Apple was able to dodge a bullet recently after Microsoft reported a macOS vulnerability identified as CVE-2022-42821, or ‘Achilles.’ This new Achilles’ heel of macOS targets Apple’s Gatekeeper security mechanism, which imposes application execution restrictions so that only trusted apps can run on Mac devices. With Achilles, however, Microsoft explained that the mechanism could be bypassed.
“Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS,” Microsoft Security Threat Intelligence stresses in a recent blog post.
Microsoft expresses its appreciation for Apple’s Gatekeeper security feature but underscores that it is ‘not bulletproof,’ citing the bypass techniques spotted in the past. It also enumerated several Gatekeeper bypass vulnerabilities discovered over the last few years. In this new discovery, Microsoft says the issue starts when an app is downloaded through a browser such as Apple’s Safari, which assigns a special extended attribute (com.apple.quarantine) to the downloaded file. In its proof-of-concept, Microsoft says it created a fake directory structure with an arbitrary icon and payload and applied ACL (Access Control List) permissions that could fool Apple programs and Gatekeeper.
“Those ACLs prohibit Safari (or any other program) from setting new extended attributes, including the com.apple.quarantine attribute,” Microsoft explains.
Because the quarantine attribute is never set, the harmful app inside the archived malicious payload can run freely on the system without Gatekeeper interfering. From there, bad actors can deliver malware that harms the user.
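As an added illustration (not Microsoft’s proof-of-concept and not code from the article), the following Python snippet shows how a defender could triage a downloaded folder on macOS for the two signs described above: ACL entries that deny setting extended attributes (writeextattr), and files lacking the com.apple.quarantine attribute. It parses constructed `ls -le` and `xattr -l` style output; the sample listings and the exact output layout are assumptions.

```python
import re

# Constructed sample of macOS `ls -le` output for a downloaded folder.
# ACL lines (" 0: group:everyone deny ...") follow the file they apply to.
SAMPLE_LS_LE = """\
-rw-r--r--@ 1 user  staff  120 Dec 20 10:00 Installer.app
-rw-r--r--  1 user  staff   64 Dec 20 10:01 README.txt
 0: group:everyone deny writeattr,writeextattr
drwxr-xr-x  3 user  staff   96 Dec 20 10:02 Resources
 0: user:admin allow read
"""
# Constructed sample of `xattr -l` style output: "path: attribute: value".
SAMPLE_XATTR = """\
Installer.app: com.apple.quarantine: 0083;63a1b2c3;Safari;
"""

ACL_RE = re.compile(r"^\s*\d+:\s+(?P<who>\S+)\s+(?P<kind>allow|deny)\s+(?P<perms>\S+)$")

def parse_ls_le(text):
    """Return {filename: [(who, allow|deny, set-of-perms), ...]} from `ls -le` output."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m and current is not None:
            acls[current].append((m['who'], m['kind'], set(m['perms'].split(','))))
            continue
        if line.startswith('total') or not line.strip():
            continue
        current = line.split(None, 8)[-1]   # name is the 9th field (may contain spaces)
        acls.setdefault(current, [])
    return acls

def parse_xattr_dump(text):
    """Return the set of paths whose dump line mentions com.apple.quarantine."""
    return {path.strip() for path, _, rest in
            (ln.partition(':') for ln in text.splitlines())
            if 'com.apple.quarantine' in rest}

def find_suspicious(ls_text, xattr_text):
    """Flag entries with a deny ACL on writeextattr or with no quarantine attribute."""
    quarantined = parse_xattr_dump(xattr_text)
    findings = {}
    for name, entries in parse_ls_le(ls_text).items():
        reasons = []
        if any(k == 'deny' and 'writeextattr' in p for _, k, p in entries):
            reasons.append('deny-writeextattr ACL')
        if name not in quarantined:
            reasons.append('no com.apple.quarantine')
        if reasons:
            findings[name] = reasons
    return findings
```

On a real Mac the two inputs would come from `ls -le` and `xattr -l` run on the downloaded folder; entries with both reasons deserve the closest look.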
Thankfully, Apple was able to address the issue after Microsoft reported it to the company. Microsoft also encourages users to apply the fix immediately, since Apple’s Lockdown Mode will not protect them from Achilles.
“Fixes for the vulnerability, now identified as CVE-2022-42821, were quickly released by Apple to all their OS versions,” Microsoft says. “We note that Apple’s Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles. End-users should apply the fix regardless of their Lockdown Mode status. We thank Apple for the collaboration in addressing this issue.”