Connect with us

Hi, what are you looking for?



Apple Patches Security Bypass Vulnerability Impacting Macs With M1 Chip

Apple’s latest macOS updates patch three vulnerabilities that can be exploited to bypass security mechanisms, including one that has been exploited in the wild and one that impacts only Macs powered by the M1 chip.

Apple’s latest macOS updates patch three vulnerabilities that can be exploited to bypass security mechanisms, including one that has been exploited in the wild and one that impacts only Macs powered by the M1 chip.

It was reported earlier this week that one of the security holes patched in macOS Big Sur and Catalina (CVE-2021–30657) has been exploited by a piece of malware known as Shlayer to bypass security mechanisms designed by Apple to protect users against malicious files downloaded from the internet, specifically file quarantine, Gatekeeper and notarization.

File quarantine asks the user for confirmation when executing a file downloaded from the internet, Gatekeeper checks code-signing information to ensure an application comes from a trusted developer and it has not been tampered with, and notarization involves automatically scanning software for malicious content before it is allowed to run.

CVE-2021–30657 is related to script-based applications that do not contain an “Info.plist” configuration file being misclassified. The issue was detailed this week by Cedric Owens, the researcher who discovered the bug, Apple security expert Patrick Wardle, who described its root cause and developed a PoC exploit, and Apple device management company Jamf, whose researchers discovered that the Shlayer malware had been exploiting the vulnerability since at least January 2021.

Two other similar vulnerabilities have been patched by Apple with the release of the latest macOS updates: one discovered by Wojciech Reguła of SecuRing (CVE-2021-30658) and one by Rasmus Sten of F-Secure (CVE-2021-1810). However, these do not appear to have been exploited in malicious attacks.

Reguła told SecurityWeek that the vulnerability he found can only be triggered on Macs with the M1 chip. He will likely publish a blog post detailing his findings, but he has shared some high-level information about the flaw, which only impacts macOS Big Sur.

“[The vulnerability] abuses the ‘/System/Library/CoreServices/Applications/iOS App’ system application that will install an iOS App (with .ipa extension) on M1 Macs,” the researcher explained.

Advertisement. Scroll to continue reading.

In a PoC video shared with SecurityWeek, Reguła showed that an attacker needs to trick the targeted user into clicking on a link and installing an application, but no security prompts related to Gatekeeper are displayed before the malicious .ipa application is executed. He said he also leveraged an additional trick to prevent the operating system from assigning it the file quarantine attribute.

Gatekeeper bypass vulnerability

F-Secure published a blog post with a brief explanation of Sten’s findings, but the company is not releasing any technical details just yet to prevent exploitation.

Sten told SecurityWeek that the vulnerability he discovered is similar to the one that has been exploited in the wild — it can bypass all three security features — but it uses different mechanisms to achieve the same goal. This issue affects the Archive Utility component in macOS Big Sur and Catalina.

The flaw involves specially crafted ZIP archive files that the targeted user needs to download, unpack and execute in order to trigger the exploit. This results in the application contained in the ZIP file — it can be a piece of malware — getting executed without any warning to the user.

However, F-Secure noted in its blog post that applications downloaded from the official App Store are not impacted and apps delivered as macOS installer packages cannot exploit the vulnerability as they contain a certificate that is verified outside of Gatekeeper.

“The most likely scenario is a phishing attack or a web server compromise, where an attacker is able to serve a legitimate-looking web page masquerading as a legitimate software vendor,” Sten explained. “This can then be used to trick the user into downloading a malicious app masquerading as a legitimate app. By exploiting CVE-2021-1810 this app would be able to run when the user double-clicks on it despite the fact that it hasn’t been signed or notarised.”

A short video demo of the vulnerability in action was posted by Sten on Twitter.

Related: Researchers Show First Side-Channel Attack Against Apple M1 Chips

Related: Mac Malware ‘XCSSET’ Adapted for Devices With M1 Chips

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.