
An Apple Malware-Flagging Tool Is ‘Trivially’ Easy to Bypass


One of your Mac’s built-in malware detection tools may not be working quite as well as you think. At the Defcon hacker conference in Las Vegas, longtime Mac security researcher Patrick Wardle presented findings today about vulnerabilities in Apple’s macOS Background Task Management mechanism, which could be exploited to bypass and, therefore, defeat the company’s recently added monitoring tool.

There’s no foolproof method for catching malware on computers with perfect accuracy because, at their core, malicious programs are just software, like your web browser or chat app. It can be difficult to tell the legitimate programs from the transgressors. So operating system makers like Microsoft and Apple, as well as third-party security companies, are always working to develop new detection mechanisms and tools that can spot potentially malicious software behavior in new ways.

Apple’s Background Task Management tool focuses on watching for software “persistence.” Malware can be designed to be ephemeral and operate only briefly on a device or until the computer restarts. But it can also be built to establish itself more deeply and “persist” on a target even when the computer is shut down and rebooted. Lots of legitimate software needs persistence so all of your apps and data and preferences will show up as you left them every time you turn on your device. But if software establishes persistence unexpectedly or out of the blue, it could be a sign of something malicious. 

With this in mind, Apple added Background Task Manager in macOS Ventura, which launched in October 2022, to send notifications both directly to users and to any third-party security tools running on a system if a “persistence event” occurs. This way, if you know you just downloaded and installed a new application, you can disregard the message. But if you didn’t, you can investigate the possibility that you’ve been compromised. 
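At its simplest, a persistence monitor such as Background Task Manager or BlockBlock watches the locations the operating system consults at login or boot and raises an event when something new turns up there. The Python below is an added example written for this page, not Apple's or Objective-See's code: it snapshots the launchd plist directories and reports any plist that appears or changes between two snapshots. The directory paths are the standard launchd locations; the demo itself runs against a constructed temporary tree, and the sample plist it drops in is made up. Real Background Task Management hooks the system at a lower level and covers many more persistence mechanisms than launchd plists.

```python
"""Minimal persistence-event detector in the spirit of Background Task Manager / BlockBlock.

Added example, not Apple's or Objective-See's code. It snapshots the launchd plist
directories macOS consults at login/boot and reports any plist that is new or
changed between two snapshots. The demo below uses a constructed temporary tree
and a made-up plist; point it at DEFAULT_PERSISTENCE_DIRS to watch a real system.
"""
import hashlib
import os
import plistlib
import tempfile
from dataclasses import dataclass

# Standard macOS launchd locations (listed for reference; the demo uses a temp tree).
DEFAULT_PERSISTENCE_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]


@dataclass(frozen=True)
class PersistenceEvent:
    kind: str      # "added" or "modified"
    path: str
    label: str     # launchd Label, or "<unknown>" if the plist is unreadable
    program: str   # ProgramArguments[0] or Program, or "<unknown>"


def _digest(path):
    """SHA-256 of a file's bytes, so edits to an existing plist are noticed too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        h.update(f.read())
    return h.hexdigest()


def snapshot(dirs):
    """Map every .plist directly under the given directories to its SHA-256."""
    state = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            p = os.path.join(d, name)
            if name.endswith(".plist") and os.path.isfile(p):
                state[p] = _digest(p)
    return state


def describe_plist(path):
    """Pull the launchd Label and program out of a plist; tolerate malformed files."""
    try:
        with open(path, "rb") as f:
            data = plistlib.load(f)
    except Exception:
        return "<unknown>", "<unknown>"
    label = str(data.get("Label", "<unknown>"))
    args = data.get("ProgramArguments")
    program = args[0] if isinstance(args, list) and args else data.get("Program", "<unknown>")
    return label, str(program)


def diff_snapshots(before, after):
    """Return one PersistenceEvent per plist that is new or changed since `before`."""
    events = []
    for path, digest in sorted(after.items()):
        if path not in before:
            kind = "added"
        elif before[path] != digest:
            kind = "modified"
        else:
            continue
        label, program = describe_plist(path)
        events.append(PersistenceEvent(kind, path, label, program))
    return events


def demo():
    """Constructed scenario: a LaunchAgents directory gains one plist between snapshots."""
    with tempfile.TemporaryDirectory() as root:
        agents = os.path.join(root, "LaunchAgents")
        os.makedirs(agents)
        baseline = snapshot([agents])  # empty directory: nothing persisted yet
        # Simulate an installer dropping a launch agent (constructed sample data).
        with open(os.path.join(agents, "com.example.updater.plist"), "wb") as f:
            plistlib.dump({"Label": "com.example.updater",
                           "ProgramArguments": ["/usr/local/bin/example-updater", "--daemon"],
                           "RunAtLoad": True}, f)
        events = diff_snapshots(baseline, snapshot([agents]))
        for e in events:
            print(f"[persistence {e.kind}] {e.label} -> {e.program} ({e.path})")
        return events


if __name__ == "__main__":
    demo()
```

Like any user-space monitor, this only reports what it observes while it is running, which is exactly the weakness the article describes: the persistence itself is not hidden, the alert about it is suppressed. That is the practical argument for keeping an independent monitor and a periodic offline baseline of these directories rather than relying on a single notification channel.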

“There should be a tool [that notifies you] when something persistently installs itself, it’s a good thing for Apple to have added, but the implementation was done so poorly that any malware that’s somewhat sophisticated can trivially bypass the monitoring,” Wardle says about his Defcon findings. 

Apple could not immediately be reached for comment.

As part of his Objective-See Foundation, which offers free and open source macOS security tools, Wardle has offered a similar persistence event notification tool known as BlockBlock for years. “Because I’ve written similar tools, I know the challenges my tools have faced, and I wondered if Apple’s tools and frameworks would have the same issues to work through—and they do,” he says. “Malware can still persist in a manner that is completely invisible.”

When Background Task Manager first debuted, Wardle discovered some more basic issues with the tool that caused persistence event notifications to fail. He reported them to Apple, and the company fixed the error. But the company didn’t identify deeper issues with the tool.

“We went back and forth, and eventually, they fixed that issue, but it was like putting some tape on an airplane as it’s crashing,” Wardle says. “They didn’t realize that the feature needed a lot of work.”

One of the bypasses Wardle presented on Saturday requires root access to a target’s device, meaning that attackers need to have full control before they can stop users from receiving persistence alerts. The bug related to this potential attack is important to patch because hackers can sometimes gain this level of access to a target and might be motivated to stop notifications so they can install as much malware as they want on a system. 

More concerning is that Wardle also found two paths that don’t require root access to disable the persistence notifications Background Task Manager is supposed to send to the user and to security monitoring products. One of these exploits takes advantage of a bug in how the alerting system communicates with the core of a computer’s operating system known as the kernel. The other capitalizes on a capability that allows users, even those without deep system privileges, to put processes to sleep. Wardle found that this capability can be manipulated to disrupt persistence notifications before they can get to the user.

Wardle says he chose to release these bugs at Defcon without first notifying Apple because he had already notified the company about flaws in Background Task Manager that could have led it to improve the tool’s overall quality more comprehensively. He adds, too, that bypassing this monitoring simply brings the state of macOS security back to what it was a year ago, before this feature debuted. But he notes that it’s problematic when Apple releases monitoring tools that seem rushed or need more testing, because it can give users and security vendors a false sense of security.
