Friday, July 19, 2024

Microsoft Discovered a Vulnerability in macOS That Allow Attackers to Install Malware

The macOS operating system was fixed recently by Apple to eliminate a vulnerability found and reported by the principal security researcher of Microsoft, it could be exploited by attackers to install malware.

Untrusted applications with the capability of bypassing Gatekeeper application execution restrictions could be used to exploit this vulnerability. This security flaw has been named Achilles and assigned the CVE-2022-42821 designation.

It was on December 13 that Apple addressed the bug and made it available to users with the following versions of macOS:-

  • macOS13 (Ventura)
  • macOS 12.6.2 (Monterey)
  • macOS 1.7.2 (Big Sur)

Flaw profile

  • CVE ID: CVE-2022-42821
  • Description: It’s a logic issue.
  • CVSS Score: 5.5 
  • Severity: MEDIUM

Gatekeeper Security Bypassing

Apps downloaded from the Internet are automatically checked by Gatekeeper on macOS. When the app can’t be trusted, the user is prompted to confirm or an alert is displayed that the app is untrustworthy before it can be launched.

Gatekeeper on macOS

Gatekeeper has been recognized as one of the most useful and effective security features on macOS as a result of its role as a countermeasure against malware.

It is worth considering, however, that Gatekeeper, in spite of being bulletproof, has been found vulnerable to numerous bypass techniques in the past.

An extension attribute named is associated with all downloaded files in web browsers, very similar to the Mark of the Web in Windows, that identifies files that will be quarantined.

A logic error present in the Access Control List (ACL) can be exploited by specially-crafted payloads to set restrictive permissions on a computer system due to the Achilles flaw. 

As a result, a web browser or internet downloader that downloads a payload archived as a ZIP file will not be able to set the[.]quarantine attribute.

In the case of an archived malicious payload, the malicious application contained within the archive is launched on the target’s computer as a result. It is through this method that attackers can download and deploy malware instead of being blocked by Gatekeeper.

Gatekeeper Bypass Vulnerabilities

During the last several years, a number of Gatekeeper bypass vulnerabilities were discovered, and the following are some examples:-

  • CVE-2022-22616: Assignment of the quarantine attribute.
  • CVE-2021-1810: Assignment of the quarantine attribute.
  • CVE-2021-30657: Component(s) that enforce policy checks.
  • CVE-2021-30853: Component(s) that enforce policy checks.
  • CVE-2019-8656: Assignment of the quarantine attribute.
  • CVE-2014-8826: Component(s) that enforce policy checks.

A variety of threats and attack capabilities are continually emerging in the threat landscape. Using this rapidly evolving threat scenario, malicious actors are able to gain access to systems and data on a computer system using unpatched vulnerabilities and misconfigurations.

There is no doubt that fake apps remain a significant vector for entry into macOS systems. Gatekeeper bypass techniques are becoming more and more attractive to threat actors, as attacks become more sophisticated, and they are even being considered necessities by malicious actors.

A case like this illustrates the importance of responsible vulnerability disclosures as well as collaboration across different platforms. By doing so, various issues can be addressed effectively, protecting users from potential threats in the future as well as in the present.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles