
Mac Gatekeeper bypass vulnerability fixed by Apple after discovery by Microsoft researchers

A serious Mac Gatekeeper bypass vulnerability has been fixed by Apple, after it was discovered and reported by security researchers at Microsoft.

The flaw allowed malware to bypass Gatekeeper checks. Notably, the vulnerability even affected Macs running in ultra-safe Lockdown Mode …

Gatekeeper

Gatekeeper is a security feature built into macOS. When you attempt to run a new Mac app for the first time, Gatekeeper checks to see whether it has been notarized by Apple as coming from a recognized developer.

There are three user-selectable Gatekeeper settings:

  • Allow only those apps downloaded from the Mac App Store
  • Also allow those signed by certified Apple developers
  • Allow all apps

(Current and recent versions of macOS hide the third option, ensuring it cannot be selected inadvertently.)

When a new app is downloaded from the web, an attribute called com.apple.quarantine is assigned to the file, which is the signal for Gatekeeper to check it on opening.

Mac Gatekeeper bypass vulnerability

Bleeping Computer reports that a macOS flaw allowed an attacker to prevent the com.apple.quarantine attribute from being assigned to the file, meaning that it wouldn’t trigger the Gatekeeper check when opened.

The Achilles flaw allows specially-crafted payloads to abuse a logic issue to set restrictive Access Control List (ACL) permissions that block web browsers and Internet downloaders from setting the com.apple.quarantine attribute for downloaded payloads archived as ZIP files.

As a result, the malicious app contained within the archived malicious payload launches on the target’s system instead of getting blocked by Gatekeeper, allowing attackers to download and deploy malware.
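A defender-side check for the condition described above, added here as an illustration rather than code from the article, Microsoft or Bleeping Computer: it parses the ACL lines that macOS `ls -le` prints and the attribute list from `xattr -l`, flags any entry that denies the writeattr/writeextattr rights a browser needs in order to quarantine a file, and reports whether com.apple.quarantine is actually present. The sample outputs are constructed, and the exact ACL line layout is assumed from the standard macOS format.

```python
import re
import subprocess
import sys

# Constructed sample output, in the shape macOS `ls -le` and `xattr -l` print
# (not captured from a real incident).
SAMPLE_LS_LE = """\
-rw-r--r--+ 1 user  staff  1234 Dec 19 10:00 payload
 0: group:everyone deny writeattr,writeextattr
"""
SAMPLE_XATTR = ""  # no com.apple.quarantine line at all

# ACL rights whose denial stops a downloader from writing the quarantine xattr.
XATTR_WRITE_RIGHTS = {"writeattr", "writeextattr"}
# " 0: group:everyone deny writeattr,writeextattr"  (index: principal effect rights)
ACL_LINE = re.compile(r"^\s*\d+:\s+(?:user|group):(\S+)\s+(allow|deny)\s+(\S+)\s*$")


def denied_xattr_writes(ls_le_output: str) -> list:
    """Return (principal, rights) for every ACL entry that denies xattr writes."""
    hits = []
    for line in ls_le_output.splitlines():
        m = ACL_LINE.match(line)
        if not m:
            continue  # the file's own `ls -l` line, or a non-ACL line
        principal, effect, rights = m.groups()
        blocked = XATTR_WRITE_RIGHTS & set(rights.split(","))
        if effect == "deny" and blocked:
            hits.append((principal, sorted(blocked)))
    return hits


def has_quarantine_flag(xattr_output: str) -> bool:
    """True if `xattr -l` output lists com.apple.quarantine (value is 'flags;time;agent;uuid')."""
    return any(line.startswith("com.apple.quarantine:") for line in xattr_output.splitlines())


def audit(ls_le_output: str, xattr_output: str) -> str:
    """Classify a downloaded file as 'ok', 'unquarantined' or 'acl-blocked'."""
    if denied_xattr_writes(ls_le_output):
        return "acl-blocked"  # Gatekeeper could never have been told to check it
    return "ok" if has_quarantine_flag(xattr_output) else "unquarantined"


def audit_path(path: str) -> str:
    """Run the real commands on a macOS host and classify the file at `path`."""
    ls = subprocess.run(["ls", "-le", path], capture_output=True, text=True).stdout
    xa = subprocess.run(["xattr", "-l", path], capture_output=True, text=True).stdout
    return audit(ls, xa)


if __name__ == "__main__":
    print(audit_path(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_LS_LE, SAMPLE_XATTR))
```

Run it with a path argument on a Mac to audit a freshly extracted archive; with no argument it classifies the constructed sample, which reports "acl-blocked".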

Notably, Lockdown Mode did not protect against the vulnerability.

Microsoft said on Monday that “Apple’s Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles.”

As ever, it’s recommended to keep your Mac and other Apple devices fully updated. If you don’t want to update to Ventura, Apple offers the option to update to the latest (and most secure) version of earlier macOSes.

Apple is currently testing a new Rapid Security Response feature for both Mac and iOS devices, which will allow it to quickly patch security vulnerabilities like this without the need for a full OS update.

Photo: Ján Vlačuha/Unsplash


Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
