Macintosh secondary operating systems and security concerns

Greetings!


In case one installs Windows OS using the Boot Camp tool, and also a version of Linux OS without using the Boot Camp tool, knowing that the secondary operating systems will be potential targets of cyber attacks...


  • Are the operating systems other than the initial macOS able to affect the macOS partition of the hard drive in any way, in the worst-case scenarios?
  • Or is there some structure to fully isolate the secondary operating systems from any type of reading or writing of the primary macOS partition?
  • Well, that requires the secondary OS to not purely have direct hardware access, and to be working under some Apple software that allocates the hardware; is this the case in reality?
  • Even with the Linux installed outside of Boot Camp, isn’t it a potential access point to the macOS?

MacBook Pro 15″, macOS 10.15

Posted on Oct 6, 2020 2:11 AM


Oct 7, 2020 8:27 AM in response to kjkkkk

kjkkkk wrote:

What about the “MacOS Base System” modifications and infections? Can it be done?

If you are referring to images provided by Apple's Internet Recovery system, this is verified by the Apple servers.

• What about “Firmware” infections? What are the things that macOS pro users need to be familiar with, with regard to the firmware infections, and also the relationship of firmware infections and secondary operating systems?

See "What is a firmware password on Mac? - Apple Support" as reference. Apple's EFI updates use signature verification using PKI.

• Some versions of Linux can be installed on external hard drives. While using that Linux, say a security exposure happens and a cyber offender gets root access to the Linux system. Can he access the “macOS base system”, cause “firmware infections” and make things in a way that the Mac device cannot be completely cleaned by restoring to factory settings?

This is a possible use-case. See "What is the Startup Security Utility on Mac? - Apple Support" for reference. We are now veering away from software security models to physical security of devices.

There are concerns about NSA having technologies which cause the device to stay infected all its lifetime, and hard drive formats won't fix it. Would you clarify the matter please?

You can create EFI malware. The EFI layer also has signature validation. Apple now bundles EFI within macOS updates which has signature validation using certificates. As an example, Apple T2 prevents Linux from being installed as a bootable system. The user needs to intentionally disable safeguards to allow this. VM engines can also have security issues. If you are concerned about such a level of compromise, Apple Genii can also do a 'hardware' wipe.

Oct 7, 2020 7:46 AM in response to Loner T

Ok, then it gets complex. For the sake of this conversation, let's make things clearer.


  • What about the “MacOS Base System” modifications and infections? Can it be done?
  • What about “Firmware” infections? What are the things that macOS pro users need to be familiar with, with regard to the firmware infections, and also the relationship of firmware infections and secondary operating systems?
  • Some versions of Linux can be installed on external hard drives. While using that Linux, say a security exposure happens and a cyber offender gets root access to the Linux system. Can he access the “macOS base system”, cause “firmware infections” and make things in a way that the Mac device cannot be completely cleaned by restoring to factory settings? There are concerns about NSA having technologies which cause the device to stay infected all its lifetime, and hard drive formats won't fix it. Would you clarify the matter please?

Oct 29, 2020 3:49 AM in response to kjkkkk

An alternative to Boot Camp is Wine software, which runs Windows apps on Mac; a commercial derivative named CrossOver, available at https://www.codeweavers.com, will permit the Windows apps to run in an isolated environment.

I am satisfied with their services, but have yet found no absolute solution to Mac OS compatibility that provides Apple-level security.

An idea would be for Apple to develop and maintain the legacy software as temporary workarounds, software such as Apple's version of messy structures such as Tor Browser, WinRAR, deleted information extractor, and torrent software, and keep maintaining them the Apple way as long as those computer structures play a role in humanity, and are used by a part of the population.

Unfortunately that is not gonna happen due to business considerations ;)

Oct 29, 2020 8:36 AM in response to kjkkkk

Wine has performance penalties. I have played with Wine (not CrossOver).


You can also use VM engines, which run as a GuestOS on the underlying HostOS (macOS on Macs). Some of the security features of macOS then come into play. https://developer.apple.com/documentation/security is primarily directed at developers, but does provide some insight.


With the release of macOS Big Sur (directed towards ARM), the Rosetta2 layer (based on the original OS9 to OSX Rosetta philosophy) will also provide some capabilities.


You are correct, very few commercial organizations have any interest in 'legacy', because it conflicts with growth of revenue streams that shareholders much desire. Planned obsolescence is a wonderful tool for growing revenue streams.
