To much fanfare, Apple has updated its iPhone and Mac operating systems to strengthen users' privacy protections, but it has said little about the fact that the macOS 11.3 update also patches a serious security vulnerability.
Users who do not update their Macs run the risk of attackers slipping malware past Gatekeeper, the macOS mechanism that checks downloaded software before it is allowed to run, according to security researcher Cedric Owens, who discovered the bug.
The vulnerability lets an attacker craft a macOS payload that Gatekeeper never examines, leaving users at risk of unknowingly installing malware by doing little more than clicking a link in an email and opening what they downloaded.
“This payload can be used in phishing and all the victim has to do is double-click to open the .dmg and double-click the fake app inside of the .dmg – no pop-ups or warnings from macOS are generated,” he wrote in a Medium post explaining the vulnerability.
The bug is a logic error in the way macOS classifies application bundles: an app whose Contents folder contains no Info.plist, and whose main executable is a plain script rather than a compiled binary, is misclassified as “not a bundle”. Because the policy checks only apply to bundles, Gatekeeper never brings out its usual warnings and the payload runs with none of the normal checks. Apple tracks the issue as CVE-2021-30657.
Owens reported the weakness to Apple on 25 March 2021. A macOS 11.3 beta containing the fix followed five days later, and the fix reached all users with the general release of macOS 11.3 on 26 April, closing the hole to attackers.
Security researcher Patrick Wardle warned in a subsequent blog post that attackers had already been exploiting the hole before it was patched. He found this out after contacting friends at the security firm Jamf, who used telemetry from their Jamf Protect product to confirm that a new malware variant was already using the weakness to run its payload on victims' Macs.
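The payload shape described above (an app bundle with no Info.plist whose executable is a script) is easy to look for on disk. The scanner below is an added example, not code from Owens, Wardle, Apple or Jamf: it walks a directory tree, audits every .app bundle it finds, and flags any that lack Contents/Info.plist and run a script as their main executable. The Good.app and Fake.app bundles it builds are constructed sample input; the heuristic of treating the first executable file in Contents/MacOS as the main executable is an assumption made because, without an Info.plist, there is no CFBundleExecutable key to consult.

```python
"""Flag macOS app bundles that have no Info.plist and a script as their main
executable, the shape of payload used to slip past Gatekeeper before macOS 11.3.
Added example: not the researchers' or Apple's code. The sample bundles are constructed."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def main_executable(app: Path) -> Optional[Path]:
    """Return the main executable of a bundle.
    Assumption: with no Info.plist there is no CFBundleExecutable key, so the
    first executable regular file in Contents/MacOS is taken instead."""
    macos_dir = app / "Contents" / "MacOS"
    if not macos_dir.is_dir():
        return None
    for entry in sorted(macos_dir.iterdir()):
        if entry.is_file() and os.access(entry, os.X_OK):
            return entry
    return None


def is_script(path: Path) -> bool:
    """A shebang line means the 'binary' is an interpreted script, not Mach-O."""
    with open(path, "rb") as f:
        return f.read(2) == b"#!"


def audit_bundle(app: Path) -> dict:
    """Collect the two indicators and combine them into a suspicious flag."""
    info_plist = app / "Contents" / "Info.plist"
    exe = main_executable(app)
    findings = {
        "path": str(app),
        "has_info_plist": info_plist.is_file(),
        "executable": str(exe) if exe else None,
        "script_executable": bool(exe and is_script(exe)),
    }
    findings["suspicious"] = (not findings["has_info_plist"]) and findings["script_executable"]
    return findings


def scan(root: Path) -> List[dict]:
    """Audit every .app directory under root without descending into bundles."""
    results = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                results.append(audit_bundle(Path(dirpath) / d))
                dirnames.remove(d)
    return results


def build_demo_tree(root: Path) -> None:
    """Constructed sample input: one well-formed bundle and one in the
    no-Info.plist, script-executable shape described in the article."""
    good = root / "Good.app" / "Contents"
    (good / "MacOS").mkdir(parents=True)
    (good / "Info.plist").write_text(
        '<plist version="1.0"><dict><key>CFBundleExecutable</key>'
        "<string>Good</string></dict></plist>"
    )
    (good / "MacOS" / "Good").write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O magic, constructed
    (good / "MacOS" / "Good").chmod(0o755)

    bad = root / "Fake.app" / "Contents" / "MacOS"
    bad.mkdir(parents=True)
    (bad / "Fake").write_text("#!/bin/sh\necho constructed payload\n")
    (bad / "Fake").chmod(0o755)


def demo() -> Dict[str, dict]:
    """Build the sample tree in a temp dir, scan it, key results by bundle name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return {Path(r["path"]).name: r for r in scan(root)}


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "SUSPICIOUS" if r["suspicious"] else "ok", r)
```

Point `scan()` at /Applications or a user's Downloads folder to run it for real. It is a heuristic, not a replacement for the patch: a legitimate script-based app that ships without an Info.plist would also be flagged, and on macOS 11.3 or later Gatekeeper itself refuses to treat such a bundle as trusted.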
“This bug trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk [and] especially worrisome, turns out malware authors are already exploiting it in the wild as a zero-day. Yikes!” wrote Wardle.
The news that macOS 11.3 closes the embarrassing security flaw comes as the Cupertino-headquartered company rolled out its iOS 14.5 update to iPhones. The release includes a hotly anticipated new feature, App Tracking Transparency, which lets users restrict apps' ability to track them across other companies' apps and websites.
Under the new rule, third-party apps must request the user's permission through a system prompt before tracking them or reading the device's advertising identifier; if the user declines, the app receives no identifier and must not track them.
Companies like Facebook have aggressively contested the rule, fearing it will blow a large hole in their advertising revenue, since most users are expected to opt out of tracking. Facebook recently announced changes to its advertising business to comply with the new rules.
Apple's response, in essence, is that it is up to developers to make the case that their service is worth the user's consent to being tracked.
“A lot of it is based on the case that the developer makes,” Erik Neuenschwander, user privacy manager at Apple, told Reuters. “What we have found through all the other permissions that have been coming into iOS over the years, is that [communication] is the major contribution the developer can make to making sure the user gets an informed choice.”
Market experts and analysts have welcomed the change, hoping that it would lead to a stronger focus on privacy across the tech industry.
“Despite Facebook being the most vocal opponent of Apple’s planned privacy changes, its decision to trial ‘opt in’ notifications for tracking activity shows that Apple’s move will be the catalyst for wider industry change,” said Lynne Capozzi, chief marketing officer at digital experience company Acquia.
“And with 57% of marketers adopting more consent-driven personalisation strategies as a result of privacy-led changes by Apple and Google, it’s clear that the landscape is fundamentally altered. The sooner brands recognise that giving consumers back control of their data benefits both the business and its users, the sooner trust can be restored.”
However, some have questioned how much say Apple should really have on privacy issues.
“The real question here is if Apple, or any company for that matter, should have so much influence in privacy-related matters,” said Heather Federman, VP of privacy & policy at data management company BigID. “Other stakeholders – like regulators and legislators – should have the largest say in the process but it’s clear that market forces currently dominate.
“While Apple’s opt-in model can be considered pro-privacy and forward thinking, we have a situation where one company has decided for the rest of us exactly how our personal data can or should be used – without real input from other industry players, privacy advocates, the public and the government.”