Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems

December 20, 2022 | Ravie Lakshmanan | Endpoint Security / Vulnerability

Gatekeeper Bypass vulnerability

Microsoft has released details of a now-patched vulnerability in Apple macOS that could be exploited by an attacker to bypass security measures imposed to prevent malicious applications from running.

The shortcoming, dubbed Achilles (CVE-2022-42821, CVSS score: 5.5), was addressed by the iPhone maker in macOS Ventura 13, Monterey 12.6.2 and Big Sur 11.7.2 and is described as a logic issue that could be weaponized by an app to bypass Gatekeeper checks.

“Gatekeeper bypasses like these could be used as an initial vector for malware and other threats, and help increase the success rate of malicious campaigns and attacks on macOS,” said Jonathan Bar Or of the Microsoft 365 Defender Research Team.


Gatekeeper is a security mechanism designed to ensure that only trusted apps run on the operating system. It is enforced through an extended attribute called “com.apple.quarantine” that is assigned to files downloaded from the Internet, and is analogous to the Mark of the Web (MotW) flag in Windows.

So if an unsuspecting user downloads a potentially malicious app that masquerades as legitimate software, Gatekeeper will prevent the app from running because it is not validly signed and notarized by Apple.

Even in cases where an app has been approved by Apple, users are presented with a prompt asking for their explicit consent on first launch.

Given the crucial role Gatekeeper plays in macOS, it’s not hard to imagine the consequences of bypassing this security barrier, which could effectively allow attackers to install malware on victims' computers.

The Achilles vulnerability identified by Microsoft abuses a permissions model called Access Control Lists (ACLs) to add extremely restrictive permissions (e.g. “everyone deny write, write attr, write extattr, write security, chown”) to a downloaded file, which prevents Safari from setting the quarantine extended attribute on it.
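As an added illustration (not part of the original article or of Microsoft's research), the following Python script shows how a defender could triage downloaded files for exactly this condition: an ACL deny entry covering writeextattr combined with a missing com.apple.quarantine attribute. The `ls -le` and `xattr -l` output formats are assumed from the macOS tools, and the sample output embedded below is constructed.

```python
import re
from dataclasses import dataclass

# One ACL entry as printed by `ls -le`, e.g. " 0: group:everyone deny write,writeextattr,chown"
ACL_ENTRY = re.compile(r"^\s*\d+:\s+(?P<who>\S+)\s+(?P<kind>allow|deny)\s+(?P<perms>\S+)\s*$")
QUARANTINE_XATTR = "com.apple.quarantine"

@dataclass
class Finding:
    path: str
    quarantined: bool         # com.apple.quarantine present
    deny_write_extattr: bool  # an ACL deny entry covers writeextattr
    suspicious: bool          # denies xattr writes yet carries no quarantine attribute

def parse_ls_le(output: str) -> dict[str, list[tuple[str, str, set[str]]]]:
    """Map each file in `ls -le` output to its ACL entries (who, allow|deny, perms).
    Assumes file names without spaces (last field of the listing line)."""
    acls: dict[str, list[tuple[str, str, set[str]]]] = {}
    current = None
    for line in output.splitlines():
        entry = ACL_ENTRY.match(line)
        if entry and current is not None:
            acls[current].append((entry["who"], entry["kind"], set(entry["perms"].split(","))))
        elif line.strip() and not line.startswith("total"):
            current = line.split()[-1]
            acls.setdefault(current, [])
    return acls

def has_quarantine(xattr_l_output: str) -> bool:
    """True if `xattr -l <file>` output lists com.apple.quarantine."""
    return any(l.startswith(QUARANTINE_XATTR + ":") for l in xattr_l_output.splitlines())

def assess(ls_le_output: str, xattr_outputs: dict[str, str]) -> list[Finding]:
    """Combine ACL and xattr evidence per file; xattr_outputs maps path -> `xattr -l` text."""
    findings = []
    for path, entries in parse_ls_le(ls_le_output).items():
        deny = any(kind == "deny" and "writeextattr" in perms for _, kind, perms in entries)
        quarantined = has_quarantine(xattr_outputs.get(path, ""))
        findings.append(Finding(path, quarantined, deny, deny and not quarantined))
    return findings

# Constructed sample tool output (not captured from a real system).
SAMPLE_LS_LE = """\
-rw-r--r--+ 1 alice  staff  4096 Dec 20 10:12 Installer.zip
 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown
-rw-r--r--@ 1 alice  staff  2048 Dec 20 10:15 notes.pdf
"""
SAMPLE_XATTR = {"Installer.zip": "", "notes.pdf": "com.apple.quarantine: 0083;63a1b2c3;Safari;00000000-0000-0000-0000-000000000000"}
```

Running `assess(SAMPLE_LS_LE, SAMPLE_XATTR)` flags Installer.zip as suspicious and passes notes.pdf, which carries the quarantine attribute and no deny entry.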

In a hypothetical attack scenario, an attacker could use the technique to create and host a rogue app on a server, which could then be delivered to a potential target via social engineering, malicious advertising, or a watering hole.

The method also bypasses Apple’s newly introduced Lockdown Mode in macOS Ventura, an opt-in restrictive setting to counter zero-click exploits, which means users must apply the latest updates to mitigate the threat.

“Fake apps remain one of the key entry vectors to macOS, suggesting that Gatekeeper bypass techniques are an attractive and even necessary capability for attackers to leverage in attacks,” Bar Or said.
