The macOS Vulnerability: Achilles

Microsoft has published details of a now-patched vulnerability in Apple macOS that an attacker could use to bypass the security checks meant to stop untrusted software from running.

Apple fixed the flaw, dubbed Achilles (CVE-2022-42821, CVSS score: 5.5), in macOS Ventura 13, Monterey 12.6.2, and Big Sur 11.7.2. Apple describes it as a logic issue that an app could exploit to bypass Gatekeeper checks.

According to Jonathan Bar Or of the Microsoft 365 Defender Research Team, “Gatekeeper bypasses like this might be used as a channel for initial access by malware and other threats and could help boost the success rate of malicious campaigns and attacks on macOS.”

Gatekeeper is the security feature that ensures only trusted apps are allowed to run on the operating system. It is enforced through an extended attribute, com.apple.quarantine, that is attached to files downloaded from the internet; the attribute is comparable to Windows’ Mark of the Web (MotW) flag.

As a result, when an unwary user downloads a malicious app that impersonates a legitimate piece of software, Gatekeeper refuses to run it unless it has been validly signed and notarized by Apple.

Even when Apple has approved the software, users are shown a prompt the first time the app is launched, asking for their explicit consent.

Given the central role Gatekeeper plays in macOS, bypassing this barrier would effectively let threat actors install malware on affected devices.

The Achilles vulnerability found by Microsoft abuses the Access Control List (ACL) permission model. A downloaded file that carries a highly restrictive ACL (e.g., “everyone deny write,writeattr,writeextattr,writesecurity,chown”) cannot have extended attributes written to it, so Safari fails to set the quarantine extended attribute on it. Because writeextattr is denied, the write of com.apple.quarantine is refused, the file is never marked as having come from the internet, and Gatekeeper is never consulted when the file is later opened.
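As an added example (not code from Microsoft’s write-up or from Apple), the following script reproduces the precondition described above on a scratch file and adds a triage check for it. The parts that touch real files assume the macOS command-line tools chmod +a, ls -le and xattr; the ls -le parser and the constructed sample listing are plain sh/awk and run anywhere:

```shell
#!/bin/sh
# Added example, not code from Microsoft's write-up or from Apple: reproduce the
# Achilles precondition on a scratch file and triage a download folder for the
# tell-tale ACL. Anything that touches xattrs or ACLs assumes macOS tools
# (chmod +a, ls -le, xattr); the ls -le parser is plain awk and runs anywhere.

# The ACL string quoted in the write-up. Denying writeextattr is the part that
# matters: it refuses any write of an extended attribute, quarantine included.
ACHILLES_ACL='everyone deny write,writeattr,writeextattr,writesecurity,chown'

# Constructed sample of `ls -le` output (not a real listing). On macOS a "+"
# after the mode bits means the entry carries an ACL, and each ACL entry is
# printed on its own indented line as "N: principal allow|deny perm,perm,...".
SAMPLE_LS_LE='total 0
drwxr-xr-x+ 3 user  staff  96 Dec 19 10:00 Installer.app
 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown
-rw-r--r--  1 user  staff   0 Dec 19 10:00 fine.zip
-rw-r--r--+ 1 user  staff   0 Dec 19 10:00 notes.txt
 0: group:everyone deny write'

# Read `ls -le` output on stdin and print each entry whose ACL contains a deny
# rule covering writeextattr. Names containing spaces are reduced to their last
# word, which is acceptable for a triage listing.
find_xattr_deny() {
    awk '
        /^[-dl]/ { name = $NF; next }   # a file, directory or symlink entry
        /^ *[0-9]+: / && $3 == "deny" && index($4, "writeextattr") { if (!seen[name]++) print name }
    '
}

# Run the parser over the constructed sample; prints the flagged name(s).
self_check() {
    printf '%s\n' "$SAMPLE_LS_LE" | find_xattr_deny
}

# macOS only: show that a file carrying the Achilles ACL cannot be tagged with
# com.apple.quarantine, which is exactly what leaves the download unchecked.
demo_achilles_acl() {
    f=$(mktemp /tmp/achilles.XXXXXX)
    chmod +a "$ACHILLES_ACL" "$f"
    ls -le "$f"
    # The quarantine value here is constructed (flags;hex time;agent;uuid);
    # the write is expected to fail with "Permission denied".
    xattr -w com.apple.quarantine '0083;63a0bd70;Safari;' "$f" \
        || echo "could not set quarantine attribute on $f (writeextattr denied)"
    rm -f "$f"
}

# macOS only: triage a directory for entries that carry the ACL or that have no
# quarantine attribute at all (either way, Gatekeeper was never consulted).
scan_downloads() {
    dir=${1:-$HOME/Downloads}
    echo "== entries whose ACL denies writeextattr =="
    ls -le "$dir" | find_xattr_deny
    echo "== entries without com.apple.quarantine =="
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        xattr -p com.apple.quarantine "$f" >/dev/null 2>&1 || echo "$f"
    done
}

# Usage on a Mac: sh achilles_check.sh ~/Downloads
if [ "$(uname 2>/dev/null)" = Darwin ] && [ $# -gt 0 ]; then
    scan_downloads "$1"
fi
```

On a Mac, running the script against a download folder lists entries whose ACL denies writeextattr and entries that carry no quarantine attribute. A missing attribute is not proof of Achilles by itself (a user can strip it with xattr -d), but a deny-writeextattr ACL on a freshly downloaded archive has no legitimate reason to be there and is worth investigating.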

In a hypothetical attack scenario, an attacker could craft such a rogue program, host it on a server, and deliver it to a target through social engineering, malicious advertising, or a watering hole.

The technique also works regardless of Lockdown Mode, the opt-in hardened configuration Apple recently added in macOS Ventura, because that mode is designed to block zero-click attacks rather than download-based bypasses of this kind; users are therefore urged to install the latest updates to reduce the risk.

Fake apps remain one of the most common initial access vectors on macOS, which is why Gatekeeper bypass techniques are attractive, even essential, for attackers.

 
