The Background Task Management tool built into macOS to thwart malware turns out not to perform its function very well. This was revealed by Mac security researcher Patrick Wardle during a Defcon-31 presentation in Las Vegas.
Since late 2022, Apple has built the Background Task Management tool into macOS Ventura. This tool specifically looks for “persistent” malware. When found, the tool sends a notification to end users or third-party security tools that a ‘persistent event’ is occurring. The idea is that these end users or security tools then investigate what is going on.
Several vulnerabilities in tool
However, according to security researcher Patrick Wardle, the security mechanism has several vulnerabilities that allow hackers to bypass the functionality. Since its introduction, he discovered that the implementation of this tool is so poorly done that any somewhat complicated malware can easily bypass the detection functionality.
At the Defcon event, the security researcher disclosed some of these deeper vulnerabilities. Among them, he showed a bypass access to the highest management account needed to be executed. Surely this vulnerability is important to patch because hackers who gain this level of access are able to disable Background Task Management notifications in macOS. They can then install as much malware as they want without the victim receiving any notifications.
Furthermore, Wardle discovered two vulnerabilities that can be exploited without having gained privileges through the management account. The vulnerabilities make it possible to disable persistence notifications in the tool. One of these vulnerabilities exploits a bug that controls how the alerting system communicates with the macOS kernel.
The other vulnerability involves a functionality that allows users, even those without deep privileges, to stop detection processes. This vulnerability can be manipulated so that it prevents notifications from reaching end users.
Apple is urged to patch the vulnerabilities as soon as possible.