Apple has patched a vulnerability that attackers could exploit to deploy malware on vulnerable macOS devices through untrusted apps that slip past Gatekeeper's application execution restrictions.
Discovered and reported by Microsoft Senior Security Researcher Jonathan Bar Or, the security flaw (dubbed Achilles) is now tracked as CVE-2022-42821.
Bypassing Gatekeeper via restrictive ACLs
Gatekeeper is a macOS security feature that automatically checks whether applications downloaded from the Internet are signed by their developer and notarized (approved) by Apple, asking the user to confirm before launching them or displaying an alert that the app cannot be trusted.
It does this by checking an extended attribute named com.apple.quarantine, which web browsers assign to every downloaded file, similar to the Mark of the Web on Windows.
The Achilles flaw lets a specially crafted payload abuse a logic issue: the attacker ships the application inside a ZIP archive together with restrictive access control list (ACL) permissions for it, and once the archive is extracted that ACL prevents web browsers and Internet downloaders from setting the com.apple.quarantine attribute on the payload.
As a result, the malicious application inside the archive launches on the target's system instead of being blocked by Gatekeeper, letting attackers download and deploy second-stage malicious payloads.
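The bypass turns on an attribute that travels inside the archive: Microsoft's write-up describes the restrictive ACL being supplied as a com.apple.acl.text extended attribute in an AppleDouble (._) sidecar entry, which Archive Utility restores on extraction before the quarantine attribute can be applied. The following Python is an added triage script, not Microsoft's proof of concept and not Apple's code: it parses the AppleDouble sidecar entries in a ZIP, extracts their extended attributes, and flags any com.apple.acl.text value that denies writeextattr. The AppleDouble/xattr field layout follows the format written by macOS copyfile(3) (26-byte header, Finder Info entry, then an 'ATTR' header and entry records, all big-endian); the sample archive, the Payload.app name and the ACL text are constructed here, and the "everyone" group UUID and gid are macOS's well-known values.

```python
import io
import re
import struct
import zipfile
from typing import Dict, List, Tuple

ADH_MAGIC = 0x00051607          # AppleDouble magic
ADH_VERSION = 0x00020000        # AppleDouble format version 2
ENTRY_FINDERINFO = 9            # entry ID: Finder Info (xattr area follows it)
ENTRY_RESOURCE = 2              # entry ID: resource fork
ATTR_MAGIC = b"ATTR"
ACL_XATTR = "com.apple.acl.text"
# well-known macOS UUID / gid of the "everyone" group (used in the constructed sample)
EVERYONE_UUID = "ABCDEFAB-CDEF-ABCD-CDEF-ABCDEFABCDEF"


def _attr_entry_len(namelen: int) -> int:
    """One attr_entry record: 11 fixed bytes + name incl. NUL, rounded up to 4."""
    return (11 + namelen + 3) & ~3


def build_appledouble(xattrs: Dict[str, bytes]) -> bytes:
    """Serialize xattrs into a minimal AppleDouble blob (the ._ sidecar format)."""
    names = list(xattrs)
    finfo_off = 26 + 2 * 12                 # header + two entry descriptors
    attr_hdr_off = finfo_off + 32 + 2       # 32-byte Finder Info + 2 pad bytes
    entries_off = attr_hdr_off + 36         # 36-byte attr header
    data_start = entries_off + sum(_attr_entry_len(len(n) + 1) for n in names)
    entries, data, off = b"", b"", data_start
    for n in names:
        name_b = n.encode() + b"\0"
        rec = struct.pack(">IIHB", off, len(xattrs[n]), 0, len(name_b)) + name_b
        entries += rec.ljust(_attr_entry_len(len(name_b)), b"\0")
        data += xattrs[n]
        off += len(xattrs[n])
    end = data_start + len(data)
    out = struct.pack(">II16sH", ADH_MAGIC, ADH_VERSION, b"\0" * 16, 2)
    out += struct.pack(">III", ENTRY_FINDERINFO, finfo_off, end - finfo_off)
    out += struct.pack(">III", ENTRY_RESOURCE, end, 0)   # empty resource fork
    out += b"\0" * 32 + b"\0" * 2                        # Finder Info + pad
    out += struct.pack(">4sIIIIIIIHH", ATTR_MAGIC, 0, end, data_start, len(data),
                       0, 0, 0, 0, len(names))
    return out + entries + data


def parse_appledouble_xattrs(blob: bytes) -> Dict[str, bytes]:
    """Return {name: value} for the extended attributes carried by an AppleDouble blob."""
    magic, _ver, _filler, num_entries = struct.unpack_from(">II16sH", blob, 0)
    if magic != ADH_MAGIC:
        raise ValueError("not an AppleDouble file")
    finfo = None
    for i in range(num_entries):
        eid, off, length = struct.unpack_from(">III", blob, 26 + 12 * i)
        if eid == ENTRY_FINDERINFO:
            finfo = (off, length)
    if finfo is None or finfo[1] <= 34:       # Finder Info only, no xattr area
        return {}
    hdr = finfo[0] + 32 + 2
    if blob[hdr:hdr + 4] != ATTR_MAGIC:
        return {}
    num_attrs = struct.unpack_from(">4sIIIIIIIHH", blob, hdr)[-1]
    pos, found = hdr + 36, {}
    for _ in range(num_attrs):
        off, length, _flags, namelen = struct.unpack_from(">IIHB", blob, pos)
        name = blob[pos + 11:pos + 11 + namelen].rstrip(b"\0").decode()
        found[name] = blob[off:off + length]
        pos += _attr_entry_len(namelen)
    return found


DENY_RE = re.compile(r":deny:([a-z_,]+)")


def acl_denies_xattr_write(acl_text: bytes) -> bool:
    """True if an acl_to_text(3)-style ACL denies writeextattr (what Achilles relies on)."""
    for m in DENY_RE.finditer(acl_text.decode("utf-8", "replace")):
        if "writeextattr" in m.group(1).split(","):
            return True
    return False


def scan_zip(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """(entry name, ACL text) for every ._ sidecar carrying a writeextattr-deny ACL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.rsplit("/", 1)[-1].startswith("._"):
                continue
            blob = zf.read(info)
            if len(blob) < 26 or struct.unpack_from(">I", blob)[0] != ADH_MAGIC:
                continue
            acl = parse_appledouble_xattrs(blob).get(ACL_XATTR)
            if acl is not None and acl_denies_xattr_write(acl):
                findings.append((info.filename, acl.decode("utf-8", "replace").strip()))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: fake app bundle plus a ._ sidecar holding the deny ACL."""
    deny_acl = ("!#acl 1\n" + f"group:{EVERYONE_UUID}:everyone:12:deny:"
                "write,writeattr,writeextattr,writesecurity,chown\n").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload.app/Contents/MacOS/Payload", b"#!/bin/sh\necho stage2\n")
        zf.writestr("__MACOSX/._Payload.app", build_appledouble({ACL_XATTR: deny_acl}))
        zf.writestr("__MACOSX/Payload.app/._Contents",
                    build_appledouble({"com.apple.lastuseddate#PS": b"\0" * 16}))
    return buf.getvalue()


if __name__ == "__main__":
    for name, acl in scan_zip(build_sample_zip()):
        print(f"{name}: {acl!r}")
```

Only a deny of writeextattr matters for the quarantine attribute, which is why the check ignores the other permissions in the same ACL entry. On a Mac, `ls -le` on the extracted bundle shows whether the deny entry survived extraction and `xattr -p com.apple.quarantine` shows whether the quarantine flag was applied; a deny-writeextattr entry on a freshly downloaded app bundle has no legitimate reason to exist and is worth blocking at the mail or download gateway.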
Microsoft said on Monday that "Apple's Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users who could be personally targeted by a sophisticated cyberattack, is aimed at stopping zero-click remote code execution exploits, and therefore does not defend against Achilles."
"End users should apply the fix regardless of their Lockdown Mode status," the Microsoft Security Threat Intelligence Team added.
More macOS Security Bypasses and Malware
This is just one of multiple Gatekeeper bypasses found over the past few years, many of which have been exploited in the wild by attackers to get around macOS security mechanisms such as Gatekeeper, File Quarantine, and System Integrity Protection (SIP) on fully patched Macs.
For example, in 2021 Bar Or reported a security flaw called Shrootless that can allow hackers to bypass System Integrity Protection (SIP) to perform arbitrary operations on a compromised Mac, elevate privileges to root, and even install rootkits on vulnerable devices.
The researcher also discovered the powerdir bug, which allows attackers to bypass the Transparency, Consent, and Control (TCC) technology to access protected user data.
He also released exploit code for a macOS vulnerability (CVE-2022-26706) that could help attackers bypass sandbox restrictions to run code on the system.
Finally, Apple patched a zero-day macOS vulnerability in April 2021 that allowed threat actors behind the notorious Shlayer malware to bypass Apple File Quarantine, Gatekeeper, and Notarization security checks and download more malware onto infected Macs.
The creators of Shlayer had also managed to get their payloads through Apple's automated notarization process and used a years-old technique to escalate privileges and disable macOS Gatekeeper in order to run unsigned payloads.