Macs have been a consumer favorite for years, but it wasn’t until recently that they began to appear on the desks of executives, developers, and researchers. Now Apple regularly patches macOS vulnerabilities while nation-states and cybercriminals increasingly take aim at the platform, prompting security teams to assess: How should they secure macOS devices within the enterprise?
Organizations have long dealt with Mac security, but it has historically played a smaller role than Windows security because fewer people used Apple products in the workplace. With more people using Mac devices at work, the threat landscape has changed.
“There’s definitely a huge uptick in the use of Macs, especially in the enterprise,” says Patrick Wardle, founder of Objective-See and author of “The Art of Mac Malware: The Guide to Analyzing Malicious Software.”
It’s not surprising, given the ease of use in Apple products and the design of its ecosystem, that many employees request a Mac as their corporate machine. But it does increase the enterprise attack surface.
“We’ve seen, in lockstep, this kind of increase of Mac threats,” Wardle continues. “And there’s always nuances to cause and effect but … overall, as a technology becomes more prevalent in the enterprise, you’re going to see adversaries, both cybercriminals and nation-states, similarly increase their interest in that.”
Security researchers have also shown greater interest in the Mac platform, adds Jon Clay, vice president of threat intelligence at Trend Micro, who points to the company’s Zero-Day Initiative as an example.
“When you have a much more popular platform, you get researchers who become more interested in that platform and they will start diving in, trying to identify and find the bugs.”
And what they’re finding is macOS, like any other operating system, has vulnerabilities — an idea that runs counter to a still-prevailing mindset among many Mac users that Macs are more secure than Windows and less likely to be attacked.
In the late 1990s and early 2000s, Windows systems were getting wrecked with viruses and worms. A main reason for this, Wardle says, is Windows had several services exposed to the Internet, many of which were exploitable. Macs had a much smaller user base, and as a result, weren’t often targeted by adversaries. It was also, relatively speaking, more locked down as the operating system didn’t have the same number of protocols and services listening for connections as Windows did.
“The analogy I like to use, that other security researchers mention, was Windows was like the house in the rough neighborhood in the city whereas Mac was like the cottage in the countryside,” he explains.
Over time, Microsoft added more security mechanisms to its OS to fight the threats; it created a bug bounty program and worked with the security community. But Apple didn’t do much. At the time, it didn’t need to — nobody was paying attention, and there weren’t many Mac-focused threats out there. But its marketing verbiage that said Macs didn’t get Windows viruses was “nuanced and not really true because cross-platform viruses can infect both,” Wardle says.
“So you have this really interesting conundrum, this paradox where a lot of Mac users are actually overconfident of the security of their systems, both because of Apple’s marketing and because, in the past, Macs were arguably more secure than Windows or at least targeted less,” he says.
This mentality put Mac users at higher risk, as attackers may have perceived them as more likely to click a link or download a suspicious file, Wardle notes. Now, however, this mentality is changing as Macs become a focus for researchers and cybercriminals alike. More vulnerabilities are discovered and patched, and the attacks targeting macOS are growing more sophisticated. What do the threats look like, and what is Apple doing to respond?
Keeping Up with the Criminals: Eye-Catching Vulns & Threats
Five years ago, Mac malware “really wasn’t that interesting,” says Wardle. Now researchers see attackers porting Windows or Linux capabilities to run natively on macOS including adware, as well as criminal tools, backdoors, and implants from nation-state actors like Lazarus Group, he says.
“To me, the most interesting thing — besides adversaries porting their Windows and Linux capabilities to run on macOS — is the sophistication of these threats,” he explains. “We see zero-days being used as infection vectors; we see more sophisticated techniques.” Mac malware will leverage zero-day flaws to escalate privileges or bypass Apple’s built-in security mechanisms.
Researchers and attackers have poked countless holes in the platform in recent years. Examples of notable bugs include CVE-2021-30657, a recently discovered logic flaw
in macOS Big Sur 11.3 that allowed attackers to launch a payload that was unchecked by Gatekeeper, File Quarantine, and Application Notarization and was used to deploy
Shlayer malware onto target machines.
Around the same time this was disclosed, researchers with Trend Micro reported
the macOS-focused XCSSET malware campaign had adapted to target macOS 11 and machines running the M1, Apple’s own processor for its newer Macs. While macOS 11 came with new security features to better detect code modifications, attackers soon found a way around the measures.
“The challenge we have out there is these criminals are very well-funded these days, they’re very motivated, and they have good coding experts on staff,” says Trend Micro’s Clay. “The likelihood we will continue to see exploited vulnerabilities is probably pretty high.” He also points to the recently disclosed AirTag flaw as an example of how criminals quickly innovate.
Windows malware is still ahead in terms of sophistication, says Wardle, for a couple of reasons. Attackers didn’t have much experience writing Mac malware until recently, and writing complex malware requires a fundamental understanding of the operating system and its nuances. It’s only recently researchers have seen attackers find creative ways to persist on Mac, for example.
