SECURITY FEATURES on MacOSX (Part II)

In this blog, we’ll continue where we left off and cover the remaining security features on MacOS.

4. Automatic Updates

New vulnerabilities in operating systems are disclosed almost every day, and vendors regularly release patches and software updates to address them. It is therefore important to keep a system up to date: the longer a system stays unpatched, the higher the risk that it gets compromised.

5. Gatekeeper

Adversaries constantly try to infect computers by tricking users into downloading malicious software. Gatekeeper blocks, by default, all applications that are not signed with an Apple developer certificate. Unsigned applications can still be run if needed, by explicitly allowing their execution.
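
Gatekeeper's verdict for a file can be queried without launching it, which is a useful check for a downloaded binary before a user is told it is safe to open. The following is an added example, not code from the original post: a small Python wrapper around Apple's `spctl` tool that parses the verbose assessment output. The two sample outputs are constructed (paths, company name and team id are made up) so the parser can be exercised offline; on a Mac, `assess()` runs the real tool.

```python
import re
import subprocess
from typing import Callable

# Constructed sample outputs in the shape `spctl --assess --type execute -vv <path>` prints:
# a "<path>: accepted|rejected" line, then "source=..." and, for signed code, "origin=...".
# The paths, company name and team id below are made up.
SAMPLE_ACCEPTED = (
    "/Applications/Example.app: accepted\n"
    "source=Notarized Developer ID\n"
    "origin=Developer ID Application: Example Corp (TEAMID0000)\n"
)
SAMPLE_REJECTED = (
    "/Users/alice/Downloads/unsigned-tool: rejected\n"
    "source=no usable signature\n"
)

VERDICT_RE = re.compile(r"^(?P<path>.+?): (?P<verdict>accepted|rejected)\s*$", re.MULTILINE)
KV_RE = re.compile(r"^(?P<key>source|origin)=(?P<value>.*)$", re.MULTILINE)


def parse_assessment(output: str) -> dict:
    """Reduce spctl's verbose output to {"path", "accepted", "source", "origin"}."""
    m = VERDICT_RE.search(output)
    if m is None:
        raise ValueError("no accepted/rejected verdict line in spctl output")
    result = {
        "path": m.group("path"),
        "accepted": m.group("verdict") == "accepted",
        "source": None,
        "origin": None,
    }
    for kv in KV_RE.finditer(output):
        result[kv.group("key")] = kv.group("value").strip()
    return result


def parse_status(output: str) -> bool:
    """`spctl --status` prints 'assessments enabled' or 'assessments disabled'."""
    return "assessments enabled" in output


def run_spctl(args: list) -> str:
    """Real runner (macOS only). spctl writes the verbose verdict to stderr, so both
    streams are merged; a rejected file makes spctl exit non-zero, which is expected,
    so the exit code is deliberately not checked."""
    proc = subprocess.run(["spctl", *args], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def gatekeeper_enabled(runner: Callable[[list], str] = run_spctl) -> bool:
    """True when Gatekeeper assessments are switched on for this machine."""
    return parse_status(runner(["--status"]))


def assess(path: str, runner: Callable[[list], str] = run_spctl) -> dict:
    """Ask Gatekeeper how it would treat `path` if a user tried to launch it."""
    return parse_assessment(runner(["--assess", "--type", "execute", "-vv", path]))


if __name__ == "__main__":
    # Offline demonstration with the constructed outputs; on a Mac call assess(path) directly.
    print(parse_assessment(SAMPLE_ACCEPTED))
    print(parse_assessment(SAMPLE_REJECTED))
```

The `runner` parameter exists so the parsing logic can be tested with canned output on any platform; the `source=` value is the interesting field for a defender, since it tells you whether a file passed because it is notarized, because of a Developer ID signature, or because someone has already added a manual exception.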

6. Anti Phishing & Download Protection

Phishing is one of the most commonly used attacks to gain initial access. It uses social engineering techniques to trick users into clicking on or downloading something malicious, which compromises the user’s system when executed. Being able to identify and minimize phishing attacks is a key component of protecting a system. Fortunately, MacOS has an anti-phishing mechanism built into the Safari web browser. This protection is based on a deny list of known phishing servers and domains, provided by the Google Safe Browsing service.

Another form of compromise to protect against is the web-based attack, in which users are either tricked into downloading malicious content, or it is covertly downloaded to their system via a drive-by attack. MacOS’s security against these attacks is twofold:

  • First, the Safari web browser has another deny list containing servers and domains hosting malware. These websites are blocked, and a warning is shown.
  • Second, if the website is not present in this deny list and a malicious file is downloaded, the Gatekeeper functionality can still block the malware from executing.

7. XProtect

XProtect consists of a deny list with signatures of known malware and YARA rules. Whenever an application is executed, it is checked against XProtect’s database and blocked if a match is found. Note that it does not replace a real anti-virus engine: it cannot detect malware family patterns, only specific files. This means that XProtect will allow execution whenever even a slight change has been made to the malware.

If a certain piece of malware is already installed on the system when XProtect’s database is updated, XProtect will start another tool designed to remove the malware from the system, conveniently called the Malware Removal Tool.
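
The limitation described above, that a file-specific signature stops matching as soon as the file changes while a pattern rule keeps matching the family, is easy to see in code. The following is an added example and not part of the original post or of Apple's XProtect: it compares a hash-based deny list with a tiny YARA-style rule engine (named strings plus an "N of them" condition) on two constructed byte strings, a "known" sample and a variant with one byte changed. Neither sample is real malware, and the rule engine supports only the subset of YARA needed for the comparison.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample bytes standing in for a known malicious file and a lightly modified
# variant of it (one byte in an embedded version tag changed). Neither is real malware.
KNOWN_SAMPLE = (
    b"\xcf\xfa\xed\xfe"                 # Mach-O 64-bit magic, as a real binary would start
    b"constructed sample v1\x00"
    b"ConstructedLoader::install\x00"
    b"\xde\xad\xbe\xef\x00\x00\x00\x01"
)
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"v1", b"v2")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A hash-based deny list identifies exactly one file per entry.
HASH_DENYLIST = {sha256_hex(KNOWN_SAMPLE)}


def hash_hit(data: bytes, denylist=HASH_DENYLIST) -> bool:
    """Exact-file match: any change to the bytes produces a different digest."""
    return sha256_hex(data) in denylist


@dataclass
class Rule:
    """Tiny subset of a YARA rule: named strings plus an 'N of them' condition."""
    name: str
    strings: dict       # identifier -> bytes pattern
    required: int = 1   # how many of the strings must be present for the rule to fire

    @staticmethod
    def hex_string(spec: str) -> bytes:
        """'DE AD BE EF' -> the four bytes 0xDE 0xAD 0xBE 0xEF (no wildcards in this toy)."""
        return bytes.fromhex(spec.replace(" ", ""))


def rule_matches(data: bytes, rule: Rule) -> list:
    """Return the identifiers of matched strings if the rule fires, else an empty list."""
    hits = [ident for ident, pattern in rule.strings.items() if pattern in data]
    return hits if len(hits) >= rule.required else []


# A pattern rule describes the family, not one file: two of three markers are enough.
LOADER_RULE = Rule(
    name="constructed_loader_family",
    strings={
        "$marker": b"ConstructedLoader::install",
        "$magic": b"\xcf\xfa\xed\xfe",
        "$tag": Rule.hex_string("DE AD BE EF"),
    },
    required=2,
)


def scan(data: bytes, denylist=HASH_DENYLIST, rules=(LOADER_RULE,)) -> dict:
    """Run both detection styles over one file and report what fired."""
    rule_hits = {}
    for rule in rules:
        hits = rule_matches(data, rule)
        if hits:
            rule_hits[rule.name] = hits
    return {"hash_hit": hash_hit(data, denylist), "rule_hits": rule_hits}


if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE)):
        print(label, scan(sample))
```

Running it shows the known sample hitting on both the hash list and the rule, while the one-byte variant misses the hash list entirely and is caught only by the rule. That is the gap the post points at: a deny list of specific files is cheap and precise, but a defender should not expect it to cover repacked or trivially modified builds of the same family.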

8. Find My

It is frustrating to lose a device somewhere. Because the device contains sensitive data, it is important to be able to find or locate it. Fortunately, MacOS offers a built-in feature to help locate such devices, called Find My. The requirement for enabling this feature is an active iCloud account so that the device can be registered. Whenever the device is reported as lost, it shares its current location with Apple so that the user can attempt to retrieve it. The current location is estimated based on the IP address and nearby Wifi networks. Even when the device is in sleep mode and not connected to a Wifi network, it might still be possible to get its location.

If the user has enabled participation in the Find My network, MacOS uses Bluetooth to participate in a world-wide mesh network of Apple devices, making location tracking possible. Recently, Apple also included the option to lock lost or stolen systems, erase the contents of the device, or play a sound from it, so that the device can be found more easily when the owner is in its immediate proximity.
