Apple Patches macOS Security Bypass Vulnerability Exploited by ‘Shlayer’ Malware

Apple has patched a serious security bypass vulnerability in macOS that has been exploited in the wild by at least one threat group.

The tech giant on Monday informed customers that it has patched dozens of vulnerabilities in macOS Catalina, Mojave and Big Sur. The Big Sur update fixes nearly 60 security holes, including a logic issue tracked as CVE-2021-30657 that, Apple says, can allow a malicious application to bypass Gatekeeper checks.

macOS has three main security mechanisms designed to protect users against malicious files downloaded from the internet: file quarantine, which prompts the user and asks for confirmation when executing a downloaded file; Gatekeeper, which checks code-signing information to ensure an application comes from a trusted developer and that it has not been tampered with; and notarization, which involves automatically scanning software for malicious content before it is allowed to run.

The vulnerability tracked as CVE-2021-30657 can be exploited to bypass file quarantine, Gatekeeper and notarization using specially crafted applications. Specifically, a script-based application that does not contain an “Info.plist” configuration file is misclassified by Apple’s security mechanisms and is allowed to run without prompting the user.
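A defender-side check for the bundle shape described above, added here as an example and not taken from Apple, Jamf or any of the researchers' tooling: it walks a directory tree for .app bundles and reports any that have no Contents/Info.plist, which is the trait that caused the misclassification. The fixture builder constructs a sample well-formed bundle and a sample script-only bundle in a temporary directory so the check can be run offline; the function and fixture names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the projects it mentions).
# Lists every .app bundle under the directory given as $1 that has no
# Contents/Info.plist, i.e. the script-only bundle shape that macOS
# misclassified before the CVE-2021-30657 fix. Intended for hunting in
# locations such as ~/Downloads or /Applications on a macOS host.
list_plistless_apps() {
  find "$1" -type d -name '*.app' -print | while IFS= read -r app; do
    [ -f "$app/Contents/Info.plist" ] || printf '%s\n' "$app"
  done
}

# Builds a constructed fixture (assumed names) in a temp directory:
#   Good.app  - has Contents/Info.plist and a launcher script
#   Bare.app  - launcher script only, no Info.plist (the suspicious shape)
# Prints the fixture root so callers can pass it to list_plistless_apps.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/Good.app/Contents/MacOS" "$dir/Bare.app/Contents/MacOS"
  printf '<?xml version="1.0"?><plist version="1.0"><dict/></plist>\n' \
    > "$dir/Good.app/Contents/Info.plist"
  printf '#!/bin/sh\necho hello\n' > "$dir/Good.app/Contents/MacOS/Good"
  printf '#!/bin/sh\necho hello\n' > "$dir/Bare.app/Contents/MacOS/Bare"
  printf '%s\n' "$dir"
}
```

Source the script and call `list_plistless_apps ~/Downloads` to scan a real directory; a bundle it reports is worth inspecting (for example, whether it also carries the com.apple.quarantine attribute) rather than launching.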

Apple has credited “an anonymous researcher” for reporting the bug, but the issue was apparently reported to the tech giant by researcher Cedric Owens on March 25. Owens on Monday published a blog post detailing his findings. He also pointed out that an open source application named appify, which allows users to create “the simplest possible Mac app from a shell script,” has been generating apps that unintentionally exploit the vulnerability.

Patrick Wardle, a researcher who specializes in the security of Apple products, published a lengthy blog post on Monday to describe the vulnerability and its root cause in detail. Wardle has created a proof-of-concept (PoC) exploit that is disguised as a harmless PDF document and which executes an application on the compromised device when opened, without the user seeing any warnings.

The researcher said the vulnerability was apparently introduced in macOS 10.15 and older versions of the operating system do not seem to be affected. Apple has patched the issue in macOS Big Sur and Catalina.

“Though this bug is now patched, it clearly (yet again) illustrates that macOS is not impervious to incredibly shallow, yet hugely impactful flaws. How shallow? Well, the fact that a legitimate developer tool (appify) would inadvertently trigger the bug is beyond laughable (and sad),” Wardle said.

Wardle has asked Apple device management company Jamf — Jamf in 2019 acquired a Mac endpoint security company founded by Wardle — to look for threats that may have abused this weakness in the wild. Sure enough, Jamf researchers discovered that a variant of the Shlayer malware, which drops adware on infected devices, had been leveraging the vulnerability since at least January 9, 2021, to bypass the file quarantine, notarization and Gatekeeper.

In the attacks observed by Jamf, hackers had used poisoned search engine results to deliver the malware. The developers of Shlayer have been known to come up with clever ways to bypass Apple security mechanisms. Last year, they were spotted delivering notarized exploits.

Apple on Monday also released an iOS update to patch 50 vulnerabilities, as well as security updates for Safari, Xcode and iCloud for Windows.

*Updated to add that macOS Catalina is also affected by CVE-2021-30657.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.