Microsoft Discloses Gatekeeper Bypass Vulnerability in Apple macOS Systems

Microsoft Discloses Gatekeeper Bypass Vulnerability: Microsoft has revealed information about a recently patched security vulnerability in Apple macOS that might be used by an attacker to bypass security measures meant to prevent malicious apps from being executed.

Apple fixed the vulnerability, known as Achilles (CVE-2022-42821, CVSS score: 5.5), in macOS Ventura 13, Monterey 12.6.2, and Big Sur 11.7.2. The company explained that the flaw was a logic error that could be exploited by a programme to bypass Gatekeeper checks.

According to Microsoft's 365 Defender Research Team's Jonathan Bar Or, “Gatekeeper bypasses like this might be utilised as a channel for initial access by malware and other threats,” which could boost the effectiveness of malware distribution and assault campaigns on macOS.

Microsoft Discloses Gatekeeper Bypass Vulnerability
Microsoft Discloses Gatekeeper Bypass Vulnerability

The operating system's security component, Gatekeeper, restricts execution to authorised programmes exclusively. Files downloaded from the internet are marked with the extended attribute to ensure compliance with this policy. It functions similarly to Windows' Mark of the Web (MotW) flag.

Because it is not officially signed and notarized by Apple, the Gatekeeper function stops the app from being run when an unknowing user downloads a potentially hazardous app that impersonates a piece of authorised software.

The first time a user launches an app, even if Apple has approved it, they will receive a prompt asking for their permission. Given macOS‘s reliance on Gatekeeper for security, the implications of bypassing the barrier, which could allow threat actors to instal malware on the Macs, are difficult to ignore.

Microsoft's Achilles flaw prevents Safari from establishing the quarantine extended attribute by using the ACL permission mechanism to provide highly stringent permissions to a downloaded file (i.e., “everyone deny write,writeattr,writeextr,writesecurity,chown”).

An attacker may use this method to create a malicious programme, host it on a server, and then use social engineering, malicious advertisements, or a watering hole to spread it to their intended victims.

It also works around Lockdown Mode, a stringent setting in macOS Ventura that users may use to protect against zero-click attacks, so users should make sure they have the most recent updates installed.

“Fake apps remain one of the top entry routes on macOS,” said Bar Or, “showing Gatekeeper bypass techniques are an attractive and even a required capability for attackers to utilise in attacks.”

Please keep visiting for updates. Keep our site bookmarked so you can quickly return to check for new content, Like WhatsApp Launches Accidental Delete Feature