Microsoft recently found a vulnerability in Gatekeeper, a key component of the macOS security system, that could have allowed malware to infect vulnerable Macs. The “Achilles” vulnerability was found by Microsoft principal security researcher Jonathan Bar Or and is tracked as CVE-2022-42821. According to Bar Or, the flaw could enable malware to bypass Gatekeeper’s security measures on macOS.
Gatekeeper, a security feature first launched in 2012, restricts the use of untrusted software on macOS. Every app downloaded from the web is checked by the feature to confirm that it comes from a known developer and has been “notarized” by Apple, meaning Apple has scanned it and found no malicious content.
Microsoft’s Bar Or explained in a blog post: “Many macOS infections are the result of users running malware, oftentimes inadvertently. Fake app bundles might masquerade themselves as different apps, like Flash Player, or as a legitimate file, such as using a PDF icon and using the app name ‘Resume’. To combat this highly popular infection vector, Apple has imposed strong security mechanisms. When downloading apps from a browser, like Safari, the browser assigns a special extended attribute to the downloaded file. That attribute is named com.apple.quarantine and is later used to enforce policies such as Gatekeeper or certain mitigations that prevent sandbox escapes.”
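Because Gatekeeper only acts on files that carry the com.apple.quarantine attribute, a defender's first check after a bypass like Achilles is whether downloaded files actually have it. The script below is an added example written for this article, not code from Microsoft or Apple; it assumes the attribute value has the commonly observed layout `flags;hex-timestamp;agent;uuid` (not formally documented by Apple) and that the macOS `xattr` tool is on the path.

```python
import subprocess
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

XATTR = "com.apple.quarantine"  # attribute named in the article


def parse_quarantine(value: str) -> dict:
    """Split a quarantine value into its fields.

    Assumed layout (observed in practice, not an Apple-documented format):
    flags in hex; download time as hex seconds since the epoch; the agent
    (browser) that set it; and a UUID, which older values may omit.
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags, stamp, agent = parts[0], parts[1], parts[2]
    uuid = parts[3] if len(parts) > 3 else ""
    return {
        "flags": int(flags, 16),
        "downloaded_at": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc),
        "agent": agent,
        "uuid": uuid,
    }


def read_quarantine(path: Path) -> Optional[str]:
    """Return the raw attribute via the macOS xattr tool, or None if absent."""
    result = subprocess.run(
        ["xattr", "-p", XATTR, str(path)], capture_output=True, text=True
    )
    return result.stdout.strip() if result.returncode == 0 else None


def audit_downloads(folder: Path) -> list:
    """Files in folder with no quarantine attribute: Gatekeeper will not check them."""
    return [p for p in folder.iterdir() if p.is_file() and read_quarantine(p) is None]


if __name__ == "__main__":
    for p in audit_downloads(Path.home() / "Downloads"):
        print("no quarantine attribute:", p)
```

Files created locally never receive the attribute, so treat the audit output as a list to review rather than proof of a bypass.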
By taking advantage of the flaw, an attacker could persuade a user to download and run a malicious file on macOS without triggering Gatekeeper’s security measures. According to Bar Or, Lockdown Mode, an opt-in Apple feature launched earlier this year to help high-risk users fend off some of the more advanced cyberattacks, does not protect against the Achilles vulnerability: Lockdown Mode is designed to stop silent, remotely triggered “zero-click” attacks that need no user interaction, whereas Achilles relies on the user running the file. End users must therefore apply the fix regardless of whether Lockdown Mode is enabled.
Microsoft disclosed the Achilles flaw to Apple in July, but Apple did not accept the report until the vulnerability was fixed last week.