
Apple issues patch for macOS security bypass vulnerability

The Achilles vulnerability enabled malware to slip past Apple’s Gatekeeper security checks

Apple has fixed a vulnerability in macOS that could have allowed attackers to bypass application restrictions on the tech giant’s Gatekeeper mechanism.  

The vulnerability, tracked as CVE-2022-42821 and dubbed ‘Achilles’, was first uncovered by researchers at Microsoft and shared with Apple through the Coordinated Vulnerability Disclosure (CVD) system.

Microsoft said the Achilles flaw could have enabled hackers to gain access to operating systems and download or deploy malware on Mac devices.  

Apple confirmed it patched the bug on 13 December in its raft of security updates for macOS 13, macOS 12.6.2 and macOS 1.7.2. 

Achilles targeted Apple’s Gatekeeper, the macOS security mechanism that checks downloaded apps to ensure they are legitimate and requires the user to confirm or authorise launching any app the mechanism has flagged.

Apple’s Gatekeeper system operates in a similar fashion to Microsoft’s own Mark of the Web (MOTW) protocols.  

“When downloading apps from a browser, like Safari, the browser assigns a special extended attribute to the downloaded file,” researchers explained.  

“That attribute is named com.apple.quarantine and is later used to enforce policies such as Gatekeeper or certain mitigations that prevent sandbox escapes.” 
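The quarantine attribute described above can be read and decoded on a Mac to check whether a downloaded file will actually be evaluated by Gatekeeper. The following is an added example, not code from the article, Microsoft or Apple; it assumes the commonly observed `flags;timestamp;agent;uuid` layout of the attribute value, uses the stock `xattr` tool to fetch it, and the sample value is constructed.

```python
"""Decode the com.apple.quarantine extended attribute that Gatekeeper relies on.

Added example (not from the article or from Apple). The value layout assumed here,
"flags;timestamp;agent;uuid", is the format observed on macOS; Apple does not publish
the meaning of the flag bits, so they are reported raw.
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed sample value in the observed format (not taken from a real download).
SAMPLE_VALUE = "0083;63a0f2b1;Safari;12345678-ABCD-EF01-2345-6789ABCDEF01"


@dataclass
class QuarantineInfo:
    flags: int                  # raw flag bits, hex in the attribute
    downloaded_at: datetime     # hex seconds since the Unix epoch
    agent: str                  # application that set the attribute, e.g. Safari
    event_uuid: Optional[str]   # key into the LaunchServices quarantine event DB


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse a raw attribute value such as '0083;63a0f2b1;Safari;<uuid>'."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineInfo(flags, downloaded_at, parts[2], uuid)


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Return the parsed attribute for a file on macOS, or None when it is absent.

    Assumption: `xattr -p` exits non-zero when the attribute does not exist.
    A downloaded file with no quarantine attribute is not checked by Gatekeeper.
    """
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return parse_quarantine(proc.stdout)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        info = read_quarantine(p)
        print(p, "NOT quarantined: Gatekeeper will not evaluate it" if info is None else info)
```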

Microsoft said the Achilles flaw would allow attackers to leverage targeted payloads to abuse Access Control Lists (ACLs) - a mechanism in macOS that offers additional protection to the standard permission model.  

If exploited, the flaw meant that a malicious app downloaded by a user would launch on their system instead of being blocked by Gatekeeper.  

Apple introduced Lockdown Mode in macOS Ventura to mitigate the risk of zero-click remote code execution (RCE) exploits. However, researchers noted that this optional feature for high-risk users would not defend against Achilles.  

“End-users should apply the fix regardless of their Lockdown Mode status,” said Jonathan Bar Or of the Microsoft 365 Defender Researcher Team.  

Gatekeeper vulnerabilities 

Bar Or said that while Gatekeeper is “essential” in spotting malware on macOS, there have been several historic examples of flaws which enabled attackers to bypass the system.  

“Gatekeeper is not bulletproof,” he said. “Gaining the ability to bypass Gatekeeper has dire implications as sometimes malware authors leverage those techniques for initial access.” 

Security researchers at Microsoft previously uncovered the Shrootless flaw in 2021, which enabled hackers to bypass the System Integrity Protection (SIP) feature and execute malicious code.  

Similarly, in April 2021 Apple issued a fix for a critical zero-day vulnerability in macOS which allowed the group behind the Shlayer malware to bypass Apple Gatekeeper, File Quarantine, and Notarisation protocols. 

Apple introduced its Notarisation process in February 2020 to counter growing threats to macOS. However, experimentation by a university student revealed that the Shlayer adware slipped past the protocol.  

Bar Or noted that the research highlights the critical role that collaborative research plays in bolstering protection capabilities across platforms and the broader industry landscape.  

“As environments continue to rely on a diverse range of devices and operating systems, organisations need security solutions that can provide protection across platforms and a complete picture of their security posture,” he said.  

“This case also emphasised the need for responsible vulnerability disclosures and expert, cross-platform collaboration to effectively mitigate issues, protecting users against present and future threats.” 
