Apple recently fixed a vulnerability in the macOS operating system that could be potentially exploited by a threat actor to bypass Apple’s Gatekeeper security mechanism and deploy malware on vulnerable macOS devices.

Jonathan Bar Or, Microsoft’s Principal Security Researcher, detailed Gatekeeper, the vulnerability able to bypass it, and the effects of the flaw in a security blog post published on Monday.

The research was shared by Microsoft to emphasize the importance of collaboration among researchers and the security community to improve defenses for the larger ecosystem.

Tracked as CVE-2022-42821 (dubbed Achilles), the vulnerability allows attackers to sidestep the application execution restrictions imposed by Apple’s Gatekeeper security checks, which are designed to ensure that only trusted software runs on Mac devices.

Microsoft shared the vulnerability with Apple in July 2022 through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR).

The iPhone maker addressed the Achilles vulnerability by shipping an update in macOS 13 (Ventura), macOS 12.6.2 (Monterey), and macOS 11.7.2 (Big Sur) on December 13, 2022.

“Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS,” Jonathan wrote in the blog post.

Restrictive ACLs Bypass Gatekeeper

Gatekeeper is a macOS security feature that enforces code signing and verifies downloaded applications before allowing them to run, reducing the likelihood of inadvertently executing malware.

When an app is downloaded with a browser such as Safari, the browser assigns a special extended attribute named com.apple.quarantine to the downloaded file. This attribute is later used to enforce policies such as Gatekeeper.

The current Gatekeeper design dictates the following behavior for downloaded apps:

  1. If the app is validly signed and notarized, meaning approved by Apple, then a prompt requires the user’s consent before it is launched.
  2. Otherwise, the user is informed that the app cannot be run as it’s untrusted.

“Due to its essential role in stopping malware on macOS, Gatekeeper is a helpful and effective security feature,” adds Jonathan.

“However, considering there have been numerous bypass techniques targeting the security feature in the past, Gatekeeper is not bulletproof. Gaining the ability to bypass Gatekeeper has dire implications as sometimes malware authors leverage those techniques for initial access.”

To demonstrate the Achilles vulnerability, Microsoft developed a proof-of-concept (POC) that examined AppleDouble files misusing ACLs.

For those unaware, AppleDouble is a file format that stores a file’s metadata in a separate file placed next to the original, with a “._” prefix.

The company decided to add very restrictive ACLs to the downloaded files, which prohibited Safari (or any other program) from setting new extended attributes, including the com.apple.quarantine attribute. Since Gatekeeper relies on that attribute to identify downloaded files, a file that never receives it is never subjected to the check.

To carry out the POC, Microsoft created a fake directory structure with an arbitrary icon and payload.

The Redmond giant then created an AppleDouble file with the com.apple.acl.text extended attribute key and a value representing a restrictive ACL, the equivalent of “everyone deny write,writeattr,writeextattr,writesecurity,chown”. If ditto is used to generate the AppleDouble file, the correct AppleDouble patching must be performed.

Lastly, it archived the malicious app together with its AppleDouble file and hosted the archive on a web server.

As a result, the malicious app was not blocked by Gatekeeper when downloaded, allowing attackers to deploy malware.
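A defender triaging archives or web downloads can inspect “._” sidecars for the pattern described above before anything is extracted. The following added example (not Microsoft’s or Apple’s code) parses the extended attributes macOS stores inside an AppleDouble file and flags an ACL that denies writeextattr; the sidecar bytes and ACL text are constructed fixtures, and the ACL line only approximates the real com.apple.acl.text syntax.

```python
import struct

# AppleDouble v2 header constants (layout as written by macOS).
ADH_MAGIC, ADH_VERSION, ENTRY_FINDER_INFO, ATTR_MAGIC = 0x00051607, 0x00020000, 9, b"ATTR"

def parse_appledouble_xattrs(blob):
    """Return {name: value} for the xattrs stored in a '._' sidecar. macOS keeps
    them inside the Finder Info entry: 32 bytes FinderInfo, 2 pad bytes, then an
    'ATTR' header (36 bytes) followed by 4-byte-aligned attr_entry records."""
    magic, version, count = struct.unpack_from(">II16xH", blob, 0)
    if magic != ADH_MAGIC or version != ADH_VERSION:
        raise ValueError("not an AppleDouble v2 file")
    xattrs = {}
    for i in range(count):
        entry_id, offset, length = struct.unpack_from(">III", blob, 26 + 12 * i)
        hdr = offset + 34                      # skip FinderInfo + pad
        if entry_id != ENTRY_FINDER_INFO or length < 70 or blob[hdr:hdr + 4] != ATTR_MAGIC:
            continue                           # no xattr table in this entry
        num_attrs = struct.unpack_from(">H", blob, hdr + 34)[0]
        pos = hdr + 36                         # first attr_entry record
        for _ in range(num_attrs):
            data_off, data_len, _flags, namelen = struct.unpack_from(">IIHB", blob, pos)
            name = blob[pos + 11:pos + 11 + namelen].rstrip(b"\0").decode()
            xattrs[name] = bytes(blob[data_off:data_off + data_len])
            pos += (11 + namelen + 3) & ~3     # ATTR_ENTRY_LENGTH(namelen)
    return xattrs

def achilles_indicators(xattrs):
    """Flag the Achilles pattern: a stored ACL that denies writeextattr, which
    would stop a browser from adding com.apple.quarantine after download."""
    acl = xattrs.get("com.apple.acl.text", b"").decode(errors="replace").lower()
    return {"has_quarantine": "com.apple.quarantine" in xattrs,
            "acl_denies_xattr_write": "deny" in acl and "writeextattr" in acl}

def constructed_sidecar(acl_text):
    """Constructed test fixture only: a minimal '._' file carrying one xattr."""
    name = b"com.apple.acl.text\0"
    entry_len = (11 + len(name) + 3) & ~3
    data_start = 84 + 36 + entry_len           # 50 (ADH) + 34 (finfo/pad) + hdr + entry
    finfo_len = data_start + len(acl_text) - 50
    adh = struct.pack(">II16xH", ADH_MAGIC, ADH_VERSION, 2)
    adh += struct.pack(">III", ENTRY_FINDER_INFO, 50, finfo_len)
    adh += struct.pack(">III", 2, 50 + finfo_len, 0)   # empty resource fork entry
    attr_hdr = struct.pack(">4sIIII12xHH", ATTR_MAGIC, 0, finfo_len, data_start, len(acl_text), 0, 1)
    entry = struct.pack(">IIHB", data_start, len(acl_text), 0, len(name)) + name
    return adh + b"\0" * 34 + attr_hdr + entry.ljust(entry_len, b"\0") + acl_text

# Constructed ACL text in the "everyone deny ..." form the Achilles PoC used.
SAMPLE_ACL = b"!#acl 1\ngroup:everyone:12:deny:write,writeattr,writeextattr,writesecurity,chown\n"
SAMPLE = constructed_sidecar(SAMPLE_ACL)

if __name__ == "__main__":
    print(achilles_indicators(parse_appledouble_xattrs(SAMPLE)))
```

On a live macOS system the same check can be run against a downloaded file directly by feeding `achilles_indicators` a dict built from `os.listxattr` and `os.getxattr`.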

“Apple’s Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles,” the Microsoft Security Threat Intelligence team said on Monday.

“End-users should apply the fix regardless of their Lockdown Mode status.”