Canceled
Presented at DEF CON 31 (2023), Aug. 11, 2023, 11 a.m. (45 minutes).
Ding~ A new software update is available for your Mac!
System updates are widely regarded as a silver bullet that protects users against the latest security vulnerabilities. As is common practice, Apple publishes updates roughly monthly, sometimes only a few weeks apart, and end users have been continuously educated to keep their devices up to date. Once they see Apple's system update notification, they may click on the update without a second thought.
But wait, are you sure you're getting the right system update?
During my research, I discovered a few critical vulnerabilities in the Apple OTA (over-the-air) update process. Apple has addressed them as CVE-2022-42791, CVE-2022-46722, and more. CVE-2022-42791 is the one that can bypass the update package signature verification and infect the new OS kernel.
On Intel Macs without the T2 chip, these vulnerabilities can be exploited to bypass SIP (System Integrity Protection) and SSV (Signed System Volume) protection, infect the OS kernel, and execute arbitrary kernel code in Ring 0!
And there is one more vulnerability that can infect the OS firmware and execute arbitrary code before the kernel boots!
During this session, I'd like to share with you how a crafted system update can infect your device and inject malicious code into your OS kernel, dominating your device completely without your awareness.
Presenters:
Mickey Jin, Security Researcher at Trend Micro
Mickey Jin (@patch1t) works for Trend Micro as a security researcher with a keen interest in malware analysis, threat campaign research, and vulnerability research.
In the past two years, he has received over 100 CVEs from Apple, Inc.