Microsoft Uncovers macOS Flaw That Let Hackers Bypass Gatekeeper Security
CVE-2022-42821 is the sixth vulnerability discovered in Gatekeeper, Apple’s tool to keep malicious apps at bay.
This week, Microsoft disclosed the details of a macOS vulnerability dubbed Achilles that Apple already fixed. Tracked as CVE-2022-42821, the vulnerability allows threat actors to bypass the Gatekeeper security protections designed to keep malicious applications at bay.
Discovered in July 2022 by Microsoft principal security researcher Jonathan Bar Or, CVE-2022-42821 (CVSS 5.5) is described as a logic flaw that can be used to circumvent Gatekeeper and deploy malware on vulnerable devices.
“Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS,” Microsoft Security Threat Intelligence wrote in a blog post.
Gatekeeper helps macOS users stay safe by verifying that applications opened on the device are signed and notarized, and therefore approved by Apple. The feature is designed to block the execution of fake app bundles, such as those masquerading as Flash Player installers or posing as documents by using PDF icons.
Any application downloaded from the web is tagged with the com.apple.quarantine extended attribute, a mechanism similar to Mark of the Web on Windows. The attribute is the cue for Gatekeeper to check the downloaded app when it is first opened; an app that fails verification is blocked from running.
As an additional safeguard, Gatekeeper also prompts the user to confirm opening a downloaded application the first time it is launched, even when it is signed and approved by Apple.
CVE-2022-42821 lets attackers bypass Gatekeeper by shipping a specially crafted payload whose files carry a restrictive Access Control List (ACL). The ACL prevents Safari, download managers or any other program that fetches the app from setting the com.apple.quarantine attribute on the downloaded file, so Gatekeeper is never cued to inspect it.
ACL entries grant or deny specific permissions on files and directories, including writeattr (write basic attributes), writeextattr (write extended attributes, which is where com.apple.quarantine is stored), writesecurity (change the ACL itself), chown (change the owner) and delete. An entry denying writeextattr is what stops the quarantine attribute from being written.
Microsoft named the vulnerability Achilles after the ACL abuse at its core and has published a proof of concept for CVE-2022-42821.
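The following triage helper is an added example, not Microsoft's proof of concept or any Apple tooling. It shows the check a defender would run over a Downloads folder: parse the output of `ls -le` (which on macOS prints ACL entries beneath each file) together with each file's `xattr -l` output, and flag files that carry a `deny writeextattr` ACL entry but no com.apple.quarantine attribute, the combination the Achilles technique produces. The `ls -le` and `xattr -l` output embedded below is constructed for illustration; the macOS commands named in the comments for reproducing the ACL behaviour by hand are real, but the example itself runs offline on the sample text.

```python
"""Flag downloaded files whose ACL blocks the quarantine attribute.

Added example (not Microsoft's PoC). On macOS the effect can be reproduced
by hand with built-in tools:
    chmod +a "everyone deny writeextattr" Sample.app
    xattr -w com.apple.quarantine "0083;00000000;Safari;" Sample.app  # fails
    ls -le .                                                           # shows the ACL
This script only parses such output; it does not touch the file system.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of `ls -le ~/Downloads`. macOS marks files with an
# ACL using '+' (or '@' if they also have extended attributes) and prints
# each ACL entry on its own indented line beneath the file.
SAMPLE_LS_LE = """\
total 16
-rw-r--r--@ 1 user  staff  1048576 Dec 14 10:02 Report.pdf
drwxr-xr-x+ 3 user  staff       96 Dec 14 10:05 Achilles.app
 0: group:everyone deny writeextattr,writeattr
-rw-r--r--@ 1 user  staff    52400 Dec 14 10:07 notes.txt
 0: user:alice allow read,write
"""

# Constructed sample of `xattr -l <file>` output, keyed by file name.
SAMPLE_XATTRS = {
    "Report.pdf": "com.apple.quarantine: 0083;63999e1a;Safari;0F1E2D3C-0000-4000-8000-000000000001",
    "Achilles.app": "",
    "notes.txt": "com.apple.quarantine: 0083;63999e2b;Safari;0F1E2D3C-0000-4000-8000-000000000002",
}

# A long-format directory line: mode (+ optional @/+), links, owner, group,
# size, month, day, time-or-year, then the file name.
LS_LINE = re.compile(
    r"^[-dlbcps][rwxstST-]{9}[@+]?\s+\d+\s+\S+\s+\S+\s+\d+\s+\w{3}\s+\d+\s+[\d:]+\s+(.+)$"
)
# An ACL entry line: " 0: group:everyone deny writeextattr,writeattr"
ACL_LINE = re.compile(r"^\s+\d+:\s+(\S+)\s+(allow|deny)\s+(\S+)$")

# Permissions whose denial prevents com.apple.quarantine from being written.
XATTR_WRITE_PERMS = {"writeextattr"}


@dataclass
class Entry:
    name: str
    # (principal, "allow"|"deny", set of permission names)
    acl: list = field(default_factory=list)


def parse_ls_le(text: str) -> list:
    """Group `ls -le` output into entries with their ACL lines attached."""
    entries = []
    for line in text.splitlines():
        acl = ACL_LINE.match(line)
        if acl and entries:
            principal, kind, perms = acl.groups()
            entries[-1].acl.append((principal, kind, set(perms.split(","))))
            continue
        file_line = LS_LINE.match(line)
        if file_line:
            entries.append(Entry(file_line.group(1)))
    return entries


def acl_blocks_quarantine(entry: Entry) -> bool:
    """True if any deny entry covers writing extended attributes."""
    return any(kind == "deny" and perms & XATTR_WRITE_PERMS
               for _, kind, perms in entry.acl)


def has_quarantine(xattr_output: str) -> bool:
    """True if `xattr -l` output lists com.apple.quarantine."""
    return any(line.startswith("com.apple.quarantine")
               for line in xattr_output.splitlines())


def find_suspicious(ls_output: str, xattrs: dict) -> list:
    """Names of files with a quarantine-blocking ACL and no quarantine xattr."""
    return [e.name for e in parse_ls_le(ls_output)
            if acl_blocks_quarantine(e) and not has_quarantine(xattrs.get(e.name, ""))]


if __name__ == "__main__":
    for name in find_suspicious(SAMPLE_LS_LE, SAMPLE_XATTRS):
        print(f"suspicious: {name} denies writeextattr and has no com.apple.quarantine")
```

Only `Achilles.app` is reported: it denies writeextattr to everyone and carries no quarantine attribute, whereas `Report.pdf` is quarantined and `notes.txt` only has an allow entry. A deny on writeextattr is unusual on anything a browser just downloaded, so the ACL alone is worth a second look even before checking the attribute.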
“Due to its essential role in stopping malware on macOS, Gatekeeper is a helpful and effective security feature,” Microsoft added. “However, considering there have been numerous bypass techniques targeting the security feature in the past, Gatekeeper is not bulletproof.”
CVE-2022-42821 is the sixth vulnerability discovered in Gatekeeper. Microsoft added that Apple’s Lockdown Mode feature does not protect against Achilles.
Apple has fixed the flaw in macOS 11.7.2 (Big Sur), macOS 13 (Ventura), and macOS 12.6.2 (Monterey) through an update rolled out on December 13, 2022.