Microsoft Warns on 'Achilles' macOS Gatekeeper Bypass

The latest bypass for Apple’s application-safety feature could allow malicious takeover of Macs.

DARKReading

A bypass vulnerability in macOS for Apple’s Gatekeeper mechanism could allow cyberattackers to execute malicious applications on target Macs — regardless of whether Lockdown mode is enabled.

Among the details of the bug (CVE-2022-42821), which Microsoft dubbed “Achilles,” is that researchers were able to craft a working exploit using the Access Control List (ACL) mechanism in macOS, which allows fine-grained permissioning for applications.

Popular Target: Apple Gatekeeper for Vetting Applications

Apple Gatekeeper is a security mechanism designed to ensure that only “trusted apps” run on Mac devices — i.e., those that are signed by a valid authority and approved by Apple. If the software can’t be validated by Gatekeeper, the user gets a blocking pop-up explaining that the app can’t be executed.

In theory, this mitigates the threat of malicious sideloaded applications that users might accidentally download from pirate sites or third-party app stores. The issue, though, is that bad actors have devoted quite a bit of time to finding bypass avenues for the feature, Microsoft researchers noted, as shown by previous exploited vulnerabilities such as CVE-2022-22616, CVE-2022-32910, CVE-2021-1810, CVE-2021-30657, CVE-2021-30853, CVE-2019-8656, and CVE-2014-8826.

And no wonder: “Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS,” Microsoft researchers warned in an advisory issued this week. “Our data shows that fake apps remain one of the top entry vectors on macOS, indicating Gatekeeper bypass techniques are an attractive and even a necessary capability for adversaries to leverage in attacks.”

Uncovering a New Gatekeeper Bypass

Piggybacking off of details surrounding CVE-2021-1810, Microsoft researchers set out to create a new bypass, which they achieved by attaching restrictive permission rules to malicious files via the ACL mechanism.

Apple employs a quarantine mechanism for downloaded apps, according to the advisory: “When downloading apps from a browser, like Safari, the browser assigns a special extended attribute to the downloaded file. That attribute is named com.apple.quarantine and is later used to enforce policies such as Gatekeeper.”

However, there is an additional option in macOS to apply a special extended attribute named com.apple.acl.text, which is used to set arbitrary ACLs.

“Each ACL has one or more Access Control Entries (ACEs) that dictate what each principal can or cannot do, much like firewall rules,” Microsoft researchers explained. “Equipped with this information, we decided to add very restrictive ACLs to the downloaded files. Those ACLs prohibit Safari (or any other program) from setting new extended attributes, including the com.apple.quarantine attribute.”

Without the quarantine attribute in place, Gatekeeper is never prompted to inspect the file, so the file sidesteps the security mechanism altogether.
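For defenders, the pattern described above is something a triage script can look for on a downloads folder: a file that carries no com.apple.quarantine attribute and, at the same time, an ACL entry denying writeextattr. The script below is an added example written for this page, not code from Microsoft, Apple, or the researchers; the function names (parse_acl, assess, collect_macos, scan) are the example's own, and it assumes the output formats of the macOS xattr(1) tool (attribute names, one per line) and of `ls -le` (one ACE per line, e.g. ` 0: group:everyone deny writeextattr`). The classification logic is kept separate from the host calls so it can be checked offline against constructed input.

```python
"""Added example: flag downloaded files whose quarantine attribute is missing and
whose ACL denies writeextattr (the combination described in the Achilles write-up).
Not code from Microsoft or Apple; output-format assumptions are noted inline."""
import re
import subprocess
from pathlib import Path

QUARANTINE_XATTR = "com.apple.quarantine"

# One ACE as printed by `ls -le` on macOS, e.g. " 0: group:everyone deny writeextattr".
# Assumed layout: index, principal, allow|deny, comma-separated permissions.
ACE_RE = re.compile(r"^\s*\d+:\s+(?P<principal>\S+)\s+(?P<effect>allow|deny)\s+(?P<perms>\S+)")


def parse_acl(ls_le_output: str):
    """Return (principal, effect, [perms]) tuples parsed from `ls -le` text.
    The leading long-listing line starts with a mode string, so it never matches."""
    entries = []
    for line in ls_le_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            entries.append((m["principal"], m["effect"], m["perms"].split(",")))
    return entries


def assess(xattr_names, ls_le_output: str):
    """Return a list of findings for one file, given its xattr names and `ls -le` output."""
    findings = []
    if QUARANTINE_XATTR not in xattr_names:
        findings.append("missing com.apple.quarantine: Gatekeeper will not evaluate this file")
    for principal, effect, perms in parse_acl(ls_le_output):
        if effect == "deny" and "writeextattr" in perms:
            findings.append(
                f"ACL denies writeextattr for {principal}: the quarantine attribute cannot be applied"
            )
    return findings


def collect_macos(path: Path):
    """Gather assess() inputs from a live macOS host (assumes xattr(1) and ls(1) are present)."""
    names = subprocess.run(["xattr", str(path)], capture_output=True, text=True, check=True).stdout.split()
    acl = subprocess.run(["ls", "-le", str(path)], capture_output=True, text=True, check=True).stdout
    return names, acl


def scan(directory: Path, collector=collect_macos):
    """Map each regular file in `directory` to its findings, omitting clean files."""
    report = {}
    for p in sorted(directory.iterdir()):
        if p.is_file():
            findings = assess(*collector(p))
            if findings:
                report[str(p)] = findings
    return report


if __name__ == "__main__":
    import sys

    target = Path(sys.argv[1] if len(sys.argv) > 1 else "~/Downloads").expanduser()
    for file, findings in scan(target).items():
        print(file)
        for finding in findings:
            print("  -", finding)
```

A missing quarantine attribute on its own is a weak signal, since locally created files never carry it; the finding worth acting on is the pair of a missing attribute and a deny-writeextattr ACE on a file that arrived via a browser or archive.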

Crucially, Microsoft researchers found that Apple’s Lockdown feature, which it debuted in July to prevent state-sponsored spyware from infecting at-risk targets, can’t thwart the Achilles attack.

“We note that Apple’s Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles,” according to Microsoft.

The issue was disclosed to Apple in July, with fixes rolling out in the latest macOS version. To protect themselves, Mac users are encouraged to update their operating systems to the latest version as soon as possible.

Related news

Microsoft Details Critical Apple macOS Vulnerability Allowing SIP Protection Bypass

Microsoft has shared details of a now-patched flaw in Apple macOS that could be abused by threat actors with root access to bypass security enforcements and perform arbitrary actions on affected devices. Specifically, the flaw – dubbed Migraine and tracked as CVE-2023-32369 – could be abused to get around a key security measure called System Integrity Protection (SIP), or “rootless,” which

Apple Security Advisory 2022-12-13-6

Apple Security Advisory 2022-12-13-6 - macOS Big Sur 11.7.2 addresses bypass, code execution, and integer overflow vulnerabilities.

Apple Security Advisory 2022-12-13-5

Apple Security Advisory 2022-12-13-5 - macOS Monterey 12.6.2 addresses bypass, code execution, and integer overflow vulnerabilities.

Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems

Microsoft has disclosed details of a now-patched security flaw in Apple macOS that could be exploited by an attacker to get around security protections imposed to prevent the execution of malicious applications. The shortcoming, dubbed Achilles (CVE-2022-42821, CVSS score: 5.5), was addressed by the iPhone maker in macOS Ventura 13, Monterey 12.6.2, and Big Sur 11.7.2, describing it as a logic

macOS Archive Utility Bug Lets Malicious Apps Bypass Security Checks

Exploit allows unsigned and unnotarized macOS applications to bypass Gatekeeper and other security, without notifying the user.

Details Released for Recently Patched new macOS Archive Utility Vulnerability

Security researchers have shared details about a now-addressed security flaw in Apple's macOS operating system that could be potentially exploited to run malicious applications in a manner that can bypass Apple's security measures. The vulnerability, tracked as CVE-2022-32910, is rooted in the built-in Archive Utility and "could lead to the execution of an unsigned and unnotarized application

CVE-2022-22633: About the security content of macOS Big Sur 11.6.5

A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, macOS Monterey 12.3. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.

CVE-2022-22665: About the security content of macOS Monterey 12.3

A logic issue was addressed with improved validation. This issue is fixed in macOS Monterey 12.3. A malicious application may be able to gain root privileges.

CVE-2021-30844: About the security content of macOS Big Sur 11.6

A logic issue was addressed with improved state management. This issue is fixed in Security Update 2021-005 Catalina, macOS Big Sur 11.6. A remote attacker may be able to leak memory.
