Apple's macOS Gatekeeper asleep on the job: Exploited flaw put users 'at grave risk' of malware infection

Bug that let malicious files slip past defenses now fixed in Big Sur 11.3

Apple has released macOS 11.3, fixing a serious flaw that allowed an attacker to sneak malicious files past the operating system's Gatekeeper security mechanism.

Gatekeeper is one of the primary macOS defenses against the installation of malware, explained Cedric Owens, the security researcher who found the bug, in a message to The Register.

The vulnerability, he said, lets an attacker rig a malicious file so it won't get blocked by Gatekeeper when a user tries to open it. He considers it to be one of the most dangerous he's encountered on recent versions of macOS.

All it would take to install a malicious payload abusing this bug would be for the user to double-click on malware downloaded to a Mac via an emailed link or website.

"A victim detonating one of these payloads would give the attacker the ability to remotely access sensitive data in directories not protected by TCC [Apple's Transparency, Consent, and Control framework]," said Owens, who elaborated on his findings in a Medium post.

In an email to The Register, security researcher Patrick Wardle, founder of free security project Objective See and director of research at security biz Synack, said, "This bug, a subtle logic flaw deep within macOS’s policy subsystem, trivially bypasses many core Apple security mechanisms, such as File Quarantine, Gatekeeper, and Notarization requirements, leaving Mac users at grave risk."

He has written up the issue in full here.

Most Mac malware infections, he said, are the result of users unwittingly running infected software. He pointed at the recently identified Silver Sparrow malware, which managed to infect over 30,000 Macs in a matter of weeks, despite the need for user interaction.


Apple has implemented interrelated mechanisms over the years to reduce the threat of interaction-based malware, such as File Quarantine in 2007 (Mac OS X Leopard), Gatekeeper in 2012 (Mac OS X Lion v10.7.5), and Applications Notarization in 2020 (macOS 10.15).

Thanks to this bug, Wardle explained, "it is possible to craft a malicious application that though unsigned (and hence unnotarized) is misclassified and thus is allowed to launch with no prompts or alerts. This effectively reverts aspects of macOS security back to pre-2007 levels."

The logic flaw Wardle mentioned has to do with a code oversight that misclassifies a script-based application (run via the shell, /bin/sh) without an Info.plist configuration file as "not a bundle," which means the script can execute without any Gatekeeper alerts or permission prompts. It's been around since the release of macOS Catalina 10.15 in 2019.

Objective See's free BlockBlock security tool has a mode to detect apps that aren't Notarized, like a malicious script attempting to exploit the Gatekeeper bypass. So too apparently does Jamf Protect, an enterprise product.
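As an added, defender-side illustration of the misclassification described above and of the kind of check a tool like BlockBlock performs (this is not code from Owens, Wardle, Objective See or Jamf), the Python below scans a directory for .app bundles whose main executable is a shell script and which ship no Contents/Info.plist, the combination the article says Gatekeeper mishandled. The bundle layout, the shebang heuristic and the constructed sample bundles are my assumptions; on a real Mac this would sit alongside the notarization and quarantine-attribute checks the article credits BlockBlock and Jamf Protect with.

```python
import tempfile
from pathlib import Path


def classify_bundle(app_dir):
    """Describe how far an .app directory matches the script-without-plist pattern."""
    app = Path(app_dir)
    macos_dir = app / "Contents" / "MacOS"
    result = {
        "name": app.name,
        "has_info_plist": (app / "Contents" / "Info.plist").is_file(),
        "script_executables": [],
    }
    if macos_dir.is_dir():
        for exe in sorted(macos_dir.iterdir()):
            # A shebang as the first two bytes marks a script rather than a Mach-O binary.
            if exe.is_file() and exe.read_bytes()[:2] == b"#!":
                result["script_executables"].append(exe.name)
    # Flag only the combination the article describes: a script main executable
    # and no Info.plist. Bundles that do carry Info.plist are left to the normal
    # Gatekeeper and notarization checks.
    result["suspicious"] = (not result["has_info_plist"]
                            and bool(result["script_executables"]))
    return result


def scan(root):
    """Classify every top-level *.app directory under root, keyed by bundle name."""
    return {r["name"]: r for r in map(classify_bundle, Path(root).glob("*.app"))}


def build_samples(root):
    """Constructed sample bundles (harmless placeholders, not real malware) for an offline run."""
    root = Path(root)
    good = root / "Good.app" / "Contents"          # script executable plus Info.plist
    (good / "MacOS").mkdir(parents=True)
    (good / "Info.plist").write_text("<plist/>")
    (good / "MacOS" / "Good").write_bytes(b"#!/bin/sh\necho ok\n")
    bad = root / "Bad.app" / "Contents" / "MacOS"  # script executable, no Info.plist
    bad.mkdir(parents=True)
    (bad / "Bad").write_bytes(b"#!/bin/sh\necho constructed sample\n")
    native = root / "Native.app" / "Contents" / "MacOS"  # Mach-O magic, no Info.plist
    native.mkdir(parents=True)
    (native / "Native").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 16)
    return root


def demo():
    """Build the constructed samples in a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_samples(tmp))


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, "SUSPICIOUS" if r["suspicious"] else "ok", r["script_executables"])
```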

Wardle said he and former colleagues at security firm Jamf found Mac malware that exploits this bug in the wild earlier this month.

According to Jaron Bradley, macOS detections expert at Jamf, the malware detected using this technique is an updated version of Shlayer, a family of malware discovered in 2018 that's one of the most commonly seen forms of Mac malware.

"One of our detections alerted us to this new variant, and upon closer inspection we discovered its use of this bypass to allow it to be installed without an end user prompt," Bradley explained in a message to The Register. "Further analysis leads us to believe that the developers of the malware discovered the zero day and adjusted their malware to use it, in early 2021."

Shlayer's goal is to install adware on the victim's computer, so the malware authors can profit from ad revenue, said Bradley, noting that the earliest sample using the Gatekeeper bypass technique was spotted on January 9, 2021.

Owens said he reported the bug to Apple on March 25. Apple fixed the issue five days later in a macOS Big Sur 11.3 beta release, said Wardle, based on scouring for changed strings in the beta code. The official release of macOS Big Sur 11.3 should help close this particular hole once macOS users apply the update. ®
