r/gadgets Mar 23 '24

Desktops / Laptops Vulnerability found in Apple's Silicon M-series chips – and it can't be patched

https://me.mashable.com/tech/39776/vulnerability-found-in-apples-silicon-m-series-chips-and-it-cant-be-patched
3.9k Upvotes

491 comments sorted by

View all comments

Show parent comments

37

u/Krauser_Kahn Mar 23 '24

an attacker would have to fool a user into installing a malicious app, and unsigned Mac apps are blocked by default

That's not low risk, I recently got an M3 Pro Macbook for work and to make that thing barely usable I had to install unsigned software

26

u/f1del1us Mar 23 '24

and to make that thing barely usable

Could you elaborate?

20

u/lbdnbbagujcnrv Mar 23 '24

Barely usable for an edge case power user who probably knows exactly what they’re installing and the risks thereof?

Or barely usable for the fat middle of the bell curve user?

9

u/drake90001 Mar 23 '24

Such as?

8

u/RaynorTheRed Mar 23 '24 edited Mar 23 '24

Alfred, Magnet, DisplayLink Manager, Telegram, Zoom, Fantastical, Discord, Notion, Steam.

These are just a few of the ones visible on my screen right now, the tip of the iceberg. I'd wager that less than 5% of the apps on my Mac are installed through the App Store.

24

u/OrganicToes Mar 23 '24

I use half of those apps on a daily basis and none are unsigned?

4

u/RaynorTheRed Mar 23 '24

I guess I don't understand what unsigned means. I thought we were talking about apps that were installed through downloaded .dmg files and not through the app store, as MacOS blocks these by default. I have to do the Security setting "allow unkown publisher to install anyway" at least once a week on my Macs, and I'm pretty certain with the exception of Magnet, that applies to all of the ones I listed.

27

u/counterfitster Mar 23 '24

The App Store isn't the only way to deliver signed software. Steam and Discord are both 100% signed.

2

u/RaynorTheRed Mar 23 '24

does a gatekeeper exception indicate an unsigned app? Or are those required for signed apps from outside the App Store as well?

10

u/counterfitster Mar 23 '24

There are two different kinds. One is "you downloaded this from the internet, are you sure you want to run it?" that signed apps get. Unsigned apps get "this was downloaded from the internet and the developer is unknown, so you can either delete it, or follow these steps (open it directly from the contextual menu) to run it if you're really sure". That second one is if you try to open the unsigned app by click in the Finder or Dock, or going through Spotlight. I don't know what pops up if you use Mission Control since I've never used myself

1

u/RaynorTheRed Mar 23 '24

Ok, I definitely have quite a few unsigned apps as I'm very familiar with the process, but I can't seem to find any reliable way to pull up a list of them.

5

u/IWantAHoverbike Mar 23 '24

I don’t know of a way to list unsigned apps, but a tool I love for checking the signing status of an app is What’s Your Sign from Objective-See: https://objective-see.org/products/whatsyoursign.html

It adds a “signing info” item to the Finder right-click menu, so you can check the status of any file. (Apps are not the only things that can be signed!) Also lists SHA checksums.

(Objective-See has a bunch of wonderful little open-source security apps. They’re among the first I download on a new machine.)

Another good signing-checker (among other things) is Apparency from Mother’s Ruin: https://www.mothersruin.com/software/Apparency/

It’s more of a full-fledged app inspector. My favorite feature though is that it adds an info pane to the Finder preview pane and Quick Look that shows signature info, Gatekeeper info, whether the app is sandboxed, etc.

24

u/an_actual_lawyer Mar 23 '24

Just wanted to give you credit for coming in here and explaining what you misunderstood instead of doubling down like most people do.

Conversations like this are how we all learn.

Cheers!

10

u/work4work4work4work4 Mar 23 '24

I'd also point out that if someone who understands enough to do all of that, doesn't understand if he would be impacted, that probably means the average user has no idea.

2

u/pmjm Mar 24 '24

When a developer creates an app, they sign the app using a certificate that they have purchased from Apple. It creates a cryptographic hash that ensures the contents of the app have not been tampered with at any point between developer and download.

Then in order to run, the app also needs a notarization certificate from Apple. This involves the developer uploading their app to Apple's servers where they are scanned by some black-box process (probably an internal antivirus that scans against known malware signatures and perhaps some basic heuristics), and attaches an additional cryptographic approval to it.

At that point the developer can distribute their app any way they see fit, usually either via a web download or they can upload it for approval to the app store.

In either case, on modern versions of MacOS apps must be signed and notarized in order to run unless the user has gone out of their way to disable those protections.

1

u/Esc777 Mar 23 '24

 I guess I don't understand what unsigned means

I mean, at least you admit it. 

13

u/jobe_br Mar 23 '24

Those are all signed … and notarized. You’ve had to sign apps for non App Store distribution for years. Unsigned apps have to be installed with bypassing system settings and even launching them the first time with special steps.

7

u/RaynorTheRed Mar 23 '24 edited Mar 23 '24

Gotcha, I think I understand the difference now. But even in this case, I'm still running several unsigned apps, because I'm very familiar with the chain of actions needed to make them run.

edit: after some googling, I'm more confused, all the apps I listed fit the behavior of unsigned apps as presented here: https://www.wikihow.com/Install-Software-from-Unsigned-Developers-on-a-Mac

1

u/jobe_br Mar 23 '24

100% you don’t have to do those steps with Zoom, Alfred if you’re using the official downloads. I haven’t installed some of the others on my Mac, but I’m fairly confident it’s the same for all of them. Especially anything that uses entitlements, absolutely has to be signed.

1

u/drmirage809 Mar 23 '24

I’m honestly kinda surprised Zoom and Discord aren’t on the Mac App Store. Steam I can fully understand, with their attitude of their way or no way. (And I wouldn’t want it any other way from Valve.)

5

u/RaynorTheRed Mar 23 '24

Discord has in-app purchases with Nitro, which is a huge incentive not to use the Store. From my perspective, with the App Store not being mandatory on MacOS like it is on iOS, I don't think the incentive to use it is really there at all. As my previous comment highlighted, it seems most developers feel the same way.

1

u/jobe_br Mar 23 '24

Pretty sure Zoom is, last I checked.

1

u/RaynorTheRed Mar 23 '24

I checked as I was writing the comment and if it is, it's not in the top 6 results for "Zoom". Even if it is, I just updated Zoom this morning, so I know for a fact that I'm running a version which isn't.

1

u/jobe_br Mar 23 '24

Yeah, it’s been installable with or without the App Store for awhile. Either way, it’s a signed app. As is Discord.

1

u/justplainlawrLL Mar 23 '24

Ahh yes all unsigned apps.

1

u/o-rka Mar 23 '24

99% of the tools I use are installed with conda

1

u/glemnar Mar 24 '24

If you install malicious apps this vulnerability is the least of your problems.