In the “Wild World of macOS Installers” presentation, the host Tony Lambert waxes poetic about what an installer is and the different ways to install software on a macOS-based device. In Tony’s words, “an installer is going to be anything that drops additional, arbitrary, executable code onto a computer system.”
Some of the different installer types used within macOS are:
- Package (PKG)
- Developer Libraries
- Python, Ruby and NodeJS
From a security standpoint, Tony draws connections between installers and malware. For example, both install apps and modify configuration settings, and both are used as vessels to deliver code. The major difference between them: installers typically come from trusted sources, whereas malware doesn’t.
No doubt this similarity is one of the driving reasons why threat actors are increasingly stashing malicious code, scripts and so forth within installers to increase the chance of infecting target devices. Within the presentation, Tony dives into the various installer types, highlighting how they work, explaining what tasks can and cannot be performed with them, and denoting important processes used in conjunction with each installer type. He explains which are used to launch scripts or to silently install applications in the background, as well as how malware like Silver Sparrow abuses these functions to infect your Mac.
The latter portion of the presentation focuses less on PKG/DMG installers and delves specifically into third-party developer installers, such as those used by popular developer frameworks like Python, Ruby and NodeJS. Tony breaks down each installer's mechanism and the commands associated with calling installers. He includes the script methods used to automate installs and the additional features that allow admins to execute preinstall/postinstall commands when preparing environments or when follow-up tasks, such as running updates, need to occur after code has been installed.
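Because a PKG can carry preinstall/postinstall scripts that run silently during installation, the practical check a defender wants is to see those scripts before installing. The following shell script is an added example, not code from the presentation or from Tony Lambert: it assumes the package has already been expanded with Apple's `pkgutil --expand Some.pkg /tmp/expanded` (a product archive expands to one or more `<component>.pkg` directories, each with a `PackageInfo` file and, when present, a `Scripts/` directory holding `preinstall` and `postinstall`), then lists every install-time script with its interpreter line so it can be read before the package is trusted. The `make_sample_pkg` helper builds a constructed directory layout for demonstration; no real package is required.

```shell
#!/bin/sh
# Added example: triage the install-time scripts inside an expanded macOS PKG.
# Assumed layout (as produced by `pkgutil --expand`): one or more *.pkg
# directories, each with PackageInfo and optionally Scripts/preinstall and
# Scripts/postinstall.

# Print every preinstall/postinstall script under an expanded package tree,
# one line per script: "<path relative to root>\t<first line of the script>".
list_pkg_scripts() {
    root="$1"
    find "$root" -type f \( -path '*/Scripts/preinstall' -o -path '*/Scripts/postinstall' \) | sort |
    while IFS= read -r script; do
        rel="${script#"$root"/}"
        shebang=$(head -n 1 "$script")
        printf '%s\t%s\n' "$rel" "$shebang"
    done
}

# Count install-time scripts; a payload-only package reports 0, which is the
# quick "does this installer run code beyond copying files?" answer.
count_pkg_scripts() {
    list_pkg_scripts "$1" | wc -l | tr -d ' '
}

# Constructed sample: a product archive with two component packages, only one
# of which carries a postinstall script.
make_sample_pkg() {
    dir="$1"
    mkdir -p "$dir/app.pkg/Scripts" "$dir/helper.pkg"
    printf '#!/bin/sh\necho "postinstall running"\n' > "$dir/app.pkg/Scripts/postinstall"
    : > "$dir/app.pkg/PackageInfo"
    : > "$dir/helper.pkg/PackageInfo"
}

# Usage: sh triage_pkg_scripts.sh --demo   (runs against the constructed sample)
#        or source the file and call list_pkg_scripts /tmp/expanded
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_pkg "$tmp"
    list_pkg_scripts "$tmp"
    echo "scripts found: $(count_pkg_scripts "$tmp")"
    rm -rf "$tmp"
fi
```

Listing the scripts is only the first step; the interpreter line tells you whether you are about to read shell, Python or something else, and the full contents of each listed file should be reviewed before the package is run, since that is exactly where an installer-shaped piece of malware puts its work.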