Background Task Manager can potentially miss malicious software on your machine.
At the Defcon hacker conference in Las Vegas, longtime Mac security researcher Patrick Wardle presented findings on Saturday about vulnerabilities in Apple's macOS Background Task Management mechanism, which could be exploited to bypass and, therefore, defeat the company's recently added monitoring tool.
So operating system makers like Microsoft and Apple, as well as third-party security companies, are always working to develop new detection mechanisms and tools that can spot potentially malicious software behavior in new ways.
With this in mind, Apple added Background Task Manager in macOS Ventura, which launched in October 2022, to send notifications both directly to users and to any third-party security tools running on a system if a “persistence event” occurs.
“There should be a tool [that notifies you] when something persistently installs itself, it's a good thing for Apple to have added, but the implementation was done so poorly that any malware that’s somewhat sophisticated can trivially bypass the monitoring,” Wardle says about his Defcon findings.
One of the bypasses Wardle presented on Saturday requires root access to a target's device, meaning that attackers need to have full control before they can stop users from receiving persistence alerts.
More concerning is that Wardle also found two paths that don't require root access to disable the persistence notifications Background Task Manager is supposed to send to the user and to security monitoring products.
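Because the article's point is that Background Task Manager's persistence notifications can be silenced, a defender should keep an independent record of persistence items rather than rely on those alerts alone. The Python below is an added example, not code from the article, Apple or Wardle; it snapshots the standard launchd job directories (one of the persistence locations BTM covers; the directory list is an assumption about a default macOS layout) and diffs a baseline against a later scan, using constructed sample plists in a temporary directory.

```python
import plistlib
from pathlib import Path

# Standard launchd persistence locations (assumption: default macOS layout).
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                str(Path.home() / "Library" / "LaunchAgents")]

def parse_launchd_plist(data: bytes) -> dict:
    """Reduce a launchd job plist to the fields that matter when reviewing persistence."""
    p = plistlib.loads(data)
    args = list(p.get("ProgramArguments") or [])
    return {
        "label": p.get("Label"),
        "program": p.get("Program") or (args[0] if args else None),
        "run_at_load": bool(p.get("RunAtLoad", False)),
        "keep_alive": bool(p.get("KeepAlive", False)),
    }

def scan(dirs=LAUNCHD_DIRS) -> dict:
    """Snapshot every *.plist under the given directories, keyed by file path."""
    snapshot = {}
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for f in sorted(Path(d).glob("*.plist")):
            try:
                snapshot[str(f)] = parse_launchd_plist(f.read_bytes())
            except Exception as exc:  # a malformed or unreadable job file deserves a look too
                snapshot[str(f)] = {"error": repr(exc)}
    return snapshot

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """List persistence items that appeared, vanished or changed since the baseline."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in both if baseline[k] != current[k]),
    }

if __name__ == "__main__":
    import json, tempfile
    # Constructed sample: a known agent in the baseline, then a new job appears.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "com.example.updater.plist").write_bytes(plistlib.dumps(
            {"Label": "com.example.updater", "ProgramArguments": ["/usr/bin/true"], "RunAtLoad": True}))
        before = scan([tmp])
        Path(tmp, "com.example.helper.plist").write_bytes(plistlib.dumps(
            {"Label": "com.example.helper", "Program": "/tmp/helper", "KeepAlive": True}))
        print(json.dumps(diff_snapshots(before, scan([tmp])), indent=2))
```

This only covers launchd jobs; login items and other persistence types that BTM also watches need their own baseline, and the baseline itself should be stored somewhere a local attacker cannot rewrite.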