Apple recently fixed a vulnerability in the macOS operating system that could be potentially exploited by a threat actor to bypass Appleโs Gatekeeper security mechanism and deploy malware on vulnerable macOS devices.
Jonathan Bar Or, Microsoftโs Principal Security Researcher, detailed Gatekeeper, the vulnerability able to bypass it, and the effects of the flaw in a security blog post published on Monday.
The research was shared by Microsoft to emphasize the importance of collaboration among researchers and the security community to improve defenses for the larger ecosystem.
Tracked as CVE-2022-42821 (dubbed as Achilles), the vulnerability is related to a scenario where attackers may side-step application execution restrictions imposed by Appleโs Gatekeeper security checks, which is designed to ensure that only trusted software run on Mac devices.
Microsoft share the vulnerability with Apple in July 2022 throughย Coordinated Vulnerability Disclosureย (CVD) viaย Microsoft Security Vulnerability Researchย (MSVR).
The iPhone maker addressed the Achilles vulnerability by shipping an update in macOS 13ย (Ventura),ย macOS 12.6.2ย (Monterey), andย macOS 1.7.2 (Big Sur) on December 13, 2022.
โGatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS,โ Jonathan wrote in the blog post.
Restrictive ACLs Bypass Gatekeeper
Gatekeeperย is a macOS security feature, which enforcesย code signingย and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executingย malware.
When downloading apps from a browser, like Safari, the browser assigns a special extended attribute namedย com.apple.quarantine to the downloaded file. This is later used to enforce policies such as Gatekeeper.
The current Gatekeeper design dictates the following behavior for downloaded apps:
- If the app is validly signed and notarized, meaning approved by Apple, then a prompt requires the userโs consent before it is launched.
- Otherwise, the user is informed that the app cannot be run as itโs untrusted.
“Due to its essential role in stopping malware on macOS, Gatekeeper is a helpful and effective security feature,” adds Jonathan.
โHowever, considering there have been numerous bypass techniques targeting the security feature in the past, Gatekeeper is not bulletproof. Gaining the ability to bypass Gatekeeper has dire implications as sometimes malware authors leverage those techniques for initial access.”
To demonstrate the Achilles vulnerability, Microsoft developed a proof-of-concept (POC) that examined AppleDouble files misusing ACLs.
For those unaware, AppleDouble is a file format that saves the metadata in a different file side-by-side next to the original file, with a โ._โ prefix.
The companyย decided to add very restrictive ACLs to the downloaded files, which prohibited Safari (or any other program) from setting new extended attributes, including theย com.apple.quarantineย attribute.
To carry out the POC, Microsoft created a fake directory structure with an arbitrary icon and payload.
The Redmond giant then created an AppleDouble file with the com.apple.ac.text extended attribute key and a value that represented a restrictive ACL by selecting the equivalent of โeveryone deny write,writeattr,writeextattr,writesecurity,chownโ. Perform the correct AppleDouble patching if usingย dittoย to generate the AppleDouble file.
Lastly, it created an archived malicious payload within the malicious app alongside its AppleDouble file and hosted it on a web server.
As a result, the malicious app instead of getting blocked by Gatekeeper, allowed attackers to download and deploy malware.
“Apple’s Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles,” Microsoft Security Threat Intelligence teamย said on Monday.
“End-users should apply the fix regardless of their Lockdown Mode status.โ