Microsoft Warns on Achilles macOS Gatekeeper Bypass

Published: 23/11/2024   Category: security




The latest bypass of Apple's application-safety feature could allow attackers to run unvetted applications on Macs.



A bypass vulnerability in Apple's Gatekeeper mechanism for macOS could allow cyberattackers to execute malicious applications on target Macs, regardless of whether Lockdown Mode is enabled.
Among the details on the bug (CVE-2022-42821), which Microsoft dubbed Achilles, is the fact that researchers were able to craft a working exploit using the Access Control List (ACL) mechanism in macOS, which allows fine-grained permissioning on files and directories.
Apple Gatekeeper is a security mechanism designed to ensure that only trusted apps run on Mac devices, i.e., those that are signed by a valid developer certificate and notarized by Apple. If the software can't be validated by Gatekeeper, the user gets a blocking pop-up explaining that the app can't be executed.
In theory, this mitigates the threat of malicious sideloaded applications that users might accidentally download from pirate sites or third-party app stores. The issue, though, is that bad actors have devoted quite a bit of time to finding bypass avenues for the feature, Microsoft researchers noted, as shown by previously exploited vulnerabilities such as CVE-2022-22616, CVE-2022-32910, CVE-2021-1810, CVE-2021-30657, CVE-2021-30853, CVE-2019-8656, and CVE-2014-8826.
And no wonder: "Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS," Microsoft researchers warned in an advisory issued this week. "Our data shows that fake apps remain one of the top entry vectors on macOS, indicating Gatekeeper bypass techniques are an attractive and even a necessary capability for adversaries to leverage in attacks."
Building on details surrounding CVE-2021-1810, Microsoft researchers set out to create a new bypass, which they managed to do by attaching restrictive permission rules to malicious files via the ACL mechanism.
Apple employs a quarantine mechanism for downloaded apps, according to the advisory: when a file is downloaded with a browser such as Safari, the browser assigns a special extended attribute to the downloaded file. That attribute is named com.apple.quarantine and is later used to enforce policies such as Gatekeeper.
However, macOS also supports a special extended attribute named com.apple.acl.text, which is used to set arbitrary ACLs on a file.
"Each ACL has one or more Access Control Entries (ACEs) that dictate what each principal can or cannot do, much like firewall rules," Microsoft researchers explained. "Equipped with this information, we decided to add very restrictive ACLs to the downloaded files. Those ACLs prohibit Safari (or any other program) from setting new extended attributes, including the com.apple.quarantine attribute."
And without the quarantine attribute in place, Gatekeeper is never triggered to check the file, which bypasses the security mechanism altogether. Note that the bypass does not defeat signature or notarization checks; it removes the marker that causes those checks to run, which is why a downloaded file that lacks com.apple.quarantine but carries an ACL denying extended-attribute writes is a useful signal to hunt for.
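The following is an added example, not code from Microsoft's advisory or from Apple. It implements the hunt the paragraph above suggests: for a downloaded file, check whether com.apple.quarantine is present and whether any ACE denies writeextattr (the macOS ACL permission that governs setting extended attributes), and flag files that show both the missing attribute and the blocking ACE. The parsers assume the output formats of `ls -le` (ACE lines such as ` 0: group:everyone deny writeextattr`) and `xattr <file>` (one attribute name per line); the two listings embedded below are constructed samples, not captured from a real machine.

```python
# Added example: hunt for the Achilles pattern (deny-writeextattr ACE present,
# com.apple.quarantine absent). Not code from Microsoft or Apple; the sample
# listings are constructed, and the live helper only works on macOS.
import re
import subprocess
import sys
from dataclasses import dataclass, field

# One access-control entry as macOS `ls -le` prints it, e.g.
#  " 0: group:everyone deny writeextattr"
ACE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<kind>user|group):(?P<who>\S+)\s+"
    r"(?P<effect>allow|deny)\s+(?P<perms>\S+)"
)

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class Ace:
    idx: int
    kind: str
    who: str
    effect: str
    perms: list


@dataclass
class Finding:
    path: str
    quarantined: bool
    xattr_blocking_aces: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The Achilles pattern: nothing could tag the file, and nothing did.
        return (not self.quarantined) and bool(self.xattr_blocking_aces)


def parse_aces(ls_le_output: str) -> list:
    """Extract ACEs from `ls -le` output; the leading mode/owner line is skipped."""
    aces = []
    for line in ls_le_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append(Ace(int(m["idx"]), m["kind"], m["who"],
                            m["effect"], m["perms"].split(",")))
    return aces


def xattr_blocking(aces: list) -> list:
    """ACEs that deny writeextattr stop Safari (or any other program) from
    setting extended attributes such as com.apple.quarantine."""
    return [a for a in aces if a.effect == "deny" and "writeextattr" in a.perms]


def triage(path: str, xattr_names: list, ls_le_output: str) -> Finding:
    """Combine the attribute listing and the ACL listing into one verdict."""
    return Finding(path, QUARANTINE_XATTR in xattr_names,
                   xattr_blocking(parse_aces(ls_le_output)))


def live_triage(path: str):
    """Run the same check against a real file. Only meaningful on macOS,
    where `xattr <file>` lists attribute names and `ls -le` lists ACEs;
    returns None on other platforms."""
    if sys.platform != "darwin":
        return None
    names = subprocess.run(["xattr", path], capture_output=True,
                           text=True, check=True).stdout.split()
    listing = subprocess.run(["ls", "-le", path], capture_output=True,
                             text=True, check=True).stdout
    return triage(path, names, listing)


# Constructed sample listings (not real captures). The "+" after the mode
# bits is how ls marks a file carrying an ACL; "@" marks extended attributes.
SAMPLE_ACHILLES = (
    "-rw-r--r--+ 1 alice staff 4096 Dec 20 10:00 Installer.dmg\n"
    " 0: group:everyone deny writeextattr\n"
)
SAMPLE_NORMAL = "-rw-r--r--@ 1 alice staff 4096 Dec 20 10:00 Installer.dmg\n"


if __name__ == "__main__":
    for p in sys.argv[1:]:
        f = live_triage(p)
        if f is None:
            print("not macOS; nothing checked")
            break
        print(f"{p}: quarantined={f.quarantined} "
              f"deny_writeextattr={len(f.xattr_blocking_aces)} "
              f"{'SUSPICIOUS' if f.suspicious else 'ok'}")
```

Run it as `python3 achilles_hunt.py ~/Downloads/*` on a Mac to triage recent downloads. The check is deliberately narrow: a file that simply never had a quarantine attribute (copied over SMB, extracted by a tool that does not propagate it) is not flagged, because the signal is the combination of the missing attribute and an ACE that would have prevented setting it. A deny ACE for a specific user or group rather than `everyone` is still caught, since any deny of writeextattr is treated as blocking.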
Crucially, Microsoft researchers found that Apple's Lockdown Mode, which the company announced in July to prevent state-sponsored spyware from infecting at-risk targets, can't thwart the Achilles attack.
We note that Apple’s Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles, according to Microsoft.
The issue was disclosed to Apple in July, and a fix shipped in the latest macOS release. To protect themselves, Mac users are encouraged to update their operating systems to the latest version as soon as possible; until then, the absence of a quarantine attribute on a fresh download should be treated as a warning sign rather than as evidence that the file was already vetted.