Another reason is there was simply no need for sophisticated Mac malware. The reason why attackers build complex malware is to remain undetected by the user or security tools — and until lately, Mac security tools weren’t very strong.
“Security vendors didn’t have a very in-depth understanding of the operating system, so the security tools they were making were trivial to bypass,” Wardle says. “Malware didn’t really have to do anything slick or stealthy.”
Apple has upped its security in new iterations of macOS, forcing criminals to work harder to breach Mac defenses. What has it done in the latest version, and what gaps remain?
Apple’s Response: Progress and Pitfalls in Mac Security
Apple started taking security “much more seriously” in macOS 10.15 (Catalina), says T. Student, a developer with Malwarebytes who recently authored a technical blog post on the new security tools available in macOS 11. Before then, Apple mostly provided vendors with observability features and “a very spare offering of enforcement features,” they note. Catalina brought with it Network Extensions, a feature borrowed from iOS, and Endpoint Security, an “impressively comprehensive and well-designed framework” for developing endpoint security applications.
One of the most noteworthy security features in macOS 11 is the M1, Apple’s own processor for its newer Macs, says Student. The M1 is fast and power-efficient, they explain, but it was also designed for security: “Almost all of the most significant macOS 11 security improvements rely on features unique to the M1 and are only available on M1-powered (“Apple silicon”) Macs,” Student says. The M1 goes beyond addressing so-called microarchitectural flaws in the CPU’s internal code, they continue. Features such as Pointer Authentication Code aim to tackle software issues as well.
Apple has also revolutionized its policy on third-party software, says Student, noting “virtually overnight, they went from considering them obsolete boondoggles and maintenance burdens to legit first-class applications.”
The company’s approach with third-party software has long been tricky, experts say, but Apple has improved here. Wardle points to its release of new frameworks built for third-party security tools that provide detection and insight capabilities, as well as the creation of advanced security tools from third-party companies. Apple introduced Notarization in macOS 10.15, requiring developers to submit their software to check for malicious content before they can distribute it.
Apple’s code-signing frameworks and OS capabilities are an area of significant improvement. The company isn’t afraid to “break” legacy programs and software, which Wardle notes is “kinda based on hubris, but from a security point of view it works out well.” In Windows, for example, many problems stem from legacy components Microsoft hasn’t been willing to deprecate. Apple is quick to deprecate, which he says is good because it eliminates a lot of legacy code — even if the company isn’t always necessarily doing it for security reasons.
“One thing about all of this is you have to take a look at the motivations of why Apple is doing this,” he notes. “A lot of it is for security, but a lot of it is also to control what is run on their systems.” While there have been vulnerabilities in the notarization mechanism that allow adversaries to run un-notarized code, Wardle calls it a step in the right direction.
Of course, as with any company, work remains to be done. For Apple, much of this relates to its relationships with third-party software companies and security researchers. Clay and Wardle point to Apple’s lack of communication with the external security research community and how many of its members have had negative experiences with the company.
“In my opinion, their biggest issue with security, like most companies, is their organizational culture, which in the case of Apple is one of paranoid opacity and obfuscation,” Student says. The company has ignored reports from third-party researchers and enforces secrecy through NDAs and cease-and-desists. They also fix security issues, or fail to, without documentation.
Planning for Macs? What Security Teams Should Know
As organizations allow more employees to use Mac computers, security teams should take steps to protect these machines.
“As Apple grows, and their footprint grows inside the business community, that’s a high-profile target; it’s a high-value target for the criminals out there,” says Clay. “If I’m an attacker and I analyze how to get into an organization or how to laterally move across an organization, if the Windows environment is fairly well taken care of, they may pivot to other apps [or] platforms.”
It’s important to not treat Macs and Windows differently, Wardle says. While many companies have distinct policies for each OS, and many lack security policies for Macs, it’s a good idea to take the Windows security policy — which at this point is mature, hardened, and battle-tested — and apply the same methodology to macOS. The idea that Macs need a less-intensive security policy is “very dangerous thinking,” he notes.
Both systems should have an endpoint security agent, and Macs should have one that is Mac-specific or comes from a vendor that equally invests in Mac and Windows products. Just as researchers are seeing Mac malware authors gain a deeper understanding of macOS and create custom macOS threats, it’s important that the security tools installed have the same fundamental understanding of the OS. While Apple has introduced more security features into its OS, attackers will find a way around it, and it helps to bring third-party tools onto a system.
“Updating and patching is going to be another area,” Clay notes. “Organizations are going to want to ensure they have that capability and … if you have centralized patching capabilities across that platform, even better.”
Clay also advises implementing an educational program for employees so they know how to keep watch for attacks. Whether it’s a phishing email that drops Mac code instead of Windows code or exploits a bug in the Mac platform, they should know the risks and red flags related to them.