Categories: Cyber Security News

Microsoft Discovered a Vulnerability in macOS That Allow Attackers to Install Malware

The macOS operating system was fixed recently by Apple to eliminate a vulnerability found and reported by the principal security researcher of Microsoft, it could be exploited by attackers to install malware.

Untrusted applications with the capability of bypassing Gatekeeper application execution restrictions could be used to exploit this vulnerability. This security flaw has been named Achilles and assigned the CVE-2022-42821 designation.

It was on December 13 that Apple addressed the bug and made it available to users with the following versions of macOS:-

  • macOS13 (Ventura)
  • macOS 12.6.2 (Monterey)
  • macOS 1.7.2 (Big Sur)

Flaw profile

  • CVE ID: CVE-2022-42821
  • Description: It’s a logic issue.
  • CVSS Score: 5.5
  • Severity: MEDIUM

Gatekeeper Security Bypassing

Apps downloaded from the Internet are automatically checked by Gatekeeper on macOS. When the app can’t be trusted, the user is prompted to confirm or an alert is displayed that the app is untrustworthy before it can be launched.

Gatekeeper on macOS

Gatekeeper has been recognized as one of the most useful and effective security features on macOS as a result of its role as a countermeasure against malware.

It is worth considering, however, that Gatekeeper, in spite of being bulletproof, has been found vulnerable to numerous bypass techniques in the past.

An extension attribute named com.apple.quarantine is associated with all downloaded files in web browsers, very similar to the Mark of the Web in Windows, that identifies files that will be quarantined.

A logic error present in the Access Control List (ACL) can be exploited by specially-crafted payloads to set restrictive permissions on a computer system due to the Achilles flaw. 

As a result, a web browser or internet downloader that downloads a payload archived as a ZIP file will not be able to set the com.apple[.]quarantine attribute.

In the case of an archived malicious payload, the malicious application contained within the archive is launched on the target’s computer as a result. It is through this method that attackers can download and deploy malware instead of being blocked by Gatekeeper.

Gatekeeper Bypass Vulnerabilities

During the last several years, a number of Gatekeeper bypass vulnerabilities were discovered, and the following are some examples:-

  • CVE-2022-22616: Assignment of the quarantine attribute.
  • CVE-2021-1810: Assignment of the quarantine attribute.
  • CVE-2021-30657: Component(s) that enforce policy checks.
  • CVE-2021-30853: Component(s) that enforce policy checks.
  • CVE-2019-8656: Assignment of the quarantine attribute.
  • CVE-2014-8826: Component(s) that enforce policy checks.

A variety of threats and attack capabilities are continually emerging in the threat landscape. Using this rapidly evolving threat scenario, malicious actors are able to gain access to systems and data on a computer system using unpatched vulnerabilities and misconfigurations.

There is no doubt that fake apps remain a significant vector for entry into macOS systems. Gatekeeper bypass techniques are becoming more and more attractive to threat actors, as attacks become more sophisticated, and they are even being considered necessities by malicious actors.

A case like this illustrates the importance of responsible vulnerability disclosures as well as collaboration across different platforms. By doing so, various issues can be addressed effectively, protecting users from potential threats in the future as well as in the present.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…

5 hours ago

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…

6 hours ago

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…

6 hours ago

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…

6 hours ago

New Windows Zero-Day Vulnerability Let Attackers Steal Credentials From Victim’s Machine

A security researcher discovered a vulnerability in Windows theme files in the previous year, which…

6 hours ago

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…

6 hours ago