Apple’s latest macOS updates patch three vulnerabilities that can be exploited to bypass security mechanisms, including one that has been exploited in the wild and one that impacts only Macs powered by the M1 chip.
It was reported earlier this week that one of the security holes patched in macOS Big Sur and Catalina (CVE-2021–30657) has been exploited by a piece of malware known as Shlayer to bypass security mechanisms designed by Apple to protect users against malicious files downloaded from the internet, specifically file quarantine, Gatekeeper and notarization.
File quarantine asks the user for confirmation when executing a file downloaded from the internet, Gatekeeper checks code-signing information to ensure an application comes from a trusted developer and it has not been tampered with, and notarization involves automatically scanning software for malicious content before it is allowed to run.
CVE-2021–30657 is related to script-based applications that do not contain an “Info.plist” configuration file being misclassified. The issue was detailed this week by Cedric Owens, the researcher who discovered the bug, Apple security expert Patrick Wardle, who described its root cause and developed a PoC exploit, and Apple device management company Jamf, whose researchers discovered that the Shlayer malware had been exploiting the vulnerability since at least January 2021.
Two other similar vulnerabilities have been patched by Apple with the release of the latest macOS updates: one discovered by Wojciech Reguła of SecuRing (CVE-2021-30658) and one by Rasmus Sten of F-Secure (CVE-2021-1810). However, these do not appear to have been exploited in malicious attacks.
Reguła told SecurityWeek that the vulnerability he found can only be triggered on Macs with the M1 chip. He will likely publish a blog post detailing his findings, but he has shared some high-level information about the flaw, which only impacts macOS Big Sur.
“[The vulnerability] abuses the ‘/System/Library/CoreServices/Applications/iOS App Installer.app’ system application that will install an iOS App (with .ipa extension) on M1 Macs,” the researcher explained.
In a PoC video shared with SecurityWeek, Reguła showed that an attacker needs to trick the targeted user into clicking on a link and installing an application, but no security prompts related to Gatekeeper are displayed before the malicious .ipa application is executed. He said he also leveraged an additional trick to prevent the operating system from assigning it the file quarantine attribute.
F-Secure published a blog post with a brief explanation of Sten’s findings, but the company is not releasing any technical details just yet to prevent exploitation.
Sten told SecurityWeek that the vulnerability he discovered is similar to the one that has been exploited in the wild — it can bypass all three security features — but it uses different mechanisms to achieve the same goal. This issue affects the Archive Utility component in macOS Big Sur and Catalina.
The flaw involves specially crafted ZIP archive files that the targeted user needs to download, unpack and execute in order to trigger the exploit. This results in the application contained in the ZIP file — it can be a piece of malware — getting executed without any warning to the user.
However, F-Secure noted in its blog post that applications downloaded from the official App Store are not impacted and apps delivered as macOS installer packages cannot exploit the vulnerability as they contain a certificate that is verified outside of Gatekeeper.
“The most likely scenario is a phishing attack or a web server compromise, where an attacker is able to serve a legitimate-looking web page masquerading as a legitimate software vendor,” Sten explained. “This can then be used to trick the user into downloading a malicious app masquerading as a legitimate app. By exploiting CVE-2021-1810 this app would be able to run when the user double-clicks on it despite the fact that it hasn’t been signed or notarised.”
A short video demo of the vulnerability in action was posted by Sten on Twitter.