Mac Gatekeeper bypass vulnerability fixed by Apple after discovery by Microsoft researchers

Tuesday, December 20, 2022 7:30 PM


A serious Mac Gatekeeper bypass vulnerability has been fixed by Apple, after it was discovered and reported by security researchers at Microsoft.

The flaw allowed malware to bypass Gatekeeper checks. Notably, the vulnerability even affected Macs running in ultra-safe Lockdown Mode …

Gatekeeper

Gatekeeper is a security feature built into macOS. When you attempt to run a new Mac app for the first time, Gatekeeper checks to see whether it has been notarized by Apple as coming from a recognized developer.

There are three user-selectable Gatekeeper settings:

  • Allow only those apps downloaded from the Mac App Store
  • Also allow those signed by certified Apple developers
  • Allow all apps

(Current and recent versions of macOS hide the third option, ensuring it cannot be selected inadvertently.)

When a new app is downloaded from the web, an attribute called com.apple.quarantine is assigned to the file, which is the signal for Gatekeeper to check it on opening.

Mac Gatekeeper bypass vulnerability

Bleeping Computer reports that a macOS flaw allowed an attacker to prevent the com.apple.quarantine attribute from being assigned to the file, meaning that it wouldn’t trigger the Gatekeeper check when opened.

The Achilles flaw allows specially-crafted payloads to abuse a logic issue to set restrictive Access Control List (ACL) permissions that block web browsers and Internet downloaders from setting the com.apple.quarantine attribute for the downloaded payload archived as a ZIP file.

As a result, the malicious app contained within the archived malicious payload launches on the target’s system instead of getting blocked by Gatekeeper, allowing attackers to download and deploy malware.
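The two signals described above, the com.apple.quarantine attribute that tells Gatekeeper to check a file and an ACL that stops a downloader from writing that attribute, can both be inspected from the command line. The following is an added example, not code from the article, Apple or Microsoft: a small Python audit that parses the text macOS tools print (`xattr -p com.apple.quarantine FILE` and `ls -le FILE`) and reports, per file, whether it is quarantined, unquarantined, or unquarantined with an ACL entry denying `writeextattr`. It assumes the four-field layout of the quarantine value (hex flags, hex Unix timestamp, agent name, UUID) and the `ls -le` ACL line format; the exact ACL used by Achilles is not stated on this page, so the check treats any `deny` entry containing `writeextattr` as suspicious. The sample inputs are constructed, so the parsing runs anywhere; only `audit_path()` shells out and is meant for macOS.

```python
"""Audit files for Gatekeeper-relevant state: quarantine attribute and
ACL entries that deny writing extended attributes.  Added example; the
quarantine value layout and `ls -le` format are assumptions noted above."""
import re
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed shape of an ACL line printed by macOS `ls -le` beneath a file:
#   " 0: group:everyone deny writeattr,writeextattr"
ACL_LINE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(allow|deny)\s+(\S+)\s*$")

# Constructed sample inputs (not captured from a real incident).
SAMPLE_QUARANTINE = "0083;63a1e2f3;Safari;00000000-0000-0000-0000-000000000000"
SAMPLE_LS_LE_CLEAN = "-rw-r--r--  1 alice  staff  4096 Dec 20 16:29 report.pdf\n"
SAMPLE_LS_LE_DENY = ("-rw-r--r--+ 1 alice  staff  4096 Dec 20 16:29 payload.app\n"
                     " 0: group:everyone deny writeattr,writeextattr\n")


@dataclass
class AclEntry:
    index: int
    principal: str   # e.g. "group:everyone" or "user:alice"
    kind: str        # "allow" or "deny"
    perms: tuple     # e.g. ("writeattr", "writeextattr")


def parse_acl(ls_le_output: str) -> list:
    """Extract ACL entries from the text `ls -le FILE` prints."""
    entries = []
    for line in ls_le_output.splitlines():
        m = ACL_LINE.match(line)
        if m:
            entries.append(AclEntry(int(m.group(1)), m.group(2), m.group(3),
                                    tuple(m.group(4).split(","))))
    return entries


def blocks_xattr_write(entries) -> bool:
    """True if any ACL entry denies writing extended attributes, which is
    what keeps a browser from tagging the file with com.apple.quarantine."""
    return any(e.kind == "deny" and "writeextattr" in e.perms for e in entries)


def parse_quarantine(value: str) -> dict:
    """Split a com.apple.quarantine value into its assumed four fields:
    hex flags, hex Unix timestamp, agent name, UUID.  Returns {} if the
    value does not fit that layout."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        return {}
    try:
        flags = int(parts[0], 16)
        stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    except ValueError:
        return {}
    return {"flags": flags, "timestamp": stamp, "agent": parts[2],
            "uuid": parts[3] if len(parts) > 3 else ""}


def classify(quarantine_value, ls_le_output: str) -> str:
    """One verdict per file from the two pieces of tool output."""
    entries = parse_acl(ls_le_output)
    if quarantine_value is not None and parse_quarantine(quarantine_value):
        return "quarantined"
    if blocks_xattr_write(entries):
        return "unquarantined: ACL denies writeextattr"
    return "unquarantined"


def audit_path(path: str) -> str:
    """Run the two macOS commands for one file and classify the result."""
    if sys.platform != "darwin":
        raise RuntimeError("audit_path needs macOS `xattr` and `ls -le`")
    q = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                       capture_output=True, text=True)
    value = q.stdout if q.returncode == 0 else None   # non-zero: no attribute
    ls = subprocess.run(["ls", "-le", path], capture_output=True, text=True)
    return classify(value, ls.stdout)


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(f"{p}: {audit_path(p)}")
```

Run it as `python3 audit.py ~/Downloads/*` on a Mac; on other systems the parsing functions can still be exercised against captured tool output. A file reported as "unquarantined: ACL denies writeextattr" is worth a closer look, because a legitimately downloaded file normally carries the quarantine attribute and has no reason to forbid writing extended attributes.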

Notably, Lockdown Mode did not protect against the vulnerability.

Microsoft said on Monday that “Apple’s Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles.”

As ever, it’s recommended to keep your Mac and other Apple devices fully updated. If you don’t want to update to Ventura, Apple offers the option to update to the latest (and most secure) version of earlier macOSes.

Apple is currently testing a new Rapid Security Response feature for both Mac and iOS devices, which will allow it to quickly patch security vulnerabilities like this without the need for a full OS update.