So much happened in the realm of Apple security this past year! We're still catching up after all the major goings-on this month (which we'll cover soon in our January month in review) and we've finally found the time to publish our year-in-review article in which we look back at the top Mac security stories of 2017.
Read on to learn about the worst Mac threats that emerged this past year—we've hand-picked two major stories from each month in 2017—along with some honorable mentions of impactful Mac security news you may have missed.
Main article: Month in Review: Apple Security in January 2017
A university IT administrator found some strange network traffic coming from a Mac Pro, and found some previously unknown Mac malware. Evidently installed as part of a targeted attack, the malware (variously known as ClientCapture, Fruitfly, and Quimitchin) may have existing on the university's computer for years before being discovered.
Meitu, a seemingly innocuous iOS app that transformed selfies into "paintings" with large eyes, made its way into the App Store years ago, but rose in popularity in January.
This was a good reminder that just because an app is in the App Store doesn't necessarily mean that it respects your privacy.
Main article: Month in Review: Apple Security in February 2017
A virtual tital wave of Mac malware spilled forth in February, with brand new ransomware disguising itself as an Adobe Premiere Pro CC or Microsoft Office 2016 crack, Fancy Bear APT-related malware, Keychain-stealing iKittens, a Microsoft Word macro virus, and a remote access Trojan (RAT) found on a Russian cybercrime message board.
Forbes revealed that a tool called Phone Breaker, developed by a company in Russia, could recover ostensibly deleted Safari browser history from as far back as November 2015. Shortly after the Forbes article was published, known-affected iCloud accounts began to have their old "deleted" Safari browsing history actually disappear, presumably because Apple had begun cleaning out the old data that Phone Breaker had been able to dredge up.
Main article: Month in Review: Apple Security in March 2017
WikiLeaks published alleged U.S. Central Intelligence Agency documents containing attacks against software and hardware from the likes of Apple, Cisco, Google, Microsoft, and Samsung, some of which were supposedly used by the CIA a decade or longer ago.
Reportedly the leaks showed that the CIA had allegedly at one point been in development of iPhone and Mac rootkits. By the time the alleged leaked documents were revealed to the public, Apple had already patched many of the vulnerabilities described therein.
Each year at the CanSecWest security conference, hackers compete for cash prizes and geek cred in the Pwn2Own hacking competition.
On the first day of Pwn2Own, researchers Samuel Groß and Niklas Baumstark chained together multiple exploits to "get root" (obtain full administrator privileges) on a MacBook Pro, and they earned style points by displaying "pwned by niklasb & saelo" across the Touch Bar.
Main article: Month in Review: Apple Security in April 2017
An unofficial app store was reportedly available within an app in Apple's official App Store.
A Japanese-language app that claimed to have been a household financial helper program was, in fact, a subversive way of getting an unofficial Mandarin Chinese-language app store past Apple's vetting process, and it allowed modified or unauthorized apps to be installed without jailbreaking.
Like the Meitu app back in January, this was a second example showing that one should exercise caution even when installing apps from the App Store; Apple doesn't necessarily catch everything that may be hiding within an app.
Many major Web browser apps, including Firefox, Chrome, and Opera, were displaying internationalized domain name (IDN) characters in a way that could allow attackers to register a domain such as xn--80ak6aa92e.com and have it appear in the address bar as apple.com, for example.
Chrome and Opera have both changed the way they display such domain names to help avoid phishing attacks. Safari was never affected. Firefox, however, continues to display similar domain names in a misleading way by default—even in 2018; see the steps outlined in our April 2017 article to learn how to change that behavior.
Honorable mention goes to a report from The Mac Observer that Apple's Find My Mac feature could be easily bypassed by simply restarting a Mac holding down Command-Option-P-R. To prevent a thief from being able to disable Find My Mac using this method, you can set a firmware password (https://support.apple.com/en-us/HT204455) that you'll have to type each time you boot your Mac.
Main article: Month in Review: Apple Security in May 2017
The infected version of Handbrake prompted users to enter a password to "install additional codecs," and if users fell victim, a malicious payload was installed instead. That payload would then send a copy of the user's Keychain and sensitive browser data to the perpetrator behind the malware.
