- Microsoft researchers found a vulnerability in macOS that allows threat actors to bypass security features in Apple’s Gatekeeper, a tool designed to make sure only trusted applications can run on Mac devices, according to a blog post released Monday.
- Threat actors can use the vulnerability, which researchers call Achilles, as a vector for malware and can enhance the capabilities of future malicious attacks against macOS, researchers found. The vulnerability was assigned CVE-2022-42821.
- Apple’s Lockdown Mode, which was released in macOS Ventura to protect high-risk users, is designed to prevent zero-click remote execution exploits but doesn’t work against Achilles, the researchers found.
Gatekeeper has been a frequent target of threat activity in recent years, and researchers, as part of their proof-of-concept exploit, identified different mechanisms to bypass the security feature. Threat actors can:
- Misuse the com.apple.quarantine extended attribute assignment.
- Find a vulnerability in the components that enforce policy checks on quarantined files.
Microsoft researchers pointed out a few examples of Gatekeeper bypasses that were previously assigned Common Vulnerabilities and Exposures (CVE) identifiers.
In one example, CVE-2021-1810 involved the assignment of the quarantine attribute: a file at a path longer than 886 characters fails to inherit the com.apple.quarantine extended attribute, as outlined by researchers from WithSecure.
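Both bypass classes above come down to a file reaching the user without the com.apple.quarantine attribute Gatekeeper keys on, so a defender-side audit is to inventory downloaded files that lack it. The following is an added example, not code from Microsoft, Apple or WithSecure; it assumes the commonly observed `flags;hextime;agent;uuid` layout of the attribute value, takes the 886-character path length from the CVE-2021-1810 case described above, and reads live attributes with macOS's `xattr -p` command.

```python
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

QUARANTINE_XATTR = "com.apple.quarantine"
LONG_PATH_THRESHOLD = 886  # path length the article cites for CVE-2021-1810

@dataclass
class QuarantineInfo:
    flags: int          # hex flags field; individual bits are not decoded here
    downloaded_at: datetime
    agent: str          # application that set the attribute, e.g. Safari
    uuid: str

def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse 'flags;hextime;agent;uuid' (assumed layout of the attribute)."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    return QuarantineInfo(int(parts[0], 16), stamp, parts[2],
                          parts[3] if len(parts) > 3 else "")

def read_quarantine(path: str) -> Optional[str]:
    """Read the attribute with macOS's xattr(1); returns None when absent."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None

def audit(files: Dict[str, Dict[str, str]]) -> List[str]:
    """files: path -> its extended attributes. Returns files Gatekeeper never sees."""
    findings = []
    for path, xattrs in sorted(files.items()):
        if QUARANTINE_XATTR in xattrs:
            continue  # quarantined: Gatekeeper assesses it on first launch
        reason = "missing quarantine attribute"
        if len(path) > LONG_PATH_THRESHOLD:
            reason += f" (path length {len(path)} exceeds {LONG_PATH_THRESHOLD})"
        findings.append(f"{path}: {reason}")
    return findings

# Constructed sample records (not real files): a normal download, an
# unquarantined app binary, and a file nested in an over-long path.
SAMPLE = {
    "/Users/alice/Downloads/report.pdf": {QUARANTINE_XATTR: "0083;63a1c4a2;Safari;8F1C2A10-0000-4000-8000-000000000001"},
    "/Users/alice/Downloads/Tool.app/Contents/MacOS/Tool": {},
    "/Users/alice/Downloads/" + "a" * 900 + "/run": {},
}
```

On a real Mac, build the `files` mapping by walking the Downloads folder and calling `read_quarantine` on each entry; the audit then lists the files that would skip Gatekeeper's first-launch check.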
Microsoft shared research about the issue with Apple in July through coordinated vulnerability disclosure and Apple released fixes to all its operating systems, according to the blog. Apple did not immediately return a request for comment.
Researchers from Zimperium said Gatekeeper is a strong control for verifying that apps run on macOS are legitimate, but this layer of security is not enough by itself.
“Whether they are targeting iOS or macOS, threat actors are looking for new and novel ways to bypass these OEM security tools that provide zero advanced threat protection and risk telemetry back to their security teams, leaving critical data and systems at great risk,” Richard Melick, director of threat reporting at Zimperium, said via email.