Security researchers found a way to compromise a Mac out of the box before the user even logs in for the first time. That’s pretty bad, but here’s the deal: It’s really hard to do, it affects only a subset of Mac users, and it’s already been patched.
Apple’s Mac MDM Security Flaw
The flaw abuses Apple’s Mobile Device Management platform, or MDM, to deliver whatever payload an attacker chooses to put on a new Mac. Jesse Endahl, chief security officer at the Mac management company Fleetsmith, and Dropbox staff engineer Max Bélanger discovered the flaw.
Endahl told Wired,
We found a bug that allows us to compromise the device and install malicious software before the user is ever even logged in for the very first time. By the time they’re logging in, by the time they see the desktop, the computer is already compromised.
To take advantage of the flaw, someone needs to find a way to inject their own server with the malicious payload into a company’s MDM setup process. The server needs to fit into the process after a Mac completes its setup verification process, but before the computer asks Apple’s servers to start delivering apps.
MDM setups like this are typically used at the enterprise level. Companies buy Macs and link them to their MDM system during the purchase process. When an employee gets the computer and turns it on for the first time, it contacts Apple’s servers. By the time the Mac finishes booting to the desktop, the process is complete and the apps and settings the employee needs are installed.
Why Apple’s MDM Security Flaw Won’t Bite You
While Apple’s MDM issue is a legitimate security flaw, it isn’t something that will affect most people, nor is it something that will be widespread. Exploiting the flaw takes some serious technical work and likely a lot of money. It’s the sort of thing that rogue governments will enjoy.
The flaw also requires the target computer be enrolled in a company’s MDM program. Since most people aren’t buying Macs that are used that way, they can’t be targeted.
Finally, Apple patched the flaw in macOS High Sierra 10.13.6. If you updated your operating system, you’re protected. Hopefully your IT department updated their systems, too, since that’s necessary to block the flaw.
Of course, there are probably still some Macs in the inventory chain that won’t get updated to macOS 10.13.6 until after they’re purchased. Those are potentially vulnerable, assuming they get enrolled in an MDM program, the company’s IT department is behind on its security updates, and the attacker has plenty of skills, money, and motivation.
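For an IT department that wants to know which of its Macs are still below the fixed release, here is an added example (not code from the article, Fleetsmith, Dropbox or Apple) that compares macOS version strings against the 10.13.6 threshold the article names. The minimum version comes from the article; the function names, the use of sw_vers on a live Mac, and the sample inventory lines are constructed for this example and are assumptions of its own.

```shell
#!/bin/sh
# Added example: flag Macs whose macOS version predates the fix the article
# describes (macOS High Sierra 10.13.6). Version threshold from the article;
# function names and the sample inventory below are constructed for this example.

MIN_PATCHED="10.13.6"

# version_ge A B: exit 0 when A >= B, comparing dot-separated numeric fields.
# Missing trailing fields count as 0, so "10.14" >= "10.13.6" and "11" >= "10.13.6".
# Assumes purely numeric fields (beta suffixes are not handled).
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; a=${a#*.}
        fb=${b%%.*}; b=${b#*.}
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0   # every field equal
}

# mdm_fix_status VERSION: prints "patched" or "vulnerable" for one version string.
mdm_fix_status() {
    if version_ge "$1" "$MIN_PATCHED"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Constructed sample inventory (hostname, reported macOS version) so the
# script can run offline on a machine that is not a Mac.
SAMPLE_INVENTORY="mac-001 10.13.5
mac-002 10.13.6
mac-003 10.14
mac-004 10.12.6"

# audit_inventory: print one "host version status" line per inventory entry.
audit_inventory() {
    printf '%s\n' "$SAMPLE_INVENTORY" | while read -r host ver; do
        printf '%s %s %s\n' "$host" "$ver" "$(mdm_fix_status "$ver")"
    done
}

# On a Mac, check the running system; elsewhere, audit the sample inventory.
if command -v sw_vers >/dev/null 2>&1; then
    mdm_fix_status "$(sw_vers -productVersion)"
else
    audit_inventory
fi
```

Run it on each Mac (or feed it the version column from your MDM inventory export in place of the constructed sample) to list which machines still need the 10.13.6 update before they are handed to employees.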