If you haven’t already, you should update your Mac right now. A recently patched zero-day vulnerability in macOS operating systems has been allowing hackers to bypass many of Apple’s security protocols and deploy malware on an unknown number of computers, new research shows.
The bug, which was discovered in March by security researcher Cedric Owens, would have allowed a malicious script to be downloaded onto “all recent versions of macOS,” including macOS versions 10.15 to 11.2. Thankfully, the new macOS 11.3 includes an update that patches the security hole.
Researchers say the vulnerability created a work-around for key macOS security features, including Gatekeeper, File Quarantine and the company’s Notarization security check, all of which are designed to catch and block malicious programs from being downloaded from the internet.
According to Owens, a hacker could hypothetically use the security flaw to sneak a malicious program onto a computer. Owens did his own research, creating a test program which he was able to hide inside an innocuous-looking document and sneak by the security programs meant to verify that a program came from a known developer.
“This bug trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk,” said another security researcher, Patrick Wardle, in a technical blog he wrote about the bug.
“This is likely the worst or potentially the most impactful bug to everyday macOS users,” he later told Vice News.
Hackers have been actively exploiting the bug, too—though the compromise strategies that have been uncovered seem fairly clumsy and require a user to download and run an unknown internet program. The iOS endpoint protection company Jamf Protect reports that, earlier this year, the security flaw was being exploited in the wild by hackers using Shlayer malware—malicious adware that is one of the more common forms of malware known to target macOS systems.
“The exploit allows unapproved software to run on Mac and is distributed via compromised websites or poisoned search engine results,” Jamf researchers wrote.
In most cases, the…