Microsoft Spots macOS Vulnerability That Lets Malware Bypass Security Checks

Microsoft Spots macOS Vulnerability That Lets Malware Bypass Security Checks

Jonathan Bar Or, Microsoft’s principal security researcher, located the flaw back in July and immediately shared it with Apple via the company’s Security Vulnerability Research (MSVR) program. Nicknamed “Achilles,” the vulnerability left room for skilled attackers to skip Gatekeeper’s application execution restrictions. Not only could bad actors use Achilles to “get a foot in the door” before launching a larger attack, but they could exploit the vulnerability in such a way that boosted the impact of larger macOS malware campaigns.

Gatekeeper typically allows only trusted applications to run on macOS devices. It does this by checking downloaded software for an attribute titled “com.apple.quarantine,” which is only assigned to Apple-verified files. Achilles, however, permitted custom malicious payloads to bypass Gatekeeper’s checks by exploiting restrictive Access Control Lists (ACLs) that prohibit Safari, Apple’s web browser, from setting the com.apple.quarantine attribute on archived ZIP files. This allowed malicious apps “hidden” inside an archived payload to launch on the victim’s macOS device.

Microsoft Spots macOS Vulnerability That Lets Malware Bypass Security Checks

“Due to its essential role in stopping malware on macOS, Gatekeeper is a helpful and effective security feature,” Microsoft’s Achilles writeup reads. “However, considering there have been numerous bypass techniques targeting the security feature in the past, Gatekeeper is not bulletproof. Gaining the ability to bypass Gatekeeper has dire implications as sometimes malware authors leverage those techniques for initial access.”

Bar Or has since logged Achilles on the Common Vulnerabilities and Exposures (CVE) list. Apple has also patched the vulnerability via macOS versions Ventura 13, Monterey 12.6.2, and Big Sur 11.7.2, the last two of which became available last week. Microsoft’s Security Threat Intelligence team recommends that all macOS users should apply the patch, even if they utilize Apple’s Lockdown Mode (which is said to protect users in need of heightened personal security). Lockdown Mode is meant to prevent attacks involving zero-click remote code execution, meaning it doesn’t protect against a vulnerability like Achilles.

Continue reading

In Massive Shift, Apple Announces New Macs With ARM-Based M1 Chip
In Massive Shift, Apple Announces New Macs With ARM-Based M1 Chip

Apple saw huge success the last time it switched architectures to Intel, but this time? The jury's still out, but one thing is certain: Apple is about to make a lot more money.

Benchmark Results Show Apple M1 Beating Every Intel-Powered MacBook Pro
Benchmark Results Show Apple M1 Beating Every Intel-Powered MacBook Pro

Apple's new M1 SoC can beat every single Intel system it sells, at least in one early benchmark result. We dig into the numbers and the likely competitive situation.

How Apple Is Collecting Your Data in macOS Big Sur
How Apple Is Collecting Your Data in macOS Big Sur

Apple's new Big Sur has been accused of some serious privacy violations and unfriendly user-access controls. The situation is a bit more nuanced.

Apple: ‘It’s Up to Microsoft’ to Get Windows Running on New ARM Macs
Apple: ‘It’s Up to Microsoft’ to Get Windows Running on New ARM Macs

According to Apple, the question of supporting Windows on the M1 is entirely in Microsoft's court.