One of the arguments against caring about macOS security has been that "no one is targeting us, so we don't need to be overly concerned." For those who know even the tiniest bit about computer security, you know that's probably one of the dumber assertions.

Here is one way that you can inadvertently paint a target on your back. You are not targeted because someone is actively targeting you specifically (not initially). You become a target through your own actions. AI-enabled targeting schemes will make attacks like this more common.
 
One of the arguments against caring about macOS security has been that "no one is targeting us, so we don't need to be overly concerned." For those who know even the tiniest bit about computer security, you know that's probably one of the dumber assertions.

Here is one way that you can inadvertently paint a target on your back. You are not targeted because someone is actively targeting you specifically (not initially). You become a target through your own actions. AI-enabled targeting schemes will make attacks like this more common.
That article proves that fully updated, SIP enabled, GateKeeper enabled Macs can be compromised because the weakest link is always the user. ;)

Malwarebytes is terrible at protecting against malware https://forums.macrumors.com/threads/how-safe-is-malwarebytes-for-mac.2378702/post-32752608

The fake “Arc Browser” ads have been reported by Jamf Threat Labs in April https://www.jamf.com/blog/infostealers-pose-threat-to-macos/
 
Some of us here are focused on fixing issues. I personally am of the belief that they are unlikely to be fixed and am focused on getting OCLP docs and messaging to clearly state that the vulnerabilities exist, that an OCLP-patched Mac is not as secure as an unpatched, fully-supported Mac (along with a list of known limitations) and that users are accepting risks by using the software.

I also think that the warnings may need to be model-specific (e.g., this model will not receive Apple RSRs).

I believe that chasing solutions to individual vulnerabilities (like SIP) just takes us down a rathole (for me) and will leave that for others to champion.

My requests, while highlighting the known limitations, have always been intended to drive OCLP / Dev transparency.
Is an OCLP-patched Mac MORE secure than an unpatched, UN-supported Mac?
 
Is an OCLP-patched Mac MORE secure than an unpatched, UN-supported Mac?
If, for now and for the sake of argument, we disregard any mistakes by the end user.

You could possibly argue that a Mac that is no longer supported by Apple with software updates is less secure than a same-model Mac that is running an up-to-date macOS before Sonoma via OCLP that is still supported by Apple with software updates. In some respects that might be a simple but sound argument.

But it perhaps gets more complicated with Sonoma and Sequoia, as discussed earlier in this very thread, and a signed/sealed system volume being broken by an OCLP patch. Ah well. Some info from Apple about this here.
 
Is an OCLP-patched Mac MORE secure than an unpatched, UN-supported Mac?
When this thread was created, OCLP docs claimed "you're just as secure as a fully-supported Mac." After this thread was created, OCLP docs have thankfully retreated from the "just as secure" position.

Your question is not as simple as you stated for multiple reasons, not the least of which has been stated many times in this thread: it depends on your use cases. Also, some later-model, unsupported Macs can still run newer versions of macOS without OCLP post-install patches (only requiring Open Core with SIP fully enabled). This is more likely if you do not need Legacy Broadcom Wi-Fi and you can replace your discrete graphics card or spoof a newer Intel iGPU.
 
One of the original requests here to OCLP developers was to allow selectively disabling Wi-Fi patches, so that Wi-Fi post-install patches are not applied by OCLP to macOS. This would allow users to fully enable SIP and preserve the APFS seal if they don't apply any post-install patches.

New instructions for OCLP here appear to be offering this requested option. Thank you, Devs!

EDIT: Since I haven't actually tested the latest OCLP post-install patch GUI at the time of this writing, it may be that the new OCLP instructions are simply offering the fully-enabled-SIP option to users who are knowledgeable enough to make their own post-install patching decisions (without using the OCLP post-install patcher). Regardless, it is nice of the Devs to explain this SIP-enabled-option in the OCLP instructions.
 
One of the original requests here to OCLP developers was to allow selectively disabling Wi-Fi patches, so that Wi-Fi post-install patches are not applied by OCLP to macOS. This would allow users to fully enable SIP and preserve the APFS seal if they don't apply any post-install patches.

New instructions for OCLP here appear to be offering this requested option. Thank you, Devs!

EDIT: Since I haven't actually tested the latest OCLP post-install patch GUI at the time of this writing, it may be that the new OCLP instructions are simply offering the fully-enabled-SIP option to users who are knowledgeable enough to make their own post-install patching decisions (without using the OCLP post-install patcher). Regardless, it is nice of the Devs to explain this SIP-enabled-option in the OCLP instructions.
I gave it a try and could not get enabled SIP to stay enabled. I think I am doing something wrong. Hopefully someone smarter will give it a try and post here.
 
@dimme Whenever you make any changes to SIP via the OCLP GUI, you must Build and Install Open Core (OC) and then boot with the new OC EFI. I would recommend that you always test a new OC EFI on a USB thumb drive before installing the new OC EFI on your main boot drive. This way, if the new EFI does not work, you can just pull the USB thumb drive and reboot.

Note that SIP can only be fully enabled if you do not need OCLP post-install patches. If you are applying any OCLP post-install patches (e.g., if you are applying Wi-Fi patches or graphics patches), then SIP must be partially disabled (the OCLP default).
 
Since 2022 I have been running Big Sur on a MBP 10.1 mid 2012, with the installation help of OCLP, and it works great.
SIP is fully working because I removed the security restrictions of OCLP:
- allow untrusted kexts
- allow unrestricted FS
- allow unauthenticated root

The MBP is working fine and fast without any restrictions whilst I am running the big progs Adobe, MS Office.
However, when I installed Sonoma it was different: the speed was down and the fans continued to run at full speed.
The issue with the graphics card was resolved nicely with the latest OCLP.
But it was not satisfactory and I had to revert to Big Sur which I am keeping although I am tempted to upgrade.

So far for i7 2.48, 16 GB RAM and 750 SSD.
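The post above lists the three OCLP security toggles, and an earlier reply notes that SIP can only be fully enabled when no post-install patches are applied. As an added example (not code from the thread or from the OCLP project), this bash script parses the output of `csrutil status` and `diskutil apfs list` to report whether SIP is really fully enabled and the system volume seal is intact; the sample tool outputs are constructed, and the exact wording of the real tools is assumed from memory and may differ between macOS versions.

```shell
# Added example, not from the thread or the OCLP project: parse `csrutil status`
# and `diskutil apfs list` output to check whether an OCLP Mac really has SIP
# fully enabled and its system volume seal intact. All samples are constructed.
# Reads csrutil output on stdin; prints enabled | disabled | custom | unknown.
sip_state() {
    local status
    status=$(grep -i 'System Integrity Protection status' |
             sed 's/.*status: *//; s/[. ]*$//') || true
    case "$status" in
        enabled)  echo enabled ;;
        disabled) echo disabled ;;
        unknown*) echo custom ;;   # "unknown (Custom Configuration)"
        *)        echo unknown ;;
    esac
}
# Lists each protection a custom configuration reports as disabled, one per
# line ("Apple Internal" is disabled on every retail Mac, so it is skipped).
sip_disabled_parts() {
    grep -E '^[[:space:]]*[A-Za-z -]+: disabled' | grep -v 'Apple Internal' |
        sed -E 's/^[[:space:]]*//; s/: disabled.*//'
}
# Reads diskutil apfs output on stdin; prints sealed | broken | none.
seal_state() {
    local out; out=$(cat)
    printf '%s\n' "$out" | grep -q 'Sealed:' || { echo none; return; }
    if printf '%s\n' "$out" | grep -Eq 'Sealed: *(No|Broken)'; then
        echo broken
    else
        echo sealed
    fi
}
# $1 = csrutil output, $2 = diskutil output; prints a one-line verdict.
oclp_posture() {
    local sip seal
    sip=$(printf '%s\n' "$1" | sip_state)
    seal=$(printf '%s\n' "$2" | seal_state)
    if [ "$sip" = enabled ] && [ "$seal" = sealed ]; then
        echo "OK: SIP enabled and system volume sealed (no post-install patches)"
    else
        echo "REDUCED: SIP=$sip seal=$seal"
    fi
}
# Constructed samples: a fully protected Mac vs. the OCLP default configuration.
CSR_FULL='System Integrity Protection status: enabled.'
CSR_OCLP='System Integrity Protection status: unknown (Custom Configuration).
    Kext Signing: disabled
    Filesystem Protections: disabled
    Authenticated Root Requirement: disabled'
APFS_SEALED='|       Sealed: Yes'
APFS_BROKEN='|       Sealed: Broken'
oclp_posture "$CSR_FULL" "$APFS_SEALED"
oclp_posture "$CSR_OCLP" "$APFS_BROKEN"
```

On a real machine, feed the functions live output, e.g. `csrutil status | sip_state` and `diskutil apfs list | seal_state`.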
 
Impressive. The unconsciousness of the times we live in. People install **** without knowing its origin, believing that some unknown people are working for the good of humanity.
I tend to think that I'm more security conscious than most, but I don't think there is any malicious intent (or unintended vulnerabilities) indicated by those alerts. I haven't tested the latest OCLP yet, so I'm withholding judgement until I learn more.

EDIT: It could be something as simple as OCLP checking for the availability of an updated version of itself. When I install OCLP, I remove all dortania legacy patcher plists from /Library/LaunchAgents and /Library/LaunchDaemons. Also, I don't use an OCLP-patched Mac for any "production" use (just for fun and experimentation now), but that's just my personal preference.
 
I tend to think that I'm more security conscious than most, but I don't think there is any malicious intent (or unintended vulnerabilities) indicated by those alerts. I haven't tested the latest OCLP yet, so I'm withholding judgement until I learn more.

EDIT: It could be something as simple as OCLP checking for the availability of an updated version of itself. When I install OCLP, I remove all dortania legacy patcher plists from /Library/LaunchAgents and /Library/LaunchDaemons. Also, I don't use an OCLP-patched Mac for any "production" use (just for fun and experimentation now), but that's just my personal preference.
Do you know who makes these OCLP cracks? Do you know what is installed in the hack? If you know, I believe you. If you don't know, the greatest security is prudence.
 
Ok. We may not agree on this, but I think it's just as irresponsible to install and use software without vetting it as it is to comment on software without installing/using/vetting it.
Ok. There is no discussion about that, I wish you luck, but as a piece of advice, always watch your butt.
 
All said, isn't it strange that the relatively minuscule OCLP population would be seen as a worthwhile, or profitable, phishing target?
 
All said, isn't it strange that the relatively minuscule OCLP population would be seen as a worthwhile, or profitable, phishing target?
Not necessarily. If I'm a hacker and I have a relatively small group of targets with vulnerabilities that I know and understand, I'd prefer them over a general population with unknown vulnerabilities.

EDIT: ... and if my phishing is able to identify one of the targets as high value ...
 
Impressive. The unconsciousness of the times we live in. People install **** without knowing its origin, believing that some unknown people are working for the good of humanity.

Well said. My advice is always buy an up-to-date supported Mac than rely on projects like these. Cheapening out always comes back to bite you in the end.
 
Well said. My advice is always buy an up-to-date supported Mac than rely on projects like these. Cheapening out always comes back to bite you in the end.
Is this comment based on your direct experience of projects like these - whatever that's supposed to mean (please name others which have gotten you into trouble), or just what you surmise?
 
I use an up-to-date Mac for my daily computer use. BUT I have 3 older Macs that work perfectly well, but they don't support the latest OS or even ones that get updates from Apple. One is running Windows, one Linux and the other OCLP with the latest and greatest OS. The latter I don't use for online banking, shopping or email. But it comes in handy for experiments and home-brew and other projects.
 
Is this comment based on your direct experience of projects like these - whatever that's supposed to mean (please name others which have gotten you into trouble), or just what you surmise?

Yeah this is a great example of what can happen:

All it takes is one bad actor to contribute code to OCLP that is accepted by the project. The code isn't identified as containing some kind of payload or sinister backdoor, and suddenly everyone running the next production build is vulnerable. There could be someone building up trust within the OCLP team who has unknown real intentions. Or maybe members of the current team lose interest, and some wonderful person volunteers to step up and fill the gap maintaining the code.

There are so many risks and everything you do on your computer passes through some of these modifications and patches.

I can absolutely understand the appeal of OCLP and why people would want to use it. But if you can afford to buy new hardware that is supported by Apple, that's what I would do every time. Or you can play Russian roulette with your data.
 
Yeah this is a great example of what can happen:

All it takes is one bad actor to contribute code to OCLP that is accepted by the project. The code isn't identified as containing some kind of payload or sinister backdoor, and suddenly everyone running the next production build is vulnerable. There could be someone building up trust within the OCLP team who has unknown real intentions. Or maybe members of the current team lose interest, and some wonderful person volunteers to step up and fill the gap maintaining the code.

There are so many risks and everything you do on your computer passes through some of these modifications and patches.

I can absolutely understand the appeal of OCLP and why people would want to use it. But if you can afford to buy new hardware that is supported by Apple, that's what I would do every time. Or you can play Russian roulette with your data.
While I do not disagree with your statement, the same could be said for the majority of Linux software. As a user of open source software, sometimes you need to put a little trust in the community. But I do agree the smaller projects like OCLP are more susceptible to bad actors.
 