Apple's macOS Gatekeeper asleep on the job: Exploited flaw put users 'at grave risk' of malware infection

Apple has released macOS 11.3, fixing a serious flaw that allowed an attacker to sneak malicious files past the operating system's Gatekeeper security mechanism.

Gatekeeper is one of the primary macOS defenses against the installation of malware, explained Cedric Owens, the security researcher who found the bug, in a message to The Register.

The vulnerability, he said, lets an attacker rig a malicious file so it won't get blocked by Gatekeeper when a user tries to open it. He considers it to be one of the most dangerous he's encountered on recent versions of macOS.

All it would take to install a malicious payload abusing this bug would be for the user to double-click on malware downloaded to a Mac via an emailed link or website.

"A victim detonating one of these payloads would give the attacker the ability to remotely access sensitive data in directories not protected by TCC [Apple's Transparency, Consent, and Control framework]," said Owens, who elaborated on his findings in a Medium post.

In an email to The Register, security researcher Patrick Wardle, founder of free security project Objective See and director of research at security biz Synack, said, "This bug, a subtle logic flaw deep within macOS’s policy subsystem, trivially bypasses many core Apple security mechanisms, such File Quarantine, Gatekeeper, and Notarization requirements, leaving Mac users at grave risk."

He has written up the issue in full here.

Most Mac malware infections, he said, are the result of users unwittingly running infected software. He pointed at the recently identified Silver Sparrow malware, which managed to infect over 30,000 Macs in a matter of weeks, despite the need for user interaction.

Apple has implemented interrelated mechanisms over the years to reduce the threat of interaction-based malware, such as File Quarantine in 2007 (Mac OS X Leopard), Gatekeeper in 2012 (Mac OS X Lion v10.7.5), and Applications Notarization in 2020 (macOS 10.15).

Thanks to this bug, Wardle explained, "it is possible to craft a malicious application that though unsigned (and hence unnotarized) is misclassified and thus is allowed to launch with no prompts or alerts. This effectively reverts aspects of macOS security back to pre-2007 levels."

The logic flaw Wardle mentioned has to do with a code oversight that misclassifies a script-based application (run via the shell, /bin/sh) without an Info.plist configuration file as "not a bundle," which means the script can execute without any Gatekeeper alerts or permission prompts. It's been around since the release of macOS Catalina 10.15 in 2019.

Objective See's free BlockBlock security tool has a mode to detect apps that aren't Notarized, like a malicious script attempting to exploit the Gatekeeper bypass. So too apparently does Jamf Protect, an enterprise product.

Wardle said he and former colleagues at security firm Jamf found Mac malware that exploits this bug in the wild earlier this month.

According to Jaron Bradley, macOS detections expert at Jamf, the malware detected using this technique is an updated version of Shlayer, a family of malware discovered in 2018 that's one of the most commonly seen forms of Mac malware.

"One of our detections alerted us to this new variant, and upon closer inspection we discovered its use of this bypass to allow it to be installed without an end user prompt," Bradley explained in a message to The Register. "Further analysis leads us to believe that the developers of the malware discovered the zero day and adjusted their malware to use it, in early 2021."

Shlayer's goal is to install adware on the victim's computer, so the malware authors can profit from ad revenue, said Bradley, noting that the earliest sample using the Gatekeeper bypass technique was spotted on January 9, 2021.

Owens said he reported the bug to Apple on March 25. Apple fixed the issue five days later in a macOS Big Sur 11.3 beta release, said Wardle, based on scouring for changed strings in the beta code. The official release of macOS Big Sur 11.3 should help close this particular hole once macOS users apply the update. ®