Apple updates macOS’ XProtect to block ‘Windows’ malware files: Report

By Digit NewsDesk | Published on 25 Apr 2019
  • Apple release update to plug vulnerability in macOS.

  • A Windows .exe file was found that used to run on macOS using the Mono .NET framework and drop Malwares.

Apple updates macOS’ XProtect to block ‘Windows’ malware files: Report

Apple has reportedly updated the macOS’ built-in antivirus software XProtect to include signatures that detect Windows PE files and Windows executables that can run on Macs by utilising the Mono .NET framework. Citing mac security expert Patrick Wardle, Bleeping Computer reported that two new signatures were released on April 19 that, when used together, can detect adware bundles that contain Windows executables that can run on macOS.

“These two new signatures are called ‘PE’, which detects Windows PE files, and ‘MACOS.d1e06b8’, which is used to detected a specially crafted Windows executable that can run on Macs,” the tech news platform reported. Initially, Japan-based cybersecurity firm Trend Micro found .exe files (executable files) delivering malicious payload on macOS. The highest number of infections were seen in the UK, Australia, Armenia, Luxembourg, South Africa, and the US.

The malware utilizes a Mac installer to execute Windows executables using the Mono .NET - a cross-platform framework that allows C# programmes to run on Windows, Macs, and Linux. These malware samples would extract a Windows executable file named Installer.exe that, once run, would contact remote servers to download “offers” to install. “These offers could be unwanted browser extensions, adware, miners, and password stealing Trojans,” Bleeping Computer said.

What’s interesting is that although these files are Windows executables, they won’t be able to run on Windows. The reason for this is that these adware bundles attempt to load the Mac Mono framework libraries, which are not available in Windows.

This is not the first time that a vulnerability has been found in macOS. In February, an 18-year-old German, Linus Henze, discovered a vulnerability that used to leave users’ saved passwords exposed to hackers. This reportedly included passwords saved in the iCloud Keychain or even passwords to banking websites, social networking websites, email websites and streaming services like Netflix, Amazon and more.

Digit NewsDesk

The guy who answered the question 'What are you doing?' with 'Nothing'.

email Protection Status