Apple has patched a serious security bypass vulnerability in macOS that has been exploited in the wild by at least one threat group.
The tech giant on Monday informed customers that it has patched tens of vulnerabilities in macOS Catalina, Mojave and Big Sur. The Big Sur update fixes nearly 60 security holes, including a logic issue tracked as CVE-2021-30657 that, Apple says, can allow a malicious application to bypass Gatekeeper checks.
macOS has three main security mechanisms designed to protect users against malicious files downloaded from the internet: file quarantine, which prompts the user for confirmation before a downloaded file is executed; Gatekeeper, which checks code-signing information to ensure an application comes from a trusted developer and that it has not been tampered with; and notarization, which involves automatically scanning software for malicious content before it is allowed to run.
The vulnerability tracked as CVE-2021-30657 can be exploited to bypass file quarantine, Gatekeeper and notarization using specially crafted applications. Specifically, a script-based application that does not contain an “Info.plist” configuration file is misclassified by Apple’s security mechanisms and is allowed to run without prompting the user.
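For defenders who want to audit a Mac for bundles of the shape described above, the following added example (not code from the article, Owens or Wardle) walks a directory tree and flags any `.app` whose main executable is an interpreted script (shebang, not Mach-O) and which has no `Contents/Info.plist`. The fixture bundles it builds in a temporary directory are constructed for the demonstration and contain only a harmless `echo`.

```python
import os
import tempfile
from pathlib import Path

def is_script(path: Path) -> bool:
    """A leading shebang marks an interpreted script rather than a Mach-O binary."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"#!"
    except OSError:
        return False

def audit_bundle(app: Path) -> dict:
    """Collect the two properties the misclassification hinges on: script executable, no Info.plist."""
    macos_dir = app / "Contents" / "MacOS"
    exes = [p for p in macos_dir.iterdir() if p.is_file()] if macos_dir.is_dir() else []
    has_plist = (app / "Contents" / "Info.plist").is_file()
    scripts = sorted(p.name for p in exes if is_script(p))
    return {"bundle": app.name, "has_info_plist": has_plist,
            "script_executables": scripts, "suspicious": bool(scripts) and not has_plist}

def find_suspicious_bundles(root: Path) -> list:
    """Walk a directory tree and return audits of bundles matching the suspicious shape."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                found.append(audit_bundle(Path(dirpath) / d))
                dirnames.remove(d)  # do not descend into the bundle itself
    return [r for r in found if r["suspicious"]]

def make_fixture(root: Path, name: str, with_plist: bool) -> Path:
    """Constructed test fixture: a minimal script-based bundle whose script only echoes."""
    app = root / f"{name}.app"
    macos = app / "Contents" / "MacOS"
    macos.mkdir(parents=True)
    (macos / name).write_bytes(b"#!/bin/sh\necho fixture\n")
    if with_plist:
        (app / "Contents" / "Info.plist").write_text('<plist version="1.0"><dict/></plist>\n')
    return app

def demo() -> list:
    """Build one well-formed and one Info.plist-less bundle; return the names that get flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_fixture(root, "WithPlist", with_plist=True)
        make_fixture(root, "NoPlist", with_plist=False)
        return [r["bundle"] for r in find_suspicious_bundles(root)]  # ['NoPlist.app']
```

To audit a real machine, call `find_suspicious_bundles(Path("/Applications"))` or point it at `~/Downloads`; a hit is a lead for investigation, not proof of malice, since tools such as appify legitimately produce this layout.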
Apple has credited “an anonymous researcher” for reporting the bug, but the issue was apparently reported to the tech giant by researcher Cedric Owens on March 25. Owens on Monday published a blog post detailing his findings. He also pointed out that an open source application named appify, which allows users to create “the simplest possible Mac app from a shell script,” has been generating apps that unintentionally exploit the vulnerability.
Patrick Wardle, a researcher who specializes in the security of Apple products, published a lengthy blog post on Monday to describe the vulnerability and its root cause in detail. Wardle has created a proof-of-concept (PoC) exploit that is disguised as a harmless PDF document and which executes an application on the compromised device when opened, without the user seeing any warnings.
The researcher said the vulnerability was apparently introduced in macOS 10.15 and older versions of the operating system do not seem to be affected. Apple has patched the issue in macOS Big Sur and Catalina.
“Though this bug is now patched, it clearly (yet again) illustrates that macOS is not impervious to incredibly shallow, yet hugely impactful flaws. How shallow? Well, the fact that a legitimate developer tool (appify) would inadvertently trigger the bug is beyond laughable (and sad),” Wardle said.
Wardle has asked Apple device management company Jamf — Jamf in 2019 acquired a Mac endpoint security company founded by Wardle — to look for threats that may have abused this weakness in the wild. Sure enough, Jamf researchers discovered that a variant of the Shlayer malware, which drops adware on infected devices, had been leveraging the vulnerability since at least January 9, 2021, to bypass file quarantine, notarization and Gatekeeper.
In the attacks observed by Jamf, hackers had used poisoned search engine results to deliver the malware. The developers of Shlayer have been known to come up with clever ways to bypass Apple security mechanisms. Last year, they were spotted delivering notarized exploits.
*updated to add that macOS Catalina is also affected by CVE-2021-30657