Apple issues patch for macOS security bypass vulnerability
The Achilles vulnerability enabled malware to slip past Apple’s Gatekeeper security checks
Apple has fixed a vulnerability in macOS that could have allowed attackers to bypass application restrictions on the tech giant’s Gatekeeper mechanism.
The vulnerability, tracked as CVE-2022-42821 and dubbed ‘Achilles’, was first uncovered by researchers at Microsoft and shared with Apple through the Coordinated Vulnerability Disclosure (CVD) system.
Microsoft said the Achilles flaw could have enabled hackers to gain access to operating systems and download or deploy malware on Mac devices.
Apple confirmed it patched the bug on 13 December in its raft of security updates for macOS 13, macOS 12.6.2 and macOS 11.7.2.
Achilles targeted Apple’s Gatekeeper, the macOS security mechanism responsible for checking downloaded apps to ensure they are legitimate; Gatekeeper works by requiring the user to confirm or authorise the launch of any app the mechanism has flagged.
Apple’s Gatekeeper system operates in a similar fashion to Microsoft’s own Mark of the Web (MOTW) protocols.
“When downloading apps from a browser, like Safari, the browser assigns a special extended attribute to the downloaded file,” researchers explained.
“That attribute is named com.apple.quarantine and is later used to enforce policies such as Gatekeeper or certain mitigations that prevent sandbox escapes.”
Microsoft said the Achilles flaw would allow attackers to use specially crafted payloads to abuse Access Control Lists (ACLs), a mechanism in macOS that offers additional protection on top of the standard permission model.
If exploited, the flaw meant that a malicious app downloaded by a user would launch on their system instead of being blocked by Gatekeeper.
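Because Gatekeeper's decision hinges on the com.apple.quarantine attribute described above, a useful defender check is to audit a download directory for files that lack it or carry an unexpected value. The script below is an added example written for this article, not code from Apple or Microsoft. It assumes the attribute value layout `flags;hex_timestamp;agent;uuid` and shells out to the macOS `xattr -p` command to read it; the sample value in the docstring is constructed.

```python
"""Audit a download directory for the com.apple.quarantine extended attribute.

Added example (not from the article, Apple or Microsoft). Assumptions:
the attribute value is laid out as ``flags;hex_timestamp;agent;uuid``
(e.g. the constructed value "0083;63a0f7c4;Safari;<uuid>"), and the
macOS ``xattr -p`` command is used to read it.
"""
import os
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int              # hex flag word set by the downloading agent
    downloaded_at: datetime  # hex seconds since the Unix epoch, kept in UTC
    agent: str              # application that wrote the attribute, e.g. Safari
    uuid: str               # identifier used by LaunchServices' quarantine database


def parse_quarantine(value: str) -> Quarantine:
    """Split the raw attribute value into its semicolon-separated fields."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2]
    uuid = parts[3] if len(parts) > 3 else ""
    return Quarantine(flags, downloaded_at, agent, uuid)


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute value, or None when it is absent.

    Uses the macOS xattr command; on systems without it the file is
    reported as having no attribute.
    """
    try:
        res = subprocess.run(
            ["xattr", "-p", QUARANTINE_XATTR, path],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None
    if res.returncode != 0:
        return None
    return res.stdout.strip()


def classify(raw: Optional[str]) -> str:
    """Label one downloaded item; a missing attribute is what a bypass
    like the one described above produces, so it is flagged for review."""
    if raw is None:
        return "MISSING"
    q = parse_quarantine(raw)
    return (f"quarantined by {q.agent} at "
            f"{q.downloaded_at:%Y-%m-%d %H:%M}Z flags=0x{q.flags:04x}")


def audit(directory: str) -> Dict[str, str]:
    """Map every entry in the directory to its quarantine verdict."""
    results: Dict[str, str] = {}
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        results[entry] = classify(read_quarantine(path))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    for name, verdict in audit(target).items():
        print(f"{verdict:60} {name}")
```

Run it against a download folder on a Mac; entries reported as MISSING were either not written by a quarantine-aware application or had the attribute stripped, and deserve a closer look before they are opened.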
Apple introduced Lockdown Mode in macOS Ventura to mitigate the risk of zero-click remote code execution (RCE) exploits. However, researchers noted that this optional feature for high-risk users would not defend against Achilles.
“End-users should apply the fix regardless of their Lockdown Mode status,” said Jonathan Bar Or of the Microsoft 365 Defender Research Team.
Bar Or said that while Gatekeeper is “essential” in spotting malware on macOS, there have been several historic examples of flaws which enabled attackers to bypass the system.
“Gatekeeper is not bulletproof,” he said. “Gaining the ability to bypass Gatekeeper has dire implications as sometimes malware authors leverage those techniques for initial access.”
Security researchers at Microsoft previously uncovered the Shrootless flaw in 2021, which enabled hackers to bypass the System Integrity Protection (SIP) feature and execute malicious code.
Similarly, in April 2021 Apple issued a fix for a critical zero-day vulnerability in macOS which allowed the group behind the Shlayer malware to bypass Apple Gatekeeper, File Quarantine, and Notarisation protocols.
Apple introduced its Notarisation process in February 2020 to counter growing threats to macOS. However, experimentation by a university student revealed that the Shlayer adware slipped past the protocol.
Bar Or noted that the research highlights the critical role that collaborative research plays in bolstering protection capabilities across platforms and the broader industry landscape.
“As environments continue to rely on a diverse range of devices and operating systems, organisations need security solutions that can provide protection across platforms and a complete picture of their security posture,” he said.
“This case also emphasised the need for responsible vulnerability disclosures and expert, cross-platform collaboration to effectively mitigate issues, protecting users against present and future threats.”