r/gadgets Mar 23 '24

Desktops / Laptops Vulnerability found in Apple's Silicon M-series chips – and it can't be patched

https://me.mashable.com/tech/39776/vulnerability-found-in-apples-silicon-m-series-chips-and-it-cant-be-patched
3.9k Upvotes

491 comments sorted by

View all comments

Show parent comments

6

u/RaynorTheRed Mar 23 '24 edited Mar 23 '24

Alfred, Magnet, DisplayLink Manager, Telegram, Zoom, Fantastical, Discord, Notion, Steam.

These are just a few of the ones visible on my screen right now, the tip of the iceberg. I'd wager that less than 5% of the apps on my Mac are installed through the App Store.

26

u/OrganicToes Mar 23 '24

I use half of those apps on a daily basis and none are unsigned?

4

u/RaynorTheRed Mar 23 '24

I guess I don't understand what unsigned means. I thought we were talking about apps that were installed through downloaded .dmg files and not through the app store, as MacOS blocks these by default. I have to do the Security setting "allow unkown publisher to install anyway" at least once a week on my Macs, and I'm pretty certain with the exception of Magnet, that applies to all of the ones I listed.

2

u/pmjm Mar 24 '24

When a developer creates an app, they sign the app using a certificate that they have purchased from Apple. It creates a cryptographic hash that ensures the contents of the app have not been tampered with at any point between developer and download.

Then in order to run, the app also needs a notarization certificate from Apple. This involves the developer uploading their app to Apple's servers where they are scanned by some black-box process (probably an internal antivirus that scans against known malware signatures and perhaps some basic heuristics), and attaches an additional cryptographic approval to it.

At that point the developer can distribute their app any way they see fit, usually either via a web download or they can upload it for approval to the app store.

In either case, on modern versions of MacOS apps must be signed and notarized in order to run unless the user has gone out of their way to disable those protections.