
Microsoft discloses Gatekeeper vulnerability in macOS


Microsoft has disclosed details of a security flaw in macOS’ Gatekeeper that, if exploited, allowed an attacker to bypass its security restrictions and run malicious programs. The bug was discovered and shared with Apple in July earlier this year.

The vulnerability is tracked as CVE-2022-42821 and has a CVSS score of 5.5. Apple has since fixed the issue in macOS Ventura 13, Monterey 12.6.2 and Big Sur 11.7.2. According to Apple’s patch notes, the vulnerability was caused by a logic issue that allowed apps to bypass Gatekeeper checks.

Similar to Windows’ Mark of the Web (MotW) feature, Gatekeeper is a built-in security mechanism in macOS that ensures only trusted applications run on the computer. It relies on an extended attribute called “com.apple.quarantine” that is attached to any file downloaded from the internet.

Gatekeeper on macOS works similarly to MotW on Windows.

Given the sensitive nature of Gatekeeper, any program that bypasses it can cause major problems on the target Mac, since it can then run unchecked. According to Microsoft’s report, “Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS”.

Microsoft’s proof-of-concept uses Access Control Lists (ACLs) to bypass Gatekeeper, hence the name Achilles. It applies a set of extremely restrictive permissions to a downloaded file, which prevents Safari from adding the com.apple.quarantine attribute that Gatekeeper needs in order to work.
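The two facts above (Gatekeeper keys off the com.apple.quarantine extended attribute, and a restrictive ACL can stop the downloading browser from writing it) suggest a simple audit for defenders: flag any downloaded file that has no quarantine attribute while carrying an ACL entry that denies `writeextattr`. The script below is an added example written for this article; it is not Microsoft’s proof-of-concept or Apple’s code. It assumes the `flags;timestamp;agent;uuid` layout commonly seen in quarantine attribute values, the ACL entry layout printed by macOS `ls -le`, and that `xattr -p` exits non-zero when the attribute is absent. The parsing functions are pure so they can be exercised with the constructed sample embedded in the block; the live helpers only work on macOS.

```python
"""Audit a downloaded file for the combination the Achilles report describes:
no com.apple.quarantine extended attribute plus an ACL that denies writing
extended attributes. Added example, not Microsoft's or Apple's code."""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int       # hex flag word written by the downloading app
    timestamp: int   # seconds since the Unix epoch, stored in hex
    agent: str       # name of the application that downloaded the file
    uuid: str        # identifier of the download event (may be empty)


def parse_quarantine_value(raw: str) -> Optional[QuarantineInfo]:
    """Parse a 'flags;timestamp;agent;uuid' value (layout assumed, not from the article)."""
    parts = raw.strip().split(";")
    if len(parts) < 3:
        return None
    try:
        flags = int(parts[0], 16)
        timestamp = int(parts[1], 16)
    except ValueError:
        return None
    uuid = parts[3] if len(parts) > 3 else ""
    return QuarantineInfo(flags, timestamp, parts[2], uuid)


# ACL entry lines as printed by `ls -le`, e.g. " 0: group:everyone deny writeextattr"
ACL_ENTRY_RE = re.compile(
    r"^\s*\d+:\s+(?P<who>\S+)\s+(?P<kind>allow|deny)\s+(?P<perms>\S+)\s*$"
)

AclEntry = Tuple[str, str, Set[str]]  # (who, "allow"|"deny", permission names)


def parse_acl_entries(ls_output: str) -> List[AclEntry]:
    """Extract ACL entries from `ls -le` output; non-ACL lines are ignored."""
    entries: List[AclEntry] = []
    for line in ls_output.splitlines():
        m = ACL_ENTRY_RE.match(line)
        if m:
            entries.append((m["who"], m["kind"], set(m["perms"].split(","))))
    return entries


def acl_blocks_xattr_writes(entries: List[AclEntry]) -> bool:
    """True if any entry denies 'writeextattr', which would stop a browser
    from attaching the quarantine attribute after download."""
    return any(kind == "deny" and "writeextattr" in perms for _, kind, perms in entries)


def assess(quarantine_raw: Optional[str], ls_output: str) -> str:
    """Classify one file: suspicious, merely unquarantined, or quarantined by <agent>."""
    info = parse_quarantine_value(quarantine_raw) if quarantine_raw else None
    blocked = acl_blocks_xattr_writes(parse_acl_entries(ls_output))
    if info is None and blocked:
        return "suspicious: no quarantine attribute and ACL denies writeextattr"
    if info is None:
        return "unquarantined"
    return f"quarantined by {info.agent}"


# --- live helpers for macOS; these shell out to the real `xattr` and `ls` tools ---

def read_quarantine_xattr(path: str) -> Optional[str]:
    """Return the raw attribute value, or None when the file has no such attribute."""
    result = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                            capture_output=True, text=True)
    return result.stdout if result.returncode == 0 else None


def read_acl_listing(path: str) -> str:
    return subprocess.run(["ls", "-le", path], capture_output=True, text=True).stdout


# Constructed sample of `ls -le` output with a restrictive deny entry (not real data).
SAMPLE_LS_OUTPUT = """-rw-r--r--+ 1 alice  staff  1234 Dec 20 10:00 download.dmg
 0: group:everyone deny writeextattr,writesecurity
"""

if __name__ == "__main__":
    # Usage on macOS: python3 audit_quarantine.py ~/Downloads/*
    for p in sys.argv[1:]:
        print(p, "->", assess(read_quarantine_xattr(p), read_acl_listing(p)))
```

Run it over a Downloads folder on a Mac to list files whose missing quarantine attribute coincides with a `deny writeextattr` ACL entry; a plain "unquarantined" verdict is common for files created locally and is not by itself evidence of a bypass.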

This isn’t the first time Gatekeeper has been bypassed either. Microsoft details the following six vulnerabilities discovered in Gatekeeper over the past few years.

In addition to this, malware families such as Shlayer have also abused Gatekeeper bypasses to run malware on macOS devices. All the aforementioned vulnerabilities lie in the components that implement policy checks on quarantined files, and they further misuse the assignment of the com.apple.quarantine extended attribute.
