Microsoft discovered a vulnerability in Gatekeeper, a core macOS security feature, and says it could have allowed attackers to compromise vulnerable Macs with malware.
Microsoft principal security researcher Jonathan Bar Or discovered the flaw, named the “Achilles” vulnerability, and tracked it as CVE-2022-42821. Bar Or said the bug could allow malware to bypass the Gatekeeper’s protection on macOS.
Gatekeeper, first introduced in OS X Mountain Lion in 2012, is a security feature that allows only trusted software to run on macOS. It automatically checks that apps downloaded from the internet have been verified as safe by Apple.
This verification process, known as “notarization,” is available only to identified developers, and an app passes only if Apple finds it free of malicious content.
In a blog post, Microsoft’s Bar Or explained that macOS has a “quarantine” feature, which applies to files and apps downloaded from a web browser: the browser tags the download with a quarantine attribute, and that attribute prompts Gatekeeper to check the file before the user can open it.
However, the Achilles vulnerability abuses a file permissions model called Access Control Lists (ACLs) to place extremely restrictive permissions on the downloaded file, preventing the web browser from setting the quarantine attribute properly, so the file is never flagged for Gatekeeper’s check.
If exploited, the bug could allow attackers to trick users into downloading and opening malicious files on macOS without triggering Gatekeeper’s security protections.
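The mechanism described above can be turned into a simple triage check for a defender: a downloaded file that carries no quarantine attribute but does carry an ACL denying extended-attribute writes matches the pattern the article describes. The script below is an added example, not code from the article or from Microsoft’s research. It parses the output of the macOS commands `xattr <file>` (one attribute name per line) and `ls -le <file>` (permissions plus numbered ACL entries), and relies on the macOS ACL permission names `writeattr` and `writeextattr`, which the article does not name. The sample outputs, file names and the helper names are constructed for illustration.

```python
"""Flag downloads whose quarantine attribute is missing while an ACL denies
extended-attribute writes (added example, not the article's own code)."""
import re
import subprocess
from typing import Dict, List, Set

# Extended attribute a browser sets on downloads so Gatekeeper inspects them.
QUARANTINE_XATTR = "com.apple.quarantine"
# macOS ACL permission names that govern writing (extended) attributes
# (assumption: taken from the macOS ACL vocabulary, not from the article).
XATTR_WRITE_PERMS = {"writeattr", "writeextattr"}

# `ls -le` prints ACL entries as " 0: group:everyone deny write,writeextattr".
ACL_LINE = re.compile(
    r"^\s*\d+:\s+(?P<principal>\S+)\s+(?P<kind>allow|deny)\s+(?P<perms>\S+)"
)


def parse_xattr_names(xattr_output: str) -> Set[str]:
    """Names from plain `xattr <file>` output (one attribute name per line)."""
    return {line.strip() for line in xattr_output.splitlines() if line.strip()}


def parse_acl_denies(ls_output: str) -> List[Dict[str, object]]:
    """Deny entries from `ls -le <file>` output, with their permission sets."""
    denies = []
    for line in ls_output.splitlines():
        m = ACL_LINE.match(line)
        if m and m.group("kind") == "deny":
            denies.append({
                "principal": m.group("principal"),
                "perms": set(m.group("perms").split(",")),
            })
    return denies


def assess_download(xattr_output: str, ls_output: str) -> Dict[str, object]:
    """Combine both views: quarantined? ACL blocks xattr writes? suspicious?"""
    names = parse_xattr_names(xattr_output)
    denies = parse_acl_denies(ls_output)
    blocking_perms: Set[str] = set()
    for entry in denies:
        blocking_perms |= entry["perms"] & XATTR_WRITE_PERMS  # type: ignore[operator]
    quarantined = QUARANTINE_XATTR in names
    return {
        "quarantined": quarantined,
        "blocks_xattr_write": bool(blocking_perms),
        "blocking_perms": sorted(blocking_perms),
        # The Achilles pattern: no quarantine tag AND a deny on attribute writes.
        "suspicious": (not quarantined) and bool(blocking_perms),
    }


def assess_path(path: str) -> Dict[str, object]:
    """Run the real commands on a macOS host (hypothetical helper; only
    meaningful on macOS, where `xattr` and `ls -le` exist)."""
    xattr_out = subprocess.run(["xattr", path], capture_output=True, text=True).stdout
    ls_out = subprocess.run(["ls", "-led", path], capture_output=True, text=True).stdout
    return assess_download(xattr_out, ls_out)


# Constructed sample outputs (not captured from a real system).
SAMPLE_OK_XATTR = "com.apple.quarantine\ncom.apple.metadata:kMDItemWhereFroms\n"
SAMPLE_OK_LS = "-rw-r--r--@ 1 alice  staff  4096 Dec 20 10:00 report.pdf\n"
SAMPLE_BAD_XATTR = ""  # browser could not set any attribute on this file
SAMPLE_BAD_LS = (
    "-rw-r--r--  1 alice  staff  4096 Dec 20 10:02 Installer\n"
    " 0: group:everyone deny writeattr,writeextattr\n"
)

if __name__ == "__main__":
    for label, xa, ls in (("report.pdf", SAMPLE_OK_XATTR, SAMPLE_OK_LS),
                          ("Installer", SAMPLE_BAD_XATTR, SAMPLE_BAD_LS)):
        print(label, assess_download(xa, ls))
```

On a real Mac, `assess_path("/path/to/download")` performs the same check live; the verdict only says the file matches the described pattern and should be examined, and applying Apple’s update remains the actual fix.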
Apple didn’t acknowledge that the Achilles flaw was fixed until last week, even though Microsoft reported the vulnerability in July.
According to Bar Or, the Lockdown Mode feature introduced by Apple this year, designed to help protect high-risk users from sophisticated cyberattacks, wouldn’t defend against the Achilles vulnerability.
That’s because Lockdown Mode is aimed at silent, remotely triggered “zero-click” attacks that require no user interaction, whereas Achilles relies on the user downloading and opening a file. Bar Or advises all users to apply the fix for this vulnerability, regardless of their Lockdown Mode status.
These Attacks Are a Prominent Issue for Apple
Zero-click attacks are a recurring issue for Apple. In 2016, a hacker group funded by the United Arab Emirates government hacked into hundreds of iPhones using a zero-click tool called Karma. There have been several others since:
- 2020 — At the end of 2020, the digital rights group Citizen Lab revealed that 36 editors and journalists at Al Jazeera were the victims of a zero-day iPhone hack.
- 2021 — Apple fixed a zero-day vulnerability in April 2021 that allowed malicious actors behind the notorious Shlayer malware to skirt Gatekeeper’s protection and notarization security checks.
- 2021 — In November 2021, Apple filed a complaint against the NSO Group concerning the ‘FORCEDENTRY’ zero-day exploit developed by the NSO Group to deploy their Pegasus spyware.
Many Gatekeeper bypasses similar to Achilles have been discovered recently, with Microsoft listing six of them. The Achilles flaw shows that Gatekeeper is still not a perfect feature, and users should regularly apply the latest updates to mitigate the threat of similar attacks.