Microsoft discovers a bug in macOS that allows malware to bypass security checks

Apple has patched a security flaw that attackers could use to deploy malware on vulnerable macOS devices through untrusted apps that bypass Gatekeeper's execution restrictions.

The vulnerability, dubbed Achilles, was reported by Jonathan Bar Or, a principal security researcher at Microsoft, and is now tracked under a CVE identifier.

Apple fixed the bug in macOS Ventura, Monterey and Big Sur on December 13, one week before Microsoft's write-up.

Gatekeeper bypass via restrictive ACLs

Gatekeeper checks every app downloaded from the Internet to see whether it is developer-signed and notarized (approved by Apple). If it is, the user is asked to confirm before the app launches; if it is not, macOS shows an alert warning that the app cannot be trusted.

It does this by checking a quarantine extended attribute that web browsers set on every downloaded file, much like Mark of the Web on Windows.

The Achilles flaw lets a specially crafted payload abuse a logic issue to set restrictive Access Control List (ACL) permissions on the files inside a downloaded ZIP archive, which stops the quarantine extended attribute from being applied to the extracted payload.

The malicious app inside the archive then launches on the target's machine instead of being blocked by Gatekeeper, letting attackers deliver and install malware.
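To make the mechanism above concrete, here is an added example that is not from the original article, Microsoft or Apple: a Python scanner that looks inside a ZIP for the Achilles pattern, a `__MACOSX/._name` sidecar whose AppleDouble metadata carries a deny-ACL stripping the rights a downloader needs to stamp the quarantine attribute on the extracted file. The AppleDouble and xattr-table layout is assumed from xnu's vfs_xattr.c, the ACL text form from acl_to_text(3), the xattr name `com.apple.acl.text` from copyfile, and the sample archive and ACL strings are constructed for the demo.

```python
import io
import struct
import zipfile

ADH_MAGIC, ADH_VERSION = 0x00051607, 0x00020000   # AppleDouble v2 header (xnu vfs_xattr.c)
ATTR_HDR_MAGIC = 0x41545452                        # b"ATTR": start of the packed xattr table
ENTRY_FINDER_INFO, ENTRY_RESOURCE_FORK = 9, 2
ACL_XATTR = "com.apple.acl.text"                   # name copyfile uses for an ACL in a sidecar
# rights a browser/Archive Utility needs to write com.apple.quarantine onto the new file
XATTR_WRITE_RIGHTS = {"writeattr", "writeextattr", "writesecurity"}


def parse_appledouble_xattrs(blob: bytes) -> dict:
    """Return {name: raw value} for xattrs packed into an AppleDouble ('._') file.
    Big-endian: magic, version, 16 filler, u16 numEntries, then (id, off, len) triples.
    Entry 9 = 32 bytes Finder info + 2 pad, then a 36-byte 'ATTR' header and entries of
    (off u32, len u32, flags u16, namelen u8, NUL-terminated name), each padded to 4."""
    if len(blob) < 26:
        return {}
    magic, version, n = struct.unpack_from(">II16xH", blob, 0)
    if (magic, version) != (ADH_MAGIC, ADH_VERSION):
        return {}
    finfo = None
    for i in range(n):
        eid, off, ln = struct.unpack_from(">III", blob, 26 + 12 * i)
        if eid == ENTRY_FINDER_INFO:
            finfo = (off, ln)
    if finfo is None or finfo[1] <= 34 + 36:      # plain Finder info only, no xattrs
        return {}
    hdr = finfo[0] + 34
    if struct.unpack_from(">I", blob, hdr)[0] != ATTR_HDR_MAGIC:
        return {}
    nattrs = struct.unpack_from(">H", blob, hdr + 34)[0]
    pos, out = hdr + 36, {}
    for _ in range(nattrs):
        aoff, alen, _flags, namelen = struct.unpack_from(">IIHB", blob, pos)
        name = blob[pos + 11:pos + 11 + namelen].rstrip(b"\0").decode("utf-8", "replace")
        out[name] = blob[aoff:aoff + alen]          # offsets are absolute in the sidecar
        pos += (11 + namelen + 3) & ~3
    return out


def acl_blocks_quarantine(acl_text: str) -> bool:
    """True if a deny ACE removes a right needed to set xattrs.  Assumed text form:
    '!#acl 1' then one ACE per line: type:guid:name:id:allow|deny[,flags]:perm,perm"""
    for line in acl_text.splitlines():
        f = line.strip().split(":")
        if line.startswith("!#") or len(f) < 6:
            continue
        if f[4].split(",")[0] == "deny" and set(f[5].split(",")) & XATTR_WRITE_RIGHTS:
            return True
    return False


def scan_zip_for_achilles(zip_bytes: bytes) -> list:
    """Names of members whose __MACOSX sidecar would suppress the quarantine flag."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            parts = info.filename.split("/")
            if parts[0] != "__MACOSX" or not parts[-1].startswith("._"):
                continue
            acl = parse_appledouble_xattrs(zf.read(info)).get(ACL_XATTR)
            if acl and acl_blocks_quarantine(acl.decode("utf-8", "replace")):
                flagged.append("/".join(parts[1:-1] + [parts[-1][2:]]))
    return flagged


def build_appledouble(xattrs: dict) -> bytes:
    """Constructed fixture: serialise xattrs in exactly the layout parsed above."""
    names = list(xattrs)
    table = sum((11 + len(nm) + 1 + 3) & ~3 for nm in names)
    data = b"".join(xattrs[nm] for nm in names)
    finfo_len = 32 + 2 + 36 + table + len(data)
    data_start, end = 50 + 34 + 36 + table, 50 + finfo_len
    ad = struct.pack(">II16xH", ADH_MAGIC, ADH_VERSION, 2)
    ad += struct.pack(">III", ENTRY_FINDER_INFO, 50, finfo_len)
    ad += struct.pack(">III", ENTRY_RESOURCE_FORK, end, 0)   # empty resource fork
    ad += b"\0" * 34                                         # Finder info + pad
    ad += struct.pack(">IIIII", ATTR_HDR_MAGIC, 0, end, data_start, len(data))
    ad += b"\0" * 12 + struct.pack(">HH", 0, len(names))     # reserved[3], flags, count
    off = data_start
    for nm in names:
        nb = nm.encode() + b"\0"
        ent = struct.pack(">IIHB", off, len(xattrs[nm]), 0, len(nb)) + nb
        ad += ent + b"\0" * (-len(ent) & 3)
        off += len(xattrs[nm])
    return ad + data


def build_sample_zip() -> bytes:
    """Constructed archive: one member with an Achilles-style deny ACL, one benign."""
    deny_acl = (b"!#acl 1\ngroup:ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000010:everyone:12:"
                b"deny:writeattr,writeextattr,writesecurity\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("evil.app/Contents/MacOS/evil", b"#!/bin/sh\necho pwned\n")
        zf.writestr("__MACOSX/evil.app/Contents/MacOS/._evil",
                    build_appledouble({ACL_XATTR: deny_acl}))
        zf.writestr("notes.txt", b"hello\n")
        zf.writestr("__MACOSX/._notes.txt",
                    build_appledouble({"com.apple.TextEncoding": b"utf-8;134217984"}))
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip_for_achilles(build_sample_zip()))   # ['evil.app/Contents/MacOS/evil']
```

The scanner only inspects the `__MACOSX` sidecar form of metadata; it is a triage check for mail gateways or download scanners, not a replacement for the Apple patch, since a file that slips through still runs without a quarantine flag on an unpatched Mac.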

Microsoft said on Monday that Apple's Lockdown Mode, an optional protection for high-risk users who may be targeted by sophisticated cyberattacks, is designed to stop zero-click remote code execution exploits and does not protect against Achilles.

The Microsoft Security Threat Intelligence group stated that “end-users should apply this fix regardless of whether or not they are in Lockdown Mode.”

More macOS security bypasses and malware

This is only the latest of many Gatekeeper bypasses found over the years, several of which attackers have used to get around macOS security features such as Gatekeeper, File Quarantine and System Integrity Protection (SIP), even on fully patched Macs.

In 2021, for example, Bar Or reported a vulnerability that lets threat actors bypass System Integrity Protection to perform arbitrary operations on a compromised Mac, escalate privileges to root and install rootkits.

He also reported a bug that allows attackers to bypass Transparency, Consent, and Control (TCC) and gain access to users' private data.

He additionally published exploit code for a macOS flaw (CVE-2022-26706) that attackers can use to bypass sandbox restrictions and run code on the system.

In April 2021, Apple also fixed a zero-day macOS flaw that let the threat actors behind the Shlayer malware bypass File Quarantine and Gatekeeper checks and download additional malware onto infected Macs.

Shlayer's creators had also managed to get their payloads through Apple's notarization process and used an old privilege-escalation technique to run unsigned payloads.