Microsoft Discovers macOS Bug That Bypasses Security Tools

Apple has fixed a flaw that let untrusted apps run on vulnerable macOS devices despite Gatekeeper's application execution restrictions, allowing malware to be installed.

The Achilles security flaw was discovered and reported by Microsoft Principal Security Researcher Jonathan Bar Or and is tracked as CVE-2022-42821.

The Security Bug Bypasses Gatekeeper Through Restrictive ACLs

Microsoft first identified a bug that allowed attackers to get around Apple's Gatekeeper security measure in macOS back in July 2022.

Bleeping Computer writes that Gatekeeper is a macOS security feature that automatically verifies whether all apps downloaded from the Internet are notarized and developer-signed.

It also asks the user to confirm before a downloaded app is launched, or warns that the app cannot be trusted.

To make this work, web browsers and other downloaders tag each downloaded file with the com.apple.quarantine extended attribute, much as Windows applies the Mark of the Web.

The flaw lets a specially crafted payload abuse a logic error to apply a restrictive Access Control List (ACL) to the files it delivers, one that denies writing extended attributes.

Because of that ACL, web browsers and Internet downloaders cannot add the com.apple.quarantine attribute to the contents of the downloaded ZIP payload.

As a result, Gatekeeper never assesses the malicious app inside the archive, so it launches on the target's system without a prompt and the attacker can deploy malware.
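The quarantine-attribute and ACL interaction described above, as an added detection-side example that is neither code from this article nor Microsoft's Achilles proof of concept: a Python script that parses com.apple.quarantine values into their flags, download time and downloading agent, parses `ls -le` output to find ACL entries that deny writeextattr, and flags extracted items that either lack the quarantine attribute or carry such an ACL. The sample listing and attribute values are constructed; the `read_quarantine_macos` helper shells out to macOS's `xattr -p` and is the only part that needs a Mac.

```python
"""Audit extracted items for the Achilles failure mode: a missing
com.apple.quarantine attribute and/or an ACL that denies extended-attribute
writes. Added detection example with constructed sample data."""
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Quarantine value layout used by macOS: "<flags hex>;<unix time hex>;<agent>;<uuid>".
# Only the first two fields are always present.
QUARANTINE_RE = re.compile(r"^([0-9a-fA-F]{4});([0-9a-fA-F]+)(?:;([^;]*))?(?:;([^;]*))?$")


@dataclass
class Quarantine:
    flags: int
    downloaded_at: datetime
    agent: str
    uuid: str


def parse_quarantine(value: str) -> Quarantine:
    """Parse a com.apple.quarantine value (the timestamp is useful forensically)."""
    m = QUARANTINE_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a quarantine value: {value!r}")
    flags, ts, agent, uuid = m.groups()
    return Quarantine(int(flags, 16),
                      datetime.fromtimestamp(int(ts, 16), tz=timezone.utc),
                      agent or "", uuid or "")


def read_quarantine_macos(path: str) -> Optional[str]:
    """macOS only: `xattr -p com.apple.quarantine <path>` prints the value and
    exits non-zero when the attribute is absent."""
    r = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                       capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None


# `ls -le` prints each ACE below its file as " 0: group:everyone deny write,writeextattr".
ACE_RE = re.compile(r"^\s*\d+:\s*(\S+)\s+(allow|deny)\s+(\S+)\s*$")


def parse_ls_le(listing: str) -> Dict[str, List[str]]:
    """Map each file name in `ls -le` output to its ACEs as "who verb perms" strings."""
    acls: Dict[str, List[str]] = {}
    current = None
    for line in listing.splitlines():
        ace = ACE_RE.match(line)
        if ace and current is not None:
            acls[current].append(f"{ace.group(1)} {ace.group(2)} {ace.group(3)}")
        elif line.strip() and not line.startswith("total"):
            current = line.split(None, 8)[-1]  # file name is the ninth column
            acls[current] = []
    return acls


def denies_xattr_writes(aces: List[str]) -> bool:
    """True if a deny ACE covers writeextattr: setting com.apple.quarantine would fail."""
    for ace in aces:
        _, verb, perms = ace.split(" ", 2)
        if verb == "deny" and "writeextattr" in perms.split(","):
            return True
    return False


def audit_item(quarantine: Optional[str], aces: List[str]) -> List[str]:
    """Findings for one extracted item. No quarantine attribute plus an ACL that
    blocks xattr writes is exactly what an Achilles-style payload leaves behind."""
    findings = []
    if quarantine is None:
        findings.append("no com.apple.quarantine: Gatekeeper will not assess this item")
    else:
        q = parse_quarantine(quarantine)
        findings.append(f"quarantined by {q.agent or '?'} at {q.downloaded_at:%Y-%m-%d %H:%M:%S}Z")
    if denies_xattr_writes(aces):
        findings.append("ACL denies writeextattr: quarantine attribute cannot be applied")
    return findings


def audit_listing(listing: str, xattrs: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Run audit_item over every file in an `ls -le` listing, given its quarantine values."""
    return {name: audit_item(xattrs.get(name), aces)
            for name, aces in parse_ls_le(listing).items()}


# Constructed `ls -le` output: one normal download and one item carrying the restrictive ACL.
SAMPLE_LS_LE = """total 0
drwxr-xr-x   3 alice  staff   96 Dec 19 10:00 Notes.app
drwxr-xr-x+  3 alice  staff   96 Dec 19 10:01 Evil.app
 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown
"""
# Constructed quarantine values keyed by item name (None means the attribute is absent).
SAMPLE_XATTRS: Dict[str, Optional[str]] = {
    "Notes.app": "0083;63a04b10;Safari;1B9C2D5E-0F0F-4A1A-9B2B-3C3D4E5F6A7B",
    "Evil.app": None,
}

if __name__ == "__main__":
    for name, findings in audit_listing(SAMPLE_LS_LE, SAMPLE_XATTRS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

On a real Mac, replace the constructed dictionary with `read_quarantine_macos` calls over the extracted files and feed `parse_ls_le` the output of `ls -le` on the extraction directory; an app that is missing the attribute right after extraction from a quarantined archive is the signal to investigate.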

Microsoft reported the problem to Apple through Coordinated Vulnerability Disclosure and named the proof-of-concept that exploits the vulnerability "Achilles."

According to Windows Central, attackers could use the vulnerability to install malware on macOS systems that remain unpatched.


This Is Not the First Time Malware Has Bypassed macOS Security

Several security features and layers of protection make it harder for attackers to install malware and other malicious software on macOS.

Gatekeeper and other Apple tools enforce these mitigations and tell the user when an app cannot be run because it is untrusted.

"Due to its essential role in stopping malware on macOS, Gatekeeper is a helpful and effective security feature," Microsoft says in its write-up.

However, Gatekeeper is not impenetrable: many methods of bypassing it have been found in the past, Bleeping Computer notes.

For instance, in 2021 Bar Or disclosed Shrootless (CVE-2021-30892), a flaw that allowed threat actors to bypass System Integrity Protection (SIP) and perform arbitrary operations on a compromised Mac.

The researcher also found powerdir (CVE-2021-30970), a Transparency, Consent, and Control (TCC) bypass that let attackers access users' protected data without the consent TCC is meant to enforce.

In April 2021, Apple patched a zero-day macOS vulnerability (CVE-2021-30657) that the operators of the Shlayer malware used to get around the File Quarantine, Gatekeeper and Notarization checks.

Bypassing Gatekeeper has serious consequences because malware authors sometimes use such techniques to gain initial access on a Mac.


© 2024 iTech Post All rights reserved. Do not reproduce without permission.
