Microsoft reports macOS Gatekeeper has an 'Achilles' heel

Security researchers at Microsoft have discovered a bug in macOS that lets malicious apps bypass Apple's Gatekeeper security software "for initial access by malware and other threats." 

Dubbed "Achilles," (which sounds sexier than CVE-2022-42821) Microsoft researchers said the vulnerability was discovered in late July, and quickly patched by Apple in all affected versions of its OSes after the team followed responsible disclosure. 

Regardless of that fix, it's still critical for macOS users to patch their systems to the latest protected versions, Microsoft said, because Apple's much-touted Lockdown Mode isn't designed to protect against Achilles-style threats.

"End-users should apply the fix regardless of their Lockdown Mode status," Microsoft said. 

How to distract a Gatekeeper

Gatekeeper has been a part of macOS for a decade and is used to validate that apps are signed and notarized before allowing them to be launched. If an app isn't recognized, Gatekeeper blocks it by default, though this can be overridden by a user that is willing to accept the risk.

With Achilles, however, Microsoft's proof of concept was able to take advantage of how macOS deploys access control lists (ACLs) to completely bypass Gatekeeper. 

Infections with macOS are often the result of users running malicious apps, Microsoft principal security researcher Jonathan Bar Or wrote in the company's report on the bug. He said that Apple has imposed "strong security mechanisms" on macOS to combat the use of disguised malware or legitimate-but-infected apps

Apple does that by assigning a special extended attribute to files that it uses to enforce certain policies, like Gatekeeper quarantines. But in the course of researching recent Gatekeeper bypasses the team noticed two common approaches: misusing extended attributes and finding vulnerabilities in policy check enforcers that quarantine files.

• Apple patches iPhone and macOS flaws under active attack
• Microsoft squashes six security bugs already exploited in the wild
• Microsoft fixes under-attack Windows zero-day Follina
• Patch now: Zoom chat messages can infect PCs, Macs, phones with malware

A closer look at one particular vulnerability reported in 2021 led the researchers to turn to archive files as a method of bypassing Gatekeeper, and they found one in the form of AppleDouble binaries, which save metadata in a separate file.

When AppleDouble files are extracted by macOS, they found, all of the file's extended attributes are also restored. Slip in the right extended attribute by using the xattr command, like a modified ACL, and you have a way to tell Gatekeeper that whatever it's looking at definitely isn't the file it's looking for, Bar Orr said. 

"Our data shows that fake apps remain one of the top entry vectors on macOS, indicating Gatekeeper bypass techniques are an attractive and even a necessary capability for adversaries to leverage in attacks," Bar Or wrote.

Lockdown Mode, schmockdown mode

Apple claimed in July that Lockdown Mode was so secure, and the company so confident in its capabilities, that it was doubling its bug bounty payouts to a max of $2 million for Lockdown Mode compromises. 

Lockdown Mode is described by Apple as for a small number of users whose lives and/or work make them targets for digital threats. The optional mode is designed to fight government-sponsored spyware kits like Pegasus by blocking attachments, disabling some web technologies, blocking FaceTime calls, not allowing wired connections and blocking installation of configuration profiles and MDM software.

Sneaking malicious code in through a compromised binary is, unfortunately, not one of Lockdown Mode's features, though Apple said it plans to add features over time - hopefully a stronger Gatekeeper makes the cut.

Unfortunately for Bar Or and Microsoft, Achilles doesn't qualify for a Lockdown Mode bounty of any size. "Lockdown Mode is not intended to deal with this class of exploits, so it won't stop it," Bar Or told us. ®