Friday, April 26, 2024

Microsoft discloses a gatekeeper bypass vulnerability in Apple macOS systems.


Microsoft has released details of a now-patched security flaw in Apple macOS that an attacker could exploit to circumvent the protections meant to stop malicious apps from running.

The Achilles flaw (CVE-2022-42821, CVSS score: 5.5) was fixed by Apple in macOS Ventura 13, Monterey 12.6.2, and Big Sur 11.7.2. Apple described it as a logic issue that an app could exploit to bypass Gatekeeper checks.

“Gatekeeper bypasses like these might be used as a channel for initial access by malware and other threats, potentially increasing the success rate of destructive campaigns and attacks on macOS,” stated Jonathan Bar Or of the Microsoft 365 Defender Research Team.

The flaw, which Microsoft found in July 2022, is a logic issue that can be exploited to evade Gatekeeper checks, potentially allowing threat actors to run malicious code on vulnerable systems.

“On July 27, 2022, Microsoft uncovered a weakness in macOS that can allow attackers to overcome application execution limits enforced by Apple’s Gatekeeper security mechanism, designed to ensure only trusted apps execute on Mac machines. We created a proof-of-concept exploit called ‘Achilles’ to show the vulnerability,” Microsoft wrote in its blog post.

Threat actors can employ Gatekeeper bypasses to deploy malware on macOS systems, according to Microsoft researchers.

Files downloaded from the internet on macOS are tagged with the com.apple.quarantine extended attribute, which macOS uses to enforce policies such as Gatekeeper’s application execution restrictions and mitigations against sandbox escapes.

Gatekeeper is a security feature that ensures only trusted software runs on the operating system. It relies on the com.apple.quarantine extended attribute attached to files downloaded from the internet, much like the Mark of the Web (MotW) flag on Windows.

When an unwitting user installs a potentially harmful app that impersonates legitimate software, Gatekeeper blocks it from running because it has not been signed by an identified developer and notarized by Apple.

Even when an app passes these checks, users are asked for explicit confirmation the first time it is launched.

Given Gatekeeper’s central role in macOS, bypassing this barrier would effectively let threat actors install malware on affected devices.

Achilles abuses Access Control Lists (ACLs), a permission model macOS supports alongside the traditional Unix permission bits, to attach an extremely restrictive ACL to a downloaded file (“everyone deny write,writeattr,writeextattr,writesecurity,chown”). Because the ACL denies writing extended attributes, Safari can no longer set the quarantine extended attribute on that file.

In a hypothetical attack scenario, an adversary would build a rogue app with this technique, host it on a server, and deliver it to a victim through social engineering, malicious advertising, or a watering-hole attack.

The technique also sidesteps Lockdown Mode, the opt-in restrictive setting Apple introduced in macOS Ventura, because that mode is aimed at zero-click remote code execution exploits and does not address this attack vector; users must apply the updates to be protected.

Microsoft found the ACL-based Gatekeeper bypass while examining the mechanisms Apple has added to extend the traditional Unix permission model.

ACLs provide fine-grained permissions on files and directories, and Microsoft observed that applying a very restrictive ACL to a file can “prohibit Safari (or any other programme) from creating new extended attributes, including the com.apple.quarantine attribute”.

Microsoft’s proof-of-concept (PoC), named Achilles, bypasses Gatekeeper by building a fake app directory structure with an arbitrary icon and payload, together with an AppleDouble file that carries the restrictive ACL. The app and its AppleDouble file are then placed in an archive that can be hosted on the internet; when the archive is downloaded and extracted, the ACL from the AppleDouble file is applied to the app, and the quarantine attribute cannot be written to it.
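As an added example (not Microsoft’s PoC and not code from the original article), the script below shows what a defender can check for given the mechanism described above: it walks a zip archive, parses the AppleDouble sidecar files (the “._name” entries macOS archives use to carry metadata), extracts the com.apple.acl.text extended attribute in which macOS stores an ACL, and flags any ACL that denies writeextattr, since that is what stops the quarantine attribute being written to the unpacked file. The AppleDouble header and the “ATTR” extended-attribute area after the 32-byte Finder Info follow Apple’s copyfile(3) on-disk layout; the ACL text layout (the acl_to_text form), the everyone group’s UUID and gid, and the sample archive are assumptions constructed for this example. It runs with python3 on any OS and needs no macOS.

```python
import io
import struct
import zipfile

ADH_MAGIC, ADH_VERSION = 0x00051607, 0x00020000
ENTRY_FINDERINFO, ENTRY_RESOURCE = 9, 2       # AppleDouble entry IDs
ATTR_MAGIC, FINDERINFO_SIZE = b"ATTR", 32     # macOS xattr area follows Finder Info
ACL_XATTR = "com.apple.acl.text"              # xattr that carries the file's ACL


def _entry_len(namelen):
    # attr_entry_t: 4+4+2+1 header bytes + NUL-terminated name, padded to 4
    return (11 + namelen + 3) & ~3


def build_appledouble(xattrs):
    """Minimal AppleDouble blob carrying xattrs (name -> bytes); sample input only."""
    names = [n.encode() + b"\0" for n in xattrs]
    values = list(xattrs.values())
    finfo_off = 26 + 2 * 12                        # header + two entry slots
    attr_off = finfo_off + FINDERINFO_SIZE + 2     # 'ATTR' header after finfo + pad
    data_start = attr_off + 36 + sum(_entry_len(len(n)) for n in names)
    data_len = sum(len(v) for v in values)
    rsrc_off = data_start + data_len               # empty resource fork comes last
    out = bytearray(struct.pack(">II16xH", ADH_MAGIC, ADH_VERSION, 2))
    out += struct.pack(">III", ENTRY_FINDERINFO, finfo_off, rsrc_off - finfo_off)
    out += struct.pack(">III", ENTRY_RESOURCE, rsrc_off, 0)
    out += b"\0" * (FINDERINFO_SIZE + 2)
    out += struct.pack(">4sIIII12xHH", ATTR_MAGIC, 0, rsrc_off - attr_off,
                       data_start, data_len, 0, len(names))
    off = data_start
    for name, value in zip(names, values):
        ent = struct.pack(">IIHB", off, len(value), 0, len(name)) + name
        out += ent.ljust(_entry_len(len(name)), b"\0")
        off += len(value)
    return bytes(out + b"".join(values))


def parse_appledouble_xattrs(blob):
    """Return {name: value} for the xattrs stored in an AppleDouble blob."""
    magic, version, num_entries = struct.unpack_from(">II16xH", blob, 0)
    if magic != ADH_MAGIC or version != ADH_VERSION:
        raise ValueError("not an AppleDouble v2 file")
    entries = [struct.unpack_from(">III", blob, 26 + 12 * i) for i in range(num_entries)]
    finfo = [(off, ln) for eid, off, ln in entries if eid == ENTRY_FINDERINFO]
    if not finfo:
        return {}
    off, length = finfo[0]
    attr_off = off + FINDERINFO_SIZE + 2
    if length <= FINDERINFO_SIZE + 2 or blob[attr_off:attr_off + 4] != ATTR_MAGIC:
        return {}                                  # plain Finder Info, no xattrs
    _, _, _, data_start, data_len, _, num_attrs = struct.unpack_from(
        ">4sIIII12xHH", blob, attr_off)
    xattrs, pos = {}, attr_off + 36
    for _ in range(num_attrs):
        voff, vlen, _, namelen = struct.unpack_from(">IIHB", blob, pos)
        name = blob[pos + 11:pos + 11 + namelen].rstrip(b"\0").decode()
        # reject values pointing outside the declared data area or the blob
        if voff < data_start or voff + vlen > min(data_start + data_len, len(blob)):
            raise ValueError(f"xattr {name!r} points outside the data area")
        xattrs[name] = blob[voff:voff + vlen]
        pos += _entry_len(namelen)
    return xattrs


def acl_blocks_xattr_writes(acl_text):
    """True if an ACE denies writeextattr (quarantine xattr can't be written).
    Assumes acl_to_text(3) layout: '!#acl 1' header, then one
    'type:uuid:name:id:allow|deny[,flags]:perm,perm,...' line per ACE."""
    for line in acl_text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("!") or len(fields) < 6:
            continue
        if fields[4].split(",")[0] == "deny" and "writeextattr" in fields[-1].split(","):
            return True
    return False


def scan_zip(zip_bytes):
    """Return (member, acl_text) for each '._' sidecar whose ACL blocks xattr writes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.rsplit("/", 1)[-1].startswith("._"):
                continue
            try:
                xattrs = parse_appledouble_xattrs(zf.read(info))
            except (ValueError, struct.error):
                continue                           # not a well-formed AppleDouble file
            acl = xattrs.get(ACL_XATTR, b"").decode("utf-8", "replace")
            if acl and acl_blocks_xattr_writes(acl):
                hits.append((info.filename, acl))
    return hits


# Constructed sample: the article's "everyone deny ..." ACL in acl_to_text form
# (everyone = gid 12 with its well-known UUID); not a captured artefact.
SAMPLE_ACL = ("!#acl 1\n"
              "group:ABCDEFAB-CDEF-ABCD-CDEF-ABCDEFABCDEF:everyone:12:deny:"
              "write,writeattr,writeextattr,writesecurity,chown\n")


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sample.app/Contents/MacOS/Sample", b"#!/bin/sh\necho hi\n")
        zf.writestr("__MACOSX/._Sample.app", build_appledouble({ACL_XATTR: SAMPLE_ACL.encode()}))
        zf.writestr("__MACOSX/._notes.txt",        # benign sidecar: quarantine xattr only
                    build_appledouble({"com.apple.quarantine": b"0083;00000000;Safari;"}))
    return buf.getvalue()


if __name__ == "__main__":
    for member, acl in scan_zip(build_sample_zip()):
        print(f"{member}: ACL denies writeextattr\n{acl}")
```

The scanner deliberately treats a malformed sidecar as “not AppleDouble” rather than crashing, and rejects xattr values whose offsets escape the declared data area, so a crafted sidecar cannot make the parser read arbitrary bytes of the member. On a real macOS host the same condition can be confirmed after extraction with ls -le (the ACL) and xattr -l (the missing com.apple.quarantine attribute).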
