New Security Flaw Found On Macs Would Allow Attackers To Hack Them Before They're Turned On

According to Wired, security researchers have found that there is a way to hack a new Mac even before it's turned on. Researchers say attackers could hack enterprise Macs through Apple's Device Enrollment Program and its Mobile Device Management platform, allowing them to remotely put malware on the Macs.


The bug was discovered by Jesse Endahl, Chief Security Officer at Fleetsmith, and Max Bélanger, a staff engineer at Dropbox, who are to demo the security flaw today at the Black Hat security conference in Las Vegas. Fortunately, Apple has already fixed the flaw in its latest macOS 10.13.6. Still, that leaves older Macs vulnerable.

"We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time," Endahl says. "By the time they’re logging in, by the time they see the desktop, the computer is already compromised."

Endahl and Bélanger noticed that when an enterprise Mac uses MDM to view apps that are installed from the Mac App Store, there is no certificate pinning to verify the authenticity of the manifest. An attacker in a man-in-the-middle position can therefore install a malicious app to access data. Worse, this flaw can be used to attack Macs across the company.
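
What a pinned manifest fetch looks like on the client side, as an added example (not code from Apple, Fleetsmith or the researchers). The host, path and pin are placeholders, and the pin is derived from a constructed byte string standing in for the server certificate.

```python
import hashlib
import hmac
import socket
import ssl

# Assumed placeholder pin: SHA-256 of the manifest server's DER certificate,
# shipped with the client. Built from a constructed byte string, not a real value.
PINNED_SHA256 = {hashlib.sha256(b"constructed-stand-in-for-server-cert").hexdigest()}


def cert_is_pinned(der_cert: bytes, pins=PINNED_SHA256) -> bool:
    """True only if the presented certificate hashes to one of the pinned values."""
    if not der_cert:
        return False
    digest = hashlib.sha256(der_cert).hexdigest()
    # Constant-time comparison per pin; more than one pin allows a backup key.
    return any(hmac.compare_digest(digest, p) for p in pins)


def fetch_manifest(host: str, path: str, pins=PINNED_SHA256, port: int = 443) -> bytes:
    """Fetch a manifest over TLS. The request is sent only if the server
    certificate passes normal CA validation AND matches a pin."""
    ctx = ssl.create_default_context()  # CA chain and hostname checks stay on
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not cert_is_pinned(der, pins):
                # A CA-valid certificate presented by an interception point ends here.
                raise ssl.SSLError("certificate not pinned; manifest rejected")
            # HTTP/1.0 keeps the reply unchunked so the body can be read to EOF.
            req = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"
            tls.sendall(req.encode("ascii"))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    header, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    parts = header.split(b" ", 2)
    if len(parts) < 2 or parts[1] != b"200":
        raise ValueError("unexpected response status")
    return body
```

Pinning the whole leaf certificate means the pin has to be updated whenever the server certificate is renewed, which is why the pin set can hold more than one value.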
