The macOS operating system was fixed recently by Apple to eliminate a vulnerability found and reported by the principal security researcher of Microsoft, it could be exploited by attackers to install malware.

Untrusted applications with the capability of bypassing Gatekeeper application execution restrictions could be used to exploit this vulnerability. This security flaw has been named Achilles and assigned the CVE-2022-42821 designation.

It was on December 13 that Apple addressed the bug and made it available to users with the following versions of macOS:-

• macOS13 (Ventura)
• macOS 12.6.2 (Monterey)
• macOS 1.7.2 (Big Sur)

Flaw profile

• CVE ID: CVE-2022-42821
• Description: It’s a logic issue.
• CVSS Score: 5.5 
• Severity: MEDIUM

Gatekeeper Security Bypassing

Apps downloaded from the Internet are automatically checked by Gatekeeper on macOS. When the app can’t be trusted, the user is prompted to confirm or an alert is displayed that the app is untrustworthy before it can be launched.

Gatekeeper has been recognized as one of the most useful and effective security features on macOS as a result of its role as a countermeasure against malware.

It is worth considering, however, that Gatekeeper, in spite of being bulletproof, has been found vulnerable to numerous bypass techniques in the past.

An extension attribute named com.apple.quarantine is associated with all downloaded files in web browsers, very similar to the Mark of the Web in Windows, that identifies files that will be quarantined.

A logic error present in the Access Control List (ACL) can be exploited by specially-crafted payloads to set restrictive permissions on a computer system due to the Achilles flaw. 

As a result, a web browser or internet downloader that downloads a payload archived as a ZIP file will not be able to set the com.apple[.]quarantine attribute.

In the case of an archived malicious payload, the malicious application contained within the archive is launched on the target’s computer as a result. It is through this method that attackers can download and deploy malware instead of being blocked by Gatekeeper.

Gatekeeper Bypass Vulnerabilities

During the last several years, a number of Gatekeeper bypass vulnerabilities were discovered, and the following are some examples:-

• CVE-2022-22616: Assignment of the quarantine attribute.
• CVE-2021-1810: Assignment of the quarantine attribute.
• CVE-2021-30657: Component(s) that enforce policy checks.
• CVE-2021-30853: Component(s) that enforce policy checks.
• CVE-2019-8656: Assignment of the quarantine attribute.
• CVE-2014-8826: Component(s) that enforce policy checks.

A variety of threats and attack capabilities are continually emerging in the threat landscape. Using this rapidly evolving threat scenario, malicious actors are able to gain access to systems and data on a computer system using unpatched vulnerabilities and misconfigurations.

There is no doubt that fake apps remain a significant vector for entry into macOS systems. Gatekeeper bypass techniques are becoming more and more attractive to threat actors, as attacks become more sophisticated, and they are even being considered necessities by malicious actors.

A case like this illustrates the importance of responsible vulnerability disclosures as well as collaboration across different platforms. By doing so, various issues can be addressed effectively, protecting users from potential threats in the future as well as in the present.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book