title: Will malware spread to other accounts/areas of the Mac if you're using a standard account?
Or is it localized or isolated to that standard account?

Generally no, but being prompted for admin rights tends to be so automatic that most people blindly authenticate. If that's the case, it doesn't matter whether your user account is a standard user or an admin user; the result will be the same.

Safe computing practices are your best bet: never open an attachment when you're not sure who it came from, don't visit naughty sites or places that are pirate-focused, only download software from known places, and never respond to urgent emails regarding money owed, accounts being locked out, etc.
Safe computing practices are your best bet: never open an attachment when you're not sure who it came from, don't visit naughty sites or places that are pirate-focused, only download software from known places, and never respond to urgent emails regarding money owed, accounts being locked out, etc.

I follow these guidelines, but I was fooled recently. I was asked to prove that "I was not a robot", similar to a CAPTCHA test. After I clicked on it, I got malware.
 
"I was not a robot", similar to a CAPTCHA test. After I clicked on it, I got malware.
Wow, what happened - did it download software? I'm not sure how clicking on a link would have infected the computer, at least on a Mac.
 
I clicked on what I thought was a valid CAPTCHA and then it went to a page asking me to allow permissions. It was only after allowing permission that I realized something was wrong :(.

So yes, clicking on the link did not cause the problems, but my subsequent actions did.
 
Are you asking a hypothetical question, or do you think that you have malware?

The malware would need manual authorization from an admin account to install itself in another user account or in the system domain. (Even for an admin user account.) Unless it was exploiting some vulnerabilities in the OS.
 
The malware would need manual authorization from an admin account to install itself in another user account or in the system domain. (Even for an admin user account.) Unless it was exploiting some vulnerabilities in the OS.
Right, that last part is key. Sophisticated attackers will leverage multiple vulnerabilities. A foot-in-the-door exploit like the one Plutonius described would normally be limited to the logged-in account, but if the attacker can find some other opportunity once they're in a position to execute code, they could get into other accounts or private data.

Granted, if your production user account is a non-admin account, and that's where you keep all of your files and private data, then getting into the non-admin account is enough to create some havoc.

If you're creating a non-admin account in the hopes of creating a "safe space" to do some experimental web browsing or software installation, I'd consider:

- Enable FileVault on your production startup disk (everybody should just do this, period)
- Add a volume to your Mac's internal storage (or use an external disk, or use a VM)
- Install macOS onto that new volume (enable FileVault on this volume too)

Don't provide the password for your production startup disk when booted to the experimental volume, detach your backup disk when booting from this volume, and be really careful about granting full disk access to software that you install. If the software you're installing is making those sorts of requests, then a VM might be a better fit (or even a second Mac). This sort of setup would be more effective at isolating "your stuff" than a separate user account. When you're done or you feel that the environment is sufficiently tainted, you can just boot from the production startup volume and delete the experimental volume in Disk Utility.
 
The malware would need manual authorization from an admin account to install itself in another user account or in the system domain. (Even for an admin user account.) Unless it was exploiting some vulnerabilities in the OS.
*** unless there's a local exploit available that you have not patched.

If you're not 100% up to date with macOS security updates on the current version of macOS, all bets are off.

And even if you are, it's POSSIBLE there's a zero-day for malware to get elevated access on your machine if it can get a foothold via the ability to run things under your non-privileged user account.

Pwning a machine requires several steps, roughly:
  • obtain ability to run code on machine, either as a privileged user or low privilege user
    • if privileged access is obtained in step one, you're cooked
  • if non-privileged, use your ability to run code locally to elevate/break out of the sandbox
    • exploit local security problem
In general, escalation of access once you can run things on a machine is easier than getting privileged access to the machine in one step.

Article from a few years ago, but the core concepts are the same on any platform today. Local privilege escalation exploits are constantly discovered for all major platforms.

Example escalation of privilege for Sequoia prior to 15.6

This is why keeping current on security updates is essential.
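The advice in this thread (FileVault on, work from a non-admin account, keep the backup disk detached while experimenting, and stay current on macOS security updates) can be turned into a pre-flight check. The script below is an added example for this thread, not code posted by any participant. Its parsers take command output as strings so the logic runs offline on the constructed samples embedded in the file; on a Mac, main() feeds it the real `fdesetup`, `dscl`, `diskutil` and `sw_vers` output. The output formats and plist keys it expects, and the "15.6" version floor, are assumptions, not something the thread documents.

```python
#!/usr/bin/env python3
"""Pre-flight checks for a "safe space" macOS account or experimental volume.

Added example, not code from the thread. Parsers take command output as
strings; the formats and plist keys below are assumptions about current
macOS output and should be verified on your own machine.
"""
from __future__ import annotations

import getpass
import os
import platform
import plistlib
import re
import subprocess


def filevault_enabled(fdesetup_output: str) -> bool:
    """`fdesetup status` (assumed to begin 'FileVault is On.' or 'FileVault is Off.')."""
    return fdesetup_output.strip().lower().startswith("filevault is on")


def admin_members(dscl_output: str) -> set[str]:
    """`dscl . -read /Groups/admin GroupMembership` (assumed 'GroupMembership: root alice')."""
    for line in dscl_output.splitlines():
        if line.startswith("GroupMembership:"):
            return set(line.split(":", 1)[1].split())
    return set()


def is_admin(user: str, dscl_output: str) -> bool:
    return user in admin_members(dscl_output)


def external_volumes(diskutil_plists: list[bytes]) -> list[str]:
    """Mount points of non-internal volumes, from `diskutil info -plist <mountpoint>`
    output (assumed keys: Internal, MountPoint). A mounted backup disk shows up here."""
    found = []
    for blob in diskutil_plists:
        if not blob.strip():  # diskutil printed nothing (e.g. unreadable mount); skip it
            continue
        info = plistlib.loads(blob)
        if not info.get("Internal", True) and info.get("MountPoint"):
            found.append(info["MountPoint"])
    return found


def parse_version(product_version: str) -> tuple[int, ...]:
    """'15.6' -> (15, 6, 0), so it compares equal to '15.6.0' and below '15.6.1'."""
    parts = tuple(int(p) for p in re.findall(r"\d+", product_version))
    return parts + (0,) * (3 - len(parts))


def os_at_least(product_version: str, minimum: str) -> bool:
    return parse_version(product_version) >= parse_version(minimum)


def evaluate(user: str, fdesetup_out: str, dscl_out: str,
             diskutil_plists: list[bytes], product_version: str, minimum: str) -> dict[str, bool]:
    """One pass/fail per piece of advice in the thread."""
    return {
        "filevault_on": filevault_enabled(fdesetup_out),
        "non_admin_user": not is_admin(user, dscl_out),
        "no_external_volumes_mounted": not external_volumes(diskutil_plists),
        "os_at_or_above_minimum": os_at_least(product_version, minimum),
    }


# Constructed samples (not captured from a real machine) so the checks run anywhere.
SAMPLE_FDESETUP_ON = "FileVault is On.\n"
SAMPLE_DSCL = "GroupMembership: root alice\n"
SAMPLE_INTERNAL = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Internal</key><true/><key>MountPoint</key><string>/</string>
</dict></plist>"""
SAMPLE_EXTERNAL = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Internal</key><false/><key>MountPoint</key><string>/Volumes/Backup</string>
</dict></plist>"""


def _run(*argv: str) -> str:
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def main() -> None:
    if platform.system() != "Darwin":
        print("Not macOS; evaluating the constructed samples instead.")
        results = evaluate("bob", SAMPLE_FDESETUP_ON, SAMPLE_DSCL,
                           [SAMPLE_INTERNAL, SAMPLE_EXTERNAL], "15.6.1", "15.6")
    else:
        mounts = [os.path.join("/Volumes", v) for v in os.listdir("/Volumes")]
        results = evaluate(
            getpass.getuser(),
            _run("fdesetup", "status"),
            _run("dscl", ".", "-read", "/Groups/admin", "GroupMembership"),
            [_run("diskutil", "info", "-plist", m).encode() for m in mounts],
            _run("sw_vers", "-productVersion"),
            "15.6",  # assumed floor taken from the thread; not a substitute for `softwareupdate -l`
        )
    for check, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")


if __name__ == "__main__":
    main()
```

A FAIL on `non_admin_user` means the account you are about to experiment from can authorize installs into the system domain with one password prompt, which is exactly the case the first reply warns about; a FAIL on `no_external_volumes_mounted` means the backup disk is still attached. The version check only compares against a floor you choose; the authoritative answer is still `softwareupdate -l`.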