January 28, 2023

M-Dudes


Microsoft finds macOS bug that lets malware bypass security checks

Apple has fixed a vulnerability attackers could leverage to deploy malware on vulnerable macOS devices via untrusted applications capable of bypassing Gatekeeper application execution restrictions.

Found and reported by Microsoft principal security researcher Jonathan Bar Or, the security flaw (dubbed Achilles) is now tracked as CVE-2022-42821.

Apple addressed the bug in macOS 13 (Ventura), macOS 12.6.2 (Monterey), and macOS 11.7.2 (Big Sur) on December 13, 2022.

Gatekeeper bypass via restrictive ACLs

Gatekeeper is a macOS security feature that checks whether an app downloaded from the Internet is developer-signed and notarized by Apple before it is allowed to run, either asking the user to confirm the launch or warning that the app cannot be trusted.

The check is triggered by an extended attribute named com.apple.quarantine, which web browsers and other download clients attach to every file they save, much like Mark of the Web on Windows. A file without the attribute is treated as local and is never evaluated by Gatekeeper.

The Achilles flaw is a logic issue in how that attribute gets applied. A specially crafted ZIP archive carries a payload with restrictive Access Control List (ACL) permissions, and those permissions survive extraction. Because the ACL denies writing extended attributes, web browsers and Internet downloaders cannot set com.apple.quarantine on the extracted payload.

As a result, the malicious app contained in the archive launches on the target's system instead of being blocked by Gatekeeper, giving attackers a way to download and deploy malware.
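The following triage script is an added example, not code from Microsoft or the article. It encodes the condition Achilles leaves behind: a file with no com.apple.quarantine attribute whose ACL contains a "deny" entry covering writeextattr, which is the permission a download client needs in order to attach the attribute. The text-parsing helpers work on any POSIX shell; the collector and remediation functions call macOS-only tools (xattr, ls -le, chmod -N). The quarantine flag value 0083 and the agent name "manual" used when re-quarantining are assumptions, not values taken from the page.

```shell
#!/bin/sh
# Added triage helper (not from Microsoft or the article). Looks for the
# Achilles pattern: a downloaded file that carries no com.apple.quarantine
# attribute because an ACE denies "writeextattr", which stopped the download
# client from writing the attribute in the first place.

# Return 0 if an `ls -le` listing contains an ACE that denies writing
# extended attributes. macOS prints ACEs as lines such as:
#   " 0: group:everyone deny writeattr,writeextattr,writesecurity,chown"
acl_blocks_xattr_write() {
    printf '%s\n' "$1" |
        grep -E '^ *[0-9]+: .* deny ([a-z_]+,)*writeextattr(,|$)' >/dev/null
}

# Extract the download agent (third ';'-separated field) from a quarantine
# value such as "0083;63a0f1b2;Safari;8D7E...". Empty input yields empty output.
quarantine_agent() {
    printf '%s' "$1" | cut -d';' -f3
}

# Verdict from (quarantine value, `ls -le` output):
#   QUARANTINED    attribute present; Gatekeeper will evaluate the file
#   SUSPECT        attribute missing AND an ACE denies writeextattr (Achilles)
#   UNQUARANTINED  attribute missing, no blocking ACE (local file or approved)
classify_file() {
    q="$1"; acl="$2"
    if [ -n "$q" ]; then
        echo QUARANTINED
    elif acl_blocks_xattr_write "$acl"; then
        echo SUSPECT
    else
        echo UNQUARANTINED
    fi
}

# macOS-only collector: read the live attribute and ACL, then classify.
# `xattr -p` exits non-zero when the attribute is absent, hence `|| true`.
inspect_file() {
    f="$1"
    q=$(xattr -p com.apple.quarantine "$f" 2>/dev/null || true)
    acl=$(ls -le "$f" 2>/dev/null || true)
    verdict=$(classify_file "$q" "$acl")
    printf '%s\t%s\t%s\n' "$verdict" "$(quarantine_agent "$q")" "$f"
}

# Remediation for a SUSPECT file: strip the ACL, then attach a quarantine
# attribute so Gatekeeper evaluates the file on its next launch. The flag
# value 0083 and the agent name "manual" are assumptions; adjust to policy.
requarantine() {
    f="$1"
    chmod -N "$f"
    xattr -w com.apple.quarantine "0083;$(printf '%x' "$(date +%s)");manual;" "$f"
}

# Walk a directory when run on macOS with a path argument. The helpers above
# are pure text processing and can be exercised on any POSIX shell.
if [ "$(uname)" = Darwin ] && [ -n "$1" ]; then
    find "$1" -type f | while IFS= read -r f; do inspect_file "$f"; done
fi
```

Run it as `sh achilles_triage.sh ~/Downloads` on a Mac and grep the output for SUSPECT; a hit means a file arrived from the Internet without ever being subject to a Gatekeeper check. Because the ACL also denies writing the attribute manually, `requarantine` removes the ACL with `chmod -N` before calling `xattr -w`.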

Microsoft said on Monday that “Apple’s Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles.”

“End-users should apply the fix regardless of their Lockdown Mode status,” the Microsoft Security Threat Intelligence team added.

More macOS security bypasses and malware

This is one of several macOS security bypasses found in the last few years, some of them abused in the wild by attackers to circumvent Gatekeeper, File Quarantine, and System Integrity Protection (SIP) on fully patched Macs.

For instance, Bar Or reported a security flaw dubbed Shrootless in 2021 that lets an attacker who already has root access bypass System Integrity Protection (SIP) to perform arbitrary operations on the compromised Mac, up to and including installing a rootkit.

The researcher also discovered powerdir, a bug that allows attackers to bypass Transparency, Consent, and Control (TCC) technology to access users’ protected data.

He also released exploit code for a macOS vulnerability (CVE-2022-26706) that could help attackers bypass sandbox restrictions to run code on the system.

Last but not least, Apple fixed a zero-day macOS vulnerability in April 2021 that enabled threat actors behind the notorious Shlayer malware to circumvent Apple’s File Quarantine, Gatekeeper, and Notarization security checks and download more malware on infected Macs.

Shlayer’s creators had also managed to get their payloads through Apple’s automated notarizing process and used a years-old technique to escalate privileges and disable macOS’ Gatekeeper to run unsigned payloads.