Gatekeeper bypass exposes Macs to malware

Microsoft researcher discovered access control list bug.

Microsoft has gone public with an analysis of a macOS Gatekeeper bug it discovered in July, dubbed Achilles, following patch releases by Apple last week.

The bug, CVE-2022-42821, exists in macOS Monterey, Big Sur, and Ventura, and allows an app to bypass Gatekeeper checks.

Gatekeeper checks apps users download from the Internet. If the app is signed by Apple, the user is asked to confirm they wish to launch it; if not, the app is untrusted and execution is refused.

What Microsoft threat researcher Jonathan Bar Or discovered is that an attacker could use macOS access control lists (ACLs) to bypass Gatekeeper.

ACLs give files and directories finer-grained permission management than the permission model macOS inherited from its Unix roots.

Bar Or discovered a logic error in how ACLs are applied to files: a sufficiently restrictive ACL prevents browsers and downloaders from setting the extended attribute (com.apple.quarantine) that tells Gatekeeper a file is untrusted, so the download is never checked.

Bar Or describes the following proof-of-concept for bypassing Gatekeeper:

  • “Create a fake directory structure with an arbitrary icon and payload.
  • Create an AppleDouble file with the com.apple.acl.text extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of “everyone deny write,writeattr,writeextattr,writesecurity,chown”). Perform the correct AppleDouble patching if using ditto to generate the AppleDouble file.
  • Create an archive with the application alongside its AppleDouble file and host it on a web server.”
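The two signals a defender can look for on a downloaded item are exactly the ones the technique above depends on: an ACL entry that denies writeextattr, and the resulting absence of com.apple.quarantine. The following is an added example (not code from the article or from Microsoft's write-up) that parses constructed output in the shape of macOS `ls -le` and `xattr` listings and classifies the item; the output format and the sample bundle path are assumptions.

```python
import re
from dataclasses import dataclass

# Regex for the ACL lines `ls -le` prints beneath a file entry, e.g.
#  0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown
ACL_ENTRY = re.compile(r"^\s*(\d+):\s+(\S+)\s+(allow|deny)\s+(\S+)\s*$")

@dataclass
class AclEntry:
    index: int
    principal: str        # e.g. "group:everyone"
    kind: str             # "allow" or "deny"
    rights: frozenset     # e.g. {"write", "writeextattr", ...}

def parse_ls_le(output: str) -> list[AclEntry]:
    """Extract ACL entries from `ls -le` output (assumed format, see above)."""
    entries = []
    for line in output.splitlines():
        m = ACL_ENTRY.match(line)
        if m:
            entries.append(AclEntry(int(m.group(1)), m.group(2), m.group(3),
                                    frozenset(m.group(4).split(","))))
    return entries

def denies_xattr_write(entries: list[AclEntry]) -> bool:
    """True if any deny entry would stop a browser attaching com.apple.quarantine."""
    return any(e.kind == "deny" and "writeextattr" in e.rights for e in entries)

def assess(ls_le_output: str, xattr_names: list[str]) -> str:
    """Classify a downloaded item by the two signals the Achilles bypass relies on."""
    quarantined = "com.apple.quarantine" in xattr_names
    blocked = denies_xattr_write(parse_ls_le(ls_le_output))
    if blocked and not quarantined:
        return "suspicious"            # ACL blocks quarantine and none was applied
    if blocked:
        return "acl-denies-writeextattr"
    if not quarantined:
        return "unquarantined"
    return "ok"

# Constructed sample: an extracted app whose binary carries the restrictive ACL.
SAMPLE_LS_LE = """\
-rwxr-xr-x+ 1 user  staff  0 Dec 19 12:00 Example.app/Contents/MacOS/Example
 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown
"""

if __name__ == "__main__":
    print(assess(SAMPLE_LS_LE, ["com.apple.FinderInfo"]))
```

On a real machine the two inputs come from `ls -le <path>` and `xattr <path>` on the extracted bundle.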

The fixes are in macOS Big Sur 11.7.2, Monterey 12.6.2, and Ventura 13.