OSX/Dok was new malware that was distributed via e-mail attachments. It came in two forms: the first variant was designed to spy on a victim's Internet traffic, and the second variant was a full-fledged remote access Trojan (RAT) that attempted to steal Keychains, iOS backups, iMessage chat history, and more from infected Macs. Both malware variants are detected and eradicated by Intego VirusBarrier as OSX/Dok.A and OSX/Dok.B.
Main article: Month in Review: Apple Security in June 2017
A site on the Dark Web was discovered that enabled would-be attackers to purchase off-the-shelf spyware or ransomware and tailor it to their own desires. Intego detects the malware as OSX/MacSpy.A and OSX/MacRansom.A, respectively.
OceanLotus is corporate and industrial espionage malware that originated on Windows in 2015, and later came to Mac in 2016. In June 2017, a new Mac version was found that disguised itself as a Microsoft Word .docx document.
Honorable mention goes to a report published on Medium alleging that nefarious iOS developers had been getting fishy apps past App Store reviewers, gaming Apple's advertising system, and then scamming App Store customers into incredibly expensive, auto-renewing, questionable services.
This was a third example in 2017 that clearly demonstrates that users cannot simply trust everything they find in the App Store.
Main article: Month in Review: Apple Security in July 2017
New variants of the Fruitfly malware were discovered in the wild with the capabilities of taking screenshots, recording keystrokes, taking pictures with the webcam, and more.
Backdoor malware originally discovered in 2013 dubbed OSX/Leverage also resurfaced, and is detected under the new name OSX/FlashyComposer due to its new delivery method, being disguised as an Adobe Flash Player installer.
Apple patched the Broadpwn vulnerability, a memory corruption issue that could allow a nearby attacker to exploit a flaw in Broadcom wireless hardware to execute arbitrary code on the wireless chip.
The bug was patched for macOS Sierra and the latest versions of iOS, watchOS, and tvOS. However, Apple opted to not patch Broadpwn for the two previous versions of macOS at the time: El Capitan and Yosemite. This has been a disturbing trend for Apple, delaying or avoiding patching certain serious vulnerabilities for the two previous versions of macOS that are ostensibly still receiving security updates.
Apple didn't patch Broadpwn for its AirPort wireless base station products until December 2017.
Main article: Month in Review: Apple Security in August 2017
A hacker claimed to have decrypted and then published online the firmware for Apple's Secure Enclave Processor (SEP), along with the decryption key and tools for working with them.
An Apple spokesperson sought to ease fears about fingerprints and passwords stored on devices with Touch ID potentially being less safe, stating, "There are a lot of layers of security involved in the SEP, and access to firmware in no way provides access to data protection class information."
A supposed hack for a Counter-Strike game turned out instead to be OSX/Pwnet.A, malware that installed a cryptocurrency miner.
OSX/Mughthesec.A was new malware disguised as a Flash Player installer. What it actually did was install adware and other potentially unwanted programs on a victim's Mac.
Main article: Month in Review: Apple Security in September 2017
An IoT security company published information about serious Bluetooth vulnerabilities collectively dubbed BlueBorne.
Apple devices running the latest versions of iOS or tvOS, or any version of macOS or watchOS, are not known to be vulnerable to BlueBorne attacks. However, several old models of iPhone, iPad, iPod touch, and Apple TV that cannot be upgraded to the latest version of iOS or tvOS remain vulnerable to exploitation.
Six researchers at a Chinese university found that all of the biggest-name speech recognition systems on the market, including Apple's Siri, were vulnerable to something the researchers called DolphinAttack: playing back spoken commands in an inaudibly high pitch so as to have them executed via "Hey Siri" without the user even being aware of it.
Mac security researcher Patrick Wardle found two serious vulnerabilities in the newly released macOS High Sierra: a flaw in a new feature called User-Approved Kernel Extension Loading, as well as a vulnerability that could allow malware to steal all of a user's Keychain passwords; Apple patched the latter bug in October.
Later in the year, we would learn of other serious vulnerabilities that were High Sierra exclusives, including multiple password vulnerabilities exploitable through System Preferences.
These Macs are more likely to have outdated firmware. Images: Apple via EveryMac
Honorable mention goes to a report from Duo Security warning that many Macs' firmware was outdated. Apple bundles EFI firmware updates with macOS updates, but sometimes the firmware update procedure fails and leaves Macs with an outdated version that may contain security vulnerabilities. Duo Security released an app called EFIgy to help users assess the state of their Macs' UEFI firmware.
