Microsoft has published details of a now-fixed security flaw in Apple’s macOS that could be used by an attacker to circumvent the measures in place to prevent malicious software from running.
The flaw, tracked as CVE-2022-42821 (CVSS score: ), has been dubbed Achilles. Apple addressed it in macOS Ventura 13, Monterey 12.6.2, and Big Sur 11.7.2, describing it as a logic flaw that an app could use to get around Gatekeeper checks.
Jonathan Bar Or of the Microsoft 365 Defender Research Team stated, “Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS.”
Gatekeeper is a security feature that ensures only trusted applications run on the operating system. It is enforced by tagging files downloaded from the internet with an extended attribute known as “com.apple.quarantine,” comparable to Windows’ Mark of the Web (MotW) flag.
As a result, when an unsuspecting user downloads a potentially harmful app that impersonates legitimate software, Gatekeeper prevents it from running because the app has not been properly signed and notarized by Apple.
Even for an app that Apple has approved, users are prompted for their explicit consent the first time it is launched.
Given the crucial role Gatekeeper plays in macOS, it is not hard to imagine the consequences of bypassing this barrier: it could effectively permit threat actors to deploy malware on affected machines.
The Achilles flaw, discovered by Microsoft, takes advantage of the Access Control List (ACL) model to add extremely restrictive permissions to a downloaded file (such as “everyone deny write,writeattr,writeextattr,writesecurity,chown”), which prevents Safari from setting the quarantine extended attribute on it.
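The two mechanisms described above (the quarantine extended attribute and a deny ACL that stops it from being written) can be checked for on an endpoint. The following script is an added example for defenders; it is not Microsoft's or Apple's code. It parses the text that macOS `ls -le` prints (one ACL entry per line after each file) together with a per-file list of extended-attribute names as `xattr` lists them, and reports downloaded files that carry an "everyone deny" entry covering writeextattr or writeattr but lack com.apple.quarantine. The directory listing and attribute names below are constructed sample data, and the file names in them are hypothetical.

```python
"""Flag files whose ACL could have blocked the com.apple.quarantine xattr.

Added detection example (not Microsoft's or Apple's code). Input is the text
form of `ls -le` output and a mapping of file name -> xattr names, so the
logic runs offline on the constructed sample below.
"""
import re
from dataclasses import dataclass, field

QUARANTINE_XATTR = "com.apple.quarantine"
# Rights that, when denied to everyone, prevent writing an extended attribute.
SUSPICIOUS_DENIED = {"writeextattr", "writeattr"}

# Constructed sample of `ls -le` output for a Downloads folder.
# '@' in the mode column means the file has xattrs, '+' means it has an ACL.
SAMPLE_LS_LE = """\
total 24
-rw-r--r--@ 1 alice  staff  2048 Dec 20 10:02 Installer.dmg
-rw-r--r--+ 1 alice  staff  4096 Dec 20 10:05 Achilles.app.zip
 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown
-rw-r--r--+ 1 alice  staff   512 Dec 20 10:07 local-notes.txt
 0: user:alice allow read,write
-rw-r--r--@ 1 alice  staff   640 Dec 20 10:09 report.pdf
"""

# Constructed per-file xattr names (what `xattr <file>` would list).
SAMPLE_XATTRS = {
    "Installer.dmg": ["com.apple.quarantine", "com.apple.metadata:kMDItemWhereFroms"],
    "Achilles.app.zip": [],
    "local-notes.txt": [],          # created locally, never quarantined: benign
    "report.pdf": ["com.apple.quarantine"],
}

# ACL entry line, e.g. " 0: group:everyone deny write,writeattr"
ACL_LINE = re.compile(
    r"^\s*\d+:\s+(?P<principal>\S+)\s+(?P<kind>allow|deny)\s+(?P<rights>\S+)$"
)


@dataclass
class FileEntry:
    name: str
    acl: list = field(default_factory=list)  # (principal, kind, set(rights))


def parse_ls_le(text):
    """Turn `ls -le` output into FileEntry objects with their ACL entries."""
    entries = []
    for line in text.splitlines():
        m = ACL_LINE.match(line)
        if m and entries:
            # ACL lines belong to the most recently listed file.
            entries[-1].acl.append(
                (m["principal"], m["kind"], set(m["rights"].split(",")))
            )
            continue
        if line.startswith("total") or not line.strip():
            continue
        # mode, links, owner, group, size, month, day, time, name (name may contain spaces)
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        entries.append(FileEntry(name=parts[8]))
    return entries


def blocks_quarantine(entry):
    """True if a deny entry for everyone covers a right needed to set an xattr."""
    return any(
        principal == "group:everyone" and kind == "deny" and rights & SUSPICIOUS_DENIED
        for principal, kind, rights in entry.acl
    )


def assess(ls_le_text, xattrs_by_name):
    """Return names of files that have a quarantine-blocking ACL and no quarantine xattr."""
    findings = []
    for entry in parse_ls_le(ls_le_text):
        names = xattrs_by_name.get(entry.name, [])
        if blocks_quarantine(entry) and QUARANTINE_XATTR not in names:
            findings.append(entry.name)
    return findings


if __name__ == "__main__":
    for name in assess(SAMPLE_LS_LE, SAMPLE_XATTRS):
        print(f"suspicious: {name} has an everyone-deny ACL and no {QUARANTINE_XATTR}")
```

On a real Mac the two inputs come from `ls -le ~/Downloads` and `xattr <file>`; a file that lacks the quarantine attribute is not suspicious by itself (locally created files never had one), which is why the check requires both the deny ACL and the missing attribute before reporting.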
In a hypothetical attack, an adversary could use this method to create a malicious app and host it on a server, then distribute it to a potential target through social engineering, malicious advertisements, or a bar.
The approach also bypasses Apple’s recently introduced Lockdown Mode in macOS Ventura, an opt-in restrictive setting intended to combat zero-click exploits that requires users to install the most recent security updates.
According to Bar Or, “Fake apps remain one of the top entry vectors on macOS,” which indicates that “Gatekeeper bypass techniques are an attractive and even a necessary capability for adversaries to leverage in attacks.”