
Microsoft uncovers Apple macOS Gatekeeper vulnerability

The Microsoft Security team recently announced it has uncovered and shared with Apple an important vulnerability in its Gatekeeper security technology.

Reporter
Wed, 28 Dec 2022

Amusingly dubbed “Achilles” by the Microsoft researchers, the vulnerability allows malicious actors to bypass Gatekeeper entirely and is considered a significant threat to Mac security.

Gatekeeper, first introduced in macOS in 2012, quarantines and then verifies any downloaded software. It is based on Apple’s older File Quarantine feature, which was itself released in Mac OS X 10.5 Leopard in 2007.

While studying previous Gatekeeper vulnerabilities, Microsoft researchers found a new way to bypass the feature. They used the macOS Access Control Lists (ACLs) feature to restrict what a program could do with a file, including setting the com.apple.quarantine extended attribute on it, so the download never receives the quarantine flag that Gatekeeper relies on.

Using this technique, Microsoft researchers demonstrated the following in a proof of concept:

  1. Create a fake directory structure, including an arbitrary icon and payload.
  2. Create an AppleDouble file with the com.apple.acl.text extended attribute key and a value that represents a restrictive ACL.
  3. Create an archive with the application alongside its AppleDouble file and host it on a web server.
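A defender-side counterpart to the steps above, added here as an example and not part of the article or of Microsoft's proof of concept: a small triage script that lists files in a download folder which lack the com.apple.quarantine attribute while carrying a stored com.apple.acl.text ACL with a deny entry (the "deny" heuristic and the sample attribute values are assumptions of this example; the on-disk reader assumes macOS's xattr command-line tool).

```python
import subprocess
from pathlib import Path
from typing import Dict, List

# Extended attribute names taken from the article.
QUARANTINE_ATTR = "com.apple.quarantine"
ACL_ATTR = "com.apple.acl.text"


def classify(xattrs: Dict[str, str]) -> str:
    """Classify one file from a mapping of extended-attribute name -> value."""
    if QUARANTINE_ATTR in xattrs:
        return "quarantined"  # Gatekeeper will assess this file on first launch
    acl = xattrs.get(ACL_ATTR, "")
    # Assumed heuristic: an unquarantined download that also carries a stored
    # ACL with a deny entry matches the shape the Achilles proof of concept used.
    if "deny" in acl.lower():
        return "suspicious"
    return "unquarantined"


def triage(listing: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket paths by classification; listing maps path -> {attr: value}."""
    buckets: Dict[str, List[str]] = {"quarantined": [], "suspicious": [], "unquarantined": []}
    for path, xattrs in listing.items():
        buckets[classify(xattrs)].append(path)
    return buckets


def read_xattrs(path: Path) -> Dict[str, str]:
    """Read attributes via xattr(1); CPython's os module has no xattr calls on macOS."""
    names = subprocess.run(["xattr", str(path)], capture_output=True, text=True).stdout.split()
    values = {}
    for name in names:
        res = subprocess.run(["xattr", "-p", name, str(path)], capture_output=True, text=True)
        values[name] = res.stdout.strip()
    return values


def scan(root: str) -> Dict[str, List[str]]:
    """Triage every top-level item under root (for example ~/Downloads)."""
    return triage({str(p): read_xattrs(p) for p in Path(root).iterdir()})


# Constructed sample listing (not real scan output) so the triage runs offline.
SAMPLE_LISTING = {
    "Downloads/Installer.app": {QUARANTINE_ATTR: "constructed-quarantine-value"},
    "Downloads/Achilles.app": {ACL_ATTR: "constructed: group:everyone deny write"},
    "Downloads/notes.txt": {},
}

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_LISTING).items():
        print(f"{bucket}: {paths}")
```

Run `scan("/Users/<you>/Downloads")` on a Mac to triage real files; anything in the "suspicious" bucket deserves a manual look before it is opened.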

Jonathan Bar Or of the Microsoft 365 Defender Research Team said on the Microsoft Security blog that the vulnerability shows the importance of continuing research and sharing findings between companies in the space.

“Our data shows that fake apps remain one of the top entry vectors on macOS, indicating Gatekeeper bypass techniques are an attractive and even a necessary capability for adversaries to leverage in attacks,” Bar Or said. “Nonetheless, through research-driven protections and collaboration with customers, partners, and industry experts, we strive to enrich our protection technologies to defend against such issues — regardless of the platform or device in use.

“This case also emphasised the need for responsible vulnerability disclosures and expert cross-platform collaboration to effectively mitigate issues, protecting users against present and future threats. We wish to again thank the Apple product security team for their efforts and responsiveness in addressing the issue.”

Once the researchers had confirmed their proof of concept, it was shared with Apple, and the vulnerability has been addressed in macOS Big Sur 11.7.2, macOS Monterey 12.6.2, and macOS Ventura 13.