Main article: Month in Review: Apple Security in October 2017
Many Apple products were affected, and Apple released patches for its operating systems at the end of October. However, Apple waited until December to finally mitigate against KRACK Attacks for its AirPort wireless base station products (along with certain specific models of iOS, tvOS, and watchOS products).
Following in the footsteps of Handbrake in May (and Transmission twice in 2016), yet another software developer's download server was compromised in October and began distributing Trojanized versions of the company's software.
Honorable mention goes to iOS developer Felix Krause's warnings about two potential concerns with iOS devices: the ability for apps to replicate the appearance of Apple ID authentication dialog boxes (which could aid in phishing attacks) or to secretly spy on a user via the device's camera whenever an app is in the foreground.
Main article: Month in Review: Apple Security in November 2017
A serious vulnerability was discovered in macOS High Sierra that could allow a local attacker with physical access to a Mac (and in some cases, even attackers with remote access over a network) to enable the Mac's "root" account (a powerful UNIX administrator account that's disabled by default in macOS) with a password of the attacker's choosing.
Apple rushed to mitigate the flaw, pushing a patch to all Internet-connected macOS High Sierra users, but in its haste Apple made some errors that had to be rectified in future patches.
Two stories surfaced in November claiming that the iPhone X's new Face ID technology had been successfully tricked into unlocking Apple's latest smartphone.
Vietnamese hackers released two proof-of-concept videos showing masks they made that were able to successfully fool an iPhone X into unlocking. This is particularly interesting given that when Apple introduced the iPhone X, Apple executive Phil Schiller took the stage and bragged that Apple had tasked Hollywood mask-making experts with trying to fool Face ID, and their efforts had been unsuccessful; apparently they just hadn't been trying the right methods.
As seen in a viral video, a ten-year-old boy successfully unlocked his mother's iPhone X because Face ID evidently thought they were the same person. Apple's Schiller admitted during the iPhone X unveiling keynote that there's a higher probability of false matches for people who have "a close genetic relationship" with the user.
Honorable mention goes to the story of a fake antivirus blog that distributed a new variant of the OSX/Proton malware.
Main article: Month in Review: Apple Security in December 2017
On the last day of 2017, a security researcher dropped a macOS zero-day vulnerability that's believed to have been around for more than fifteen years, existing in numerous Mac OS X, OS X, and macOS releases.
IOHIDeous logo. Image credit: Siguza
In order for an attacker to take advantage of the bug (dubbed "IOHIDeous"), they would reportedly either need local access to a victim's Mac, or to have previously compromised a victim's Mac.
Apple would later patch the vulnerability in January, but only for the current and two previous versions of macOS (High Sierra, Sierra, and El Capitan). Previous versions of the Mac operating system remain vulnerable.
Apple also issued KRACK mitigations for certain specific models of iOS, tvOS, and watchOS products that for some reason had been excluded from October's KRACK updates.
Although Meltdown and Spectre would not become public knowledge until January 2018, Apple also released mitigations for the Meltdown speculative execution vulnerability in its December updates for macOS High Sierra, iOS 11, and tvOS 11 (Apple said that "watchOS did not require mitigation" for Meltdown).
Of course, all of the above only scratches the surface; there's plenty more that happened in 2017 that we can't cover in this article. In addition to the links above to each month's full list of stories, here are some additional year-in-review articles from other sources, covering either Mac security, cybersecurity in general, or Apple news from 2017:
Be sure to subscribe to The Mac Security Blog to stay informed about Apple security throughout each month.
Also, each week we discuss Mac and iOS security news and other topics of interest on the Intego Mac Podcast. You'll want to subscribe in iTunes/Podcasts to make sure you don't miss any shows! Show notes are available at podcast.intego.com.
Last but not least, be sure to subscribe to the Intego YouTube channel to get monthly updates in video form, and click on YouTube's bell icon (?) so you'll get notified when each new episode is available.
Fruit fly photo: Arian Suresh. "I am root"/Groot cartoon image credit: Johnathon Burns modified by Gaël. For additional image credits, please see the linked Intego articles.