’s DEF CON presentation slides

To learn more about the cybersecurity issues raised by these talks — and about best practices for staying safe — check out the following podcast episodes and blog posts:

• Setting up a new Mac for security introduces best practices for macOS security
• Checklist 73: Meltdown, Spectre and You! discusses hardware-based security vulnerabilities
• Checklist 216: Zooming in 2021 covers Zoom security issues and best practices