Microsoft has disclosed details of a now-patched security flaw in Apple macOS that could be exploited by an attacker to get around security protections imposed to prevent the execution of malicious applications.
Dubbed Achilles (CVE-2022-42821, CVSS score: 5.5), the flaw was addressed by the iPhone maker in macOS Ventura 13, Monterey 12.6.2, and Big Sur 11.7.2; Apple described it as a logic issue that could be weaponised by an app to circumvent Gatekeeper checks.
Jonathan Bar Or of the Microsoft 365 Defender Research Team said that Gatekeeper bypasses such as this could be used as a vector for initial access by malware and other threats, and could help increase the success rate of malicious campaigns and attacks on macOS.
Gatekeeper is a security mechanism designed to ensure that only trusted apps run on the operating system. This is enforced by means of an extended attribute called "com.apple.quarantine" that's assigned to files downloaded from the internet. It is analogous to the Mark of the Web (MotW) flag in Windows.
Thus, when an unsuspecting user downloads a potentially harmful app that impersonates a piece of legitimate software, Gatekeeper prevents the app from being run because it is not validly signed and notarised by Apple.
Even when an app has been approved by Apple, users are shown a prompt when it is launched for the first time to seek their explicit consent.
The Achilles vulnerability identified by Microsoft abuses the Access Control List (ACL) permission model to add extremely restrictive permissions to a downloaded file (i.e., "everyone deny write,writeattr,writeextattr,writesecurity,chown"), thereby blocking Safari from setting the quarantine extended attribute.
In practice, an attacker could write a rogue app and host it on a server, then deliver it to a target via social engineering or malicious ads.
The method also circumvents Apple's much-hyped Lockdown Mode in macOS Ventura, which is intended to counter zero-click exploits.
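The following is an added example, not code from the article or from Microsoft's research, showing how a defender or incident responder could check a downloaded file for the condition described above: it parses the ACL listing printed by the macOS `ls -le` command, looks for an entry that denies `writeextattr` to everyone, and reads the `com.apple.quarantine` value (the `flags;timestamp;agent;uuid` layout assumed here is the commonly documented one). The parsing functions are pure, so they run on any platform against the constructed sample output embedded below; only `check_file` shells out to the real macOS tools.

```python
"""Added example (not from the article or Microsoft's research): a defender's
check for the Achilles / CVE-2022-42821 condition on a downloaded file.

It looks for (1) the com.apple.quarantine extended attribute that Gatekeeper
relies on and (2) an ACL entry denying 'writeextattr' to everyone, which is
what stops Safari from attaching that attribute in the first place."""
import re
import subprocess
import sys
from dataclasses import dataclass

QUARANTINE_XATTR = "com.apple.quarantine"

# One ACL line as printed by `ls -le`, e.g.
#  0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown
ACL_LINE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(allow|deny)\s+(\S+)\s*$")


@dataclass(frozen=True)
class AclEntry:
    index: int
    principal: str      # e.g. "group:everyone" or "user:alice"
    kind: str           # "allow" or "deny"
    perms: frozenset    # e.g. {"write", "writeextattr"}


def parse_ls_le(output: str) -> list:
    """Parse the ACL entries that follow the main line of `ls -le` output."""
    entries = []
    for line in output.splitlines():
        m = ACL_LINE.match(line)
        if m:
            entries.append(AclEntry(int(m.group(1)), m.group(2), m.group(3),
                                    frozenset(m.group(4).split(","))))
    return entries


def blocks_quarantine_write(entries) -> bool:
    """True if any entry denies writing extended attributes to everyone.

    Such an entry prevents any process, Safari included, from setting
    com.apple.quarantine on the file: the Achilles pattern."""
    return any(e.kind == "deny"
               and e.principal == "group:everyone"
               and "writeextattr" in e.perms
               for e in entries)


def parse_quarantine(value: str) -> dict:
    """Split a quarantine value 'flags;timestamp;agent;uuid' into fields.
    The field layout is the commonly documented one (assumption)."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError("unexpected quarantine format: %r" % value)
    return {"flags": int(parts[0], 16),
            "timestamp": int(parts[1], 16),
            "agent": parts[2],
            "uuid": parts[3] if len(parts) > 3 else ""}


def assess(acl_output: str, quarantine_value) -> str:
    """Classify a file from its ACL listing and quarantine value (None if absent)."""
    denied = blocks_quarantine_write(parse_ls_le(acl_output))
    if quarantine_value is None and denied:
        return "suspicious: no quarantine attribute and ACL denies writeextattr (Achilles pattern)"
    if quarantine_value is None:
        return "unquarantined: Gatekeeper will not assess this file"
    return "quarantined by %s" % parse_quarantine(quarantine_value)["agent"]


def check_file(path: str) -> str:
    """Run the real macOS tools against a file (only meaningful on macOS)."""
    if sys.platform != "darwin":
        raise RuntimeError("requires macOS tooling (ls -le, xattr)")
    acl = subprocess.run(["ls", "-le", path], capture_output=True,
                         text=True, check=True).stdout
    q = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                       capture_output=True, text=True)
    return assess(acl, q.stdout if q.returncode == 0 else None)


# Constructed sample output mimicking a file carrying the Achilles ACL.
SAMPLE_LS_LE = """\
-rw-r--r--+ 1 user  staff  1234 Dec 20 10:00 Installer.zip
 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown
"""
# Constructed sample quarantine value (flags;timestamp;agent;uuid).
SAMPLE_QUARANTINE = "0083;63a1a0f0;Safari;E3F1A2B4-0000-4000-8000-000000000001"

if __name__ == "__main__":
    print(assess(SAMPLE_LS_LE, None))
    print(assess("", SAMPLE_QUARANTINE))
```

On a patched system the ACL no longer prevents the attribute from being written, but the check is still useful when triaging downloads on unpatched hosts: a file that lacks the quarantine attribute and carries an "everyone deny ... writeextattr" entry is worth treating as unassessed by Gatekeeper. The macOS command `chmod -N <file>` removes a file's ACL entirely, after which the attribute can be set normally.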
"Fake apps remain one of the top entry vectors on macOS, indicating Gatekeeper bypass techniques are an attractive and even a necessary capability for adversaries to leverage in attacks," Bar Or said.
Apple is saying nothing. It has fixed the flaw in its latest update.