
macOS Gatekeeper Security Bypass

Apple is beginning to look like Microsoft. I remember when, in the old days, we all thought Apple software was secure. It is still good, but clearly, it is far from perfect.

Apple’s Gatekeeper is supposed to make sure that only apps signed with Apple-approved certificates can run on a Mac.

In theory, if Gatekeeper can’t validate that it was signed by an approved source, then the user will get a pop-up when trying to run the app.

BUT!

When you download an app with a browser like Safari, the browser quarantines that app until Gatekeeper can validate the signature. It does that by setting an extended attribute called com.apple.quarantine on the downloaded file.

When you run a program, macOS looks for that attribute, and if it sees it, it validates that the signature is good before the app launches.

But since Apple is acting like Microsoft these days, some customer needed to be able to assign arbitrary attributes to a downloaded file, so Apple created a way to do that. Instead of saying no.

One of these special attributes that a downloader can add is “don’t allow anyone to add any extended attributes.” Which includes Safari. Which means that it can’t quarantine the download. Which means macOS happily runs the malicious app with no warning.
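A quick way to check a downloaded file for the two conditions described above (no quarantine attribute, and an ACL that denies writing extended attributes). This is an added example, not code from the alert or from Apple or Microsoft; it assumes macOS `xattr -l` and `ls -le` output formats, and the sample output at the bottom is constructed rather than captured from a real system.

```shell
#!/bin/sh
# Added example: audit a download for the Achilles conditions.
# The parsing functions take command output as text so they can be
# exercised with constructed samples; audit_file wires them to the
# real macOS commands.

# Returns 0 if the `xattr -l` listing contains com.apple.quarantine.
has_quarantine_attr() {
    printf '%s\n' "$1" | grep -q '^com\.apple\.quarantine:'
}

# Returns 0 if the `ls -le` ACL listing has a deny entry covering
# writeextattr, which stops the browser from setting the quarantine flag.
acl_denies_xattr_write() {
    printf '%s\n' "$1" | grep -Eq '^ *[0-9]+: .* deny .*writeextattr'
}

# Classify a download from its xattr listing and ACL listing.
classify_download() {
    xattr_out=$1
    acl_out=$2
    if has_quarantine_attr "$xattr_out"; then
        echo QUARANTINED
    elif acl_denies_xattr_write "$acl_out"; then
        echo SUSPICIOUS_ACL_BLOCKS_QUARANTINE
    else
        echo NOT_QUARANTINED
    fi
}

# Live wrapper for macOS: audit_file /path/to/download
audit_file() {
    classify_download "$(xattr -l "$1" 2>/dev/null)" "$(ls -le "$1" 2>/dev/null)"
}

# Constructed sample output (assumed formats, not from a real system).
SAMPLE_XATTR_OK='com.apple.quarantine: 0083;63a1f2b5;Safari;01234567-89AB-CDEF-0123-456789ABCDEF'
SAMPLE_ACL_BLOCKED='-rw-r--r--+ 1 user  staff  1024 Dec 13 10:00 app.zip
 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown'
```

A result of SUSPICIOUS_ACL_BLOCKS_QUARANTINE on a fresh browser download is the pattern to look for; a plain NOT_QUARANTINED can also be normal for files that did not come through a quarantine-aware app.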

Microsoft calls this vulnerability Achilles – because why not gig Apple. After all, Microsoft’s code is pristine and pure. No, I am not on drugs.

What is also interesting is that Apple’s “lockdown mode”, which is supposed to stop state-sponsored terrorism, won’t detect this either.

In theory, this bug is fixed in Monterey 12.6.2 and Big Sur 11.7.2.

But if Apple is following in Microsoft’s footsteps, they may have patched the symptom and not really fixed the problem. If so, expect it to be back.

For more details, the CVE number is 2022-42821. While that doesn’t necessarily mean that there have been 42,000+ bugs reported this year, it is certainly indicative of that. Up until a few years ago, CVE numbers were only 4 digits (less than 10,000), and there were always a lot of numbers left over at the end of the year.

At least you can and should patch it, but don’t assume it is really fixed just yet.

For more info:

NIST CVE Database: https://nvd.nist.gov/vuln/detail/CVE-2022-42821

Dark Reading: https://www.darkreading.com/vulnerabilities-threats/microsoft-warns-on-achilles-macos-gatekeeper-bypass