Microsoft Discloses Gatekeeper Bypass Vulnerability: Microsoft has revealed information about a recently patched security vulnerability in Apple macOS that might be used by an attacker to bypass security measures meant to prevent malicious apps from being executed.
Apple fixed the vulnerability, known as Achilles (CVE-2022-42821, CVSS score: 5.5), in macOS Ventura 13, Monterey 12.6.2, and Big Sur 11.7.2. The company explained that the flaw was a logic error that could be exploited by a programme to bypass Gatekeeper checks.
According to Microsoft’s 365 Defender Research Team’s Jonathan Bar Or, “Gatekeeper bypasses like this might be utilised as a channel for initial access by malware and other threats,” which could boost the effectiveness of malware distribution and assault campaigns on macOS.
The operating system’s security component, Gatekeeper, restricts execution to authorised programmes only. To enforce this policy, files downloaded from the internet are marked with the extended attribute com.apple.quarantine, which functions similarly to Windows’ Mark of the Web (MotW) flag.
When an unwitting user downloads a potentially hazardous app that impersonates a piece of authorised software, Gatekeeper stops the app from running because it is not officially signed and notarised by Apple.
The first time a user launches an app, even one Apple has approved, they will receive a prompt asking for their permission. Given macOS’s reliance on Gatekeeper for security, the implications of bypassing this barrier, which could allow threat actors to install malware on Macs, are difficult to ignore.
#Microsoft discloses details of a recently reported Gatekeeper bypass #vulnerability [CVE-2022-42821] in Apple #macOS that could allow attackers to bypass security measures and run malicious applications.
— The Hacker News (@TheHackersNews) December 20, 2022
The Achilles flaw, as described by Microsoft, uses the ACL permission mechanism to apply highly restrictive permissions to a downloaded file (i.e., “everyone deny write,writeattr,writeextattr,writesecurity,chown”), which prevents Safari from setting the quarantine extended attribute on it.
An attacker may use this method to create a malicious programme, host it on a server, and then use social engineering, malicious advertisements, or a watering hole to spread it to their intended victims.
It also works around Lockdown Mode, a stringent setting in macOS Ventura that users can enable to protect against zero-click attacks, so users should make sure they have the most recent updates installed.
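As an added, defender-side example that is not part of the article or of Microsoft’s write-up: a shell script that flags a downloaded file which lacks com.apple.quarantine but carries a “deny writeextattr” ACL, the combination described above (writeextattr is the macOS ACL permission name used by chmod and shown by ls -le). The classify function works on listing text so it can be exercised against constructed sample output on any system; audit_file runs the real macOS commands.

```shell
#!/bin/sh
# Added example, not from the article. Flags files that have no quarantine
# attribute but carry an ACL deny entry blocking writeextattr, which is the
# state an Achilles-style download leaves behind.

# Return 0 if the `ls -le` text contains a deny entry covering writeextattr.
has_deny_writeextattr() {
    printf '%s\n' "$1" | grep -Eq '^ *[0-9]+: .* deny (.*,)?writeextattr(,|$)'
}

# Return 0 if the `xattr` listing text mentions com.apple.quarantine.
has_quarantine_xattr() {
    printf '%s\n' "$1" | grep -q 'com\.apple\.quarantine'
}

# classify ACL_TEXT XATTR_TEXT -> prints QUARANTINED, SUSPICIOUS or UNFLAGGED
classify() {
    acl="$1"; xattrs="$2"
    if has_quarantine_xattr "$xattrs"; then
        echo QUARANTINED            # Gatekeeper will inspect it on launch
    elif has_deny_writeextattr "$acl"; then
        echo SUSPICIOUS             # no flag, and an ACL that blocks setting one
    else
        echo UNFLAGGED              # no flag, but nothing prevented it either
    fi
}

# macOS only: audit one path using the real ls -le and xattr output.
audit_file() {
    f="$1"
    acl=$(ls -le "$f" 2>/dev/null || true)
    xattrs=$(xattr "$f" 2>/dev/null || true)
    printf '%s\t%s\n' "$(classify "$acl" "$xattrs")" "$f"
}

# Constructed sample of `ls -le` output for a file carrying the ACL from the
# article (hypothetical file name), and one with a harmless allow entry.
SAMPLE_ACL='-rw-r--r--+ 1 user staff 0 Dec 20 10:00 Installer.app
 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown'
SAMPLE_ALLOW='-rw-r--r--+ 1 user staff 0 Dec 20 10:00 notes.txt
 0: group:everyone allow read'

classify "$SAMPLE_ACL" ""          # -> SUSPICIOUS
# On a Mac: for f in "$HOME/Downloads"/*; do audit_file "$f"; done
```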
“Fake apps remain one of the top entry routes on macOS,” said Bar Or, “showing Gatekeeper bypass techniques are an attractive and even a required capability for attackers to utilise in attacks.”