Apple has patched a bug found by a Microsoft security researcher that can enable attackers to bypass application execution restrictions imposed by Apple’s Gatekeeper security feature, which is designed to ensure that only trusted apps run on Mac devices.
Security Implications Explained
Gaining the ability to bypass Gatekeeper has serious implications as malware authors can leverage those techniques for initial access, Microsoft security researchers said in a blog post.
The bug was discovered and reported by Microsoft principal security researcher Jonathan Bar Or. The vulnerability is now tracked as CVE-2022-42821. Apple addressed the bug in macOS 13 (Ventura), macOS 12.6.2 (Monterey), and macOS 11.7.2 (Big Sur) on December 13.
Gatekeeper is designed to ensure only trusted apps run on Mac devices. Last July, Microsoft developed a proof-of-concept exploit to demonstrate the vulnerability, which the vendor’s security team dubbed “Achilles.” Fixes for the vulnerability, now identified as CVE-2022-42821, were quickly released by Apple for all macOS versions.
Why a Gatekeeper Bypass Is Troubling
The concern is that Gatekeeper bypasses such as this could be “leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS,” Microsoft said.
Apple has implemented a number of security measures to rebuff malware that masquerades as a legitimate app bundle or as a harmless file type, such as a PDF.
For example, when downloading apps from a browser, such as Safari, the browser assigns a special extended attribute to the downloaded file. That attribute is named com.apple.quarantine and is later used to enforce policies such as Gatekeeper or certain mitigations that prevent sandbox escapes.
Under the current Gatekeeper design, even an app that is validly signed and notarized is launched only after the user agrees to run it; an app that is not signed and notarized is blocked because it is deemed untrusted.
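As an added example (not code from the article, from Apple, or from Microsoft), the following Python script parses a com.apple.quarantine value into its fields and, given a listing of a download folder's extended attributes, reports files that arrived without the attribute, which is the condition under which Gatekeeper never assesses them. The field layout (flags;timestamp;agent;UUID) is the format observed on macOS, and the sample attribute values and file names are constructed.

```python
"""Parse and triage com.apple.quarantine values (example added to this article).

Value layout: <flags hex>;<timestamp hex, seconds since epoch>;<agent>;<UUID>
The UUID field may be absent; flag bit meanings are not interpreted here.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int
    downloaded_at: datetime
    agent: str
    uuid: Optional[str]


def parse_quarantine(value: str) -> Quarantine:
    """Parse a raw attribute value; raise ValueError if it is malformed."""
    fields = value.strip().split(";")
    if len(fields) < 3:
        raise ValueError(f"unexpected quarantine format: {value!r}")
    flags = int(fields[0], 16)
    downloaded_at = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    uuid = fields[3] if len(fields) > 3 and fields[3] else None
    return Quarantine(flags, downloaded_at, fields[2], uuid)


def unquarantined(xattrs: Dict[str, Dict[str, str]]) -> List[str]:
    """Names of files with no com.apple.quarantine attribute.

    `xattrs` maps file name -> its extended attributes, e.g. collected with
    `xattr -p com.apple.quarantine FILE` on macOS. Without the attribute a
    downloaded app is never assessed by Gatekeeper, so it deserves review.
    """
    return sorted(n for n, attrs in xattrs.items() if QUARANTINE_XATTR not in attrs)


# Constructed sample listing: one normal download, one that arrived unquarantined.
SAMPLE_DOWNLOADS = {
    "Installer.dmg": {QUARANTINE_XATTR: "0083;6398f0a0;Safari;1E4F2B3C-0000-4000-8000-000000000001"},
    "Report.pdf.app": {},  # disguised as a PDF, no quarantine attribute
}

if __name__ == "__main__":
    print(parse_quarantine(SAMPLE_DOWNLOADS["Installer.dmg"][QUARANTINE_XATTR]))
    print("not quarantined:", unquarantined(SAMPLE_DOWNLOADS))
```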
Still, Gatekeeper is not “bulletproof,” Microsoft said:
“Our data shows that fake apps remain one of the top entry vectors on macOS, indicating Gatekeeper bypass techniques are an attractive and even a necessary capability for adversaries to leverage in attacks. Nonetheless, through research-driven protections and collaboration with customers, partners, and industry experts, we strive to enrich our protection technologies to defend against such issues—regardless of the platform or device in use.”