MacOS Gatekeeper Bypass Known as Achilles: Microsoft Warns



A Gatekeeper bypass vulnerability in macOS can allow attackers to install malicious programs on a target Mac, and Apple's Lockdown Mode offers no protection against it, whether or not the user has enabled it.

Microsoft has dubbed the bug (CVE-2022-42821) "Achilles." Beyond describing it, Microsoft's researchers built a working exploit that abuses the Access Control List (ACL) feature of the macOS file system, which lets access to a file be governed by fine-grained, per-principal permissions.

Gatekeeper vets applications, which makes it a popular target

Apple Gatekeeper is a security technology Apple created to ensure that only "trusted apps" run on Macs: software signed with a valid Developer ID certificate and notarized by Apple. When Gatekeeper cannot validate an app, it shows the user a blocking pop-up explaining that the app cannot be opened because its safety could not be verified.

This makes users less likely to be compromised by malicious sideloaded applications, for example ones downloaded, perhaps inadvertently, from pirate sites or third-party app stores.

Microsoft's researchers noted, however, that attackers have spent considerable effort looking for ways around the feature, as shown by previously reported bypasses such as CVE-2022-22616, CVE-2022-32910, CVE-2021-1810, CVE-2021-30657, CVE-2021-30853, CVE-2019-8656 and CVE-2014-8826.

Gatekeeper bypasses such as these are often used by malware and other threats as a vector for initial access to macOS systems, which raises the success rate of malicious campaigns. Microsoft's data shows that fake apps remain one of the top entry vectors on macOS, so Gatekeeper bypass techniques are an attractive, even necessary, capability for attackers.

The discovery of a new Gatekeeper bypass

Microsoft's team started from the details of CVE-2021-1810 and built a new bypass. The key step was attaching restrictive permission rules (via the ACL mechanism) to the malicious files.

Apple's protection rests on a quarantine mechanism for downloaded files. According to Microsoft's advisory, when a file is downloaded with a browser such as Safari, the browser assigns it a special extended attribute named com.apple.quarantine, which is later used to enforce policies such as Gatekeeper.

The macOS file system also supports another special extended attribute, com.apple.acl.text, which carries an arbitrary access control list for the file.

As the Microsoft researchers explain, each ACL consists of a number of Access Control Entries (ACEs) that spell out what each principal may and may not do with the file, much as firewall rule sets do for addresses. Microsoft's approach was to attach very restrictive ACLs to the downloaded files. These ACLs prohibit Safari (and any other program) from setting new extended attributes on them, including com.apple.quarantine.

Without the quarantine attribute, Gatekeeper is never told that the file needs to be checked, so the security mechanism is skipped entirely.
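How a triage tool could spot the pattern just described, as an added example that is not part of Microsoft's write-up or of Apple's tooling: it parses the com.apple.quarantine value (the text printed by `xattr -p com.apple.quarantine FILE`) and the ACEs listed by `ls -le FILE`, and flags a file that has no quarantine attribute but does carry a `deny writeextattr` entry, which is exactly the state the Achilles ACL leaves behind. The sample attribute value, file names and ACL are constructed; the `parse_quarantine`, `parse_ls_le`, `xattr_write_deniers` and `triage` names are mine.

```python
"""Offline triage for the Achilles pattern (added example, not Microsoft's PoC).

Inputs mirror what macOS prints for `xattr -p com.apple.quarantine FILE`
and `ls -le FILE`; the samples at the bottom are constructed, not captured.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Quarantine:
    flags: int                # hex flag word; semantics vary by release, kept raw
    downloaded_at: datetime   # second field: hex seconds since the Unix epoch
    agent: str                # program that wrote the tag, e.g. "Safari"
    uuid: Optional[str]       # LaunchServices event id, may be absent


@dataclass(frozen=True)
class ACE:
    index: int                # position shown by `ls -le`, usable with `chmod -a# N`
    principal: str            # "group:everyone", "user:alice", ...
    kind: str                 # "allow" or "deny"
    rights: frozenset         # e.g. {"writeextattr", "writesecurity"}


def parse_quarantine(value: str) -> Quarantine:
    """Parse 'flags;hex-epoch;agent[;uuid]' from com.apple.quarantine."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed com.apple.quarantine value: {value!r}")
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return Quarantine(
        flags=int(parts[0], 16),
        downloaded_at=datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        agent=parts[2],
        uuid=uuid,
    )


# `ls -le` prints one ACE per line:  " 0: group:everyone deny writeextattr,writesecurity"
_ACE_RE = re.compile(r"^\s*(\d+):\s+((?:user|group):\S+)\s+(allow|deny)\s+(\S+)\s*$")


def parse_ls_le(output: str) -> List[ACE]:
    """Extract the ACEs from `ls -le` output; the file line itself is ignored."""
    aces = []
    for line in output.splitlines():
        m = _ACE_RE.match(line)
        if m:
            idx, principal, kind, rights = m.groups()
            aces.append(ACE(int(idx), principal, kind, frozenset(rights.split(","))))
    return aces


def xattr_write_deniers(aces: List[ACE]) -> List[ACE]:
    """ACEs that deny writeextattr: while they are present no program, Safari
    included, can add com.apple.quarantine to the file."""
    return [a for a in aces if a.kind == "deny" and "writeextattr" in a.rights]


def triage(quarantine_value: Optional[str], ls_le_output: str) -> Dict[str, object]:
    """Classify one downloaded file from its quarantine tag and its ACL."""
    aces = parse_ls_le(ls_le_output)
    deniers = xattr_write_deniers(aces)
    qtn = parse_quarantine(quarantine_value) if quarantine_value else None
    if qtn is not None:
        verdict = "quarantined"        # Gatekeeper will assess it on first launch
    elif deniers:
        verdict = "achilles-pattern"   # no tag, and the ACL is what prevented it
    else:
        verdict = "unquarantined"      # no tag for some other reason (curl, scp, ...)
    # Remove offending entries highest index first so earlier indices stay valid.
    to_remove = sorted(deniers, key=lambda a: a.index, reverse=True)
    return {
        "verdict": verdict,
        "agent": qtn.agent if qtn else None,
        "denying_aces": [a.index for a in deniers],
        "remediation": [f"chmod -a# {a.index} FILE" for a in to_remove],
    }


# Constructed samples (not from a real incident).
SAFARI_QUARANTINE = "0083;63a0c8b2;Safari;D3B14C6E-5F0A-4B1E-9C2D-7A8E1F0B2C3D"
CLEAN_LS_LE = "-rw-r--r--  1 alice  staff  1337 19 Dec 20:25 installer.dmg\n"
ACHILLES_LS_LE = (
    "-rw-r--r--+ 1 alice  staff  1337 19 Dec 20:25 installer.dmg\n"
    " 0: group:everyone deny writeextattr,writesecurity\n"
)

if __name__ == "__main__":
    print(triage(SAFARI_QUARANTINE, CLEAN_LS_LE))   # ordinary Safari download
    print(triage(None, ACHILLES_LS_LE))             # Achilles-style file
```

On macOS the two inputs come from `xattr -p com.apple.quarantine FILE` (which exits non-zero when the attribute is absent, the `None` case above) and `ls -le FILE`. Once the denying ACE has been removed with `chmod -a# N`, the file can be tagged again and `spctl --assess --type execute FILE` shows whether Gatekeeper would allow it.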

Microsoft's researchers also found that Apple's Lockdown Mode, which Apple announced in July 2022 to protect high-risk users from state-sponsored spyware, does not stop the Achilles attack.

"We note that Apple’s Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed at stopping zero-click remote code execution exploits, and therefore does not defend against Achilles," according to Microsoft. 

Microsoft reported the issue to Apple in July 2022, and Apple fixed it in the macOS updates of December 2022 (Ventura 13.1, Monterey 12.6.2 and Big Sur 11.7.2). For maximum protection, Macs should be updated as soon as possible.