Bypass Vulnerability Threatens Apple’s Gatekeeper Mechanism, Microsoft Warns

A bypass vulnerability in Apple’s Gatekeeper mechanism could let attackers run malicious apps on Mac devices, warned Microsoft researchers who discovered the flaw.

Apple’s Gatekeeper is a security mechanism that prevents untrusted apps from running on Mac devices. The feature checks whether downloaded apps have a valid signature before they launch. Based on the result, Gatekeeper either prompts users to confirm the launch or informs them that the app can’t be trusted and, therefore, can’t be launched.

“Many macOS infections are the result of users running malware, oftentimes inadvertently,” reads Microsoft’s announcement. “Fake app bundles might masquerade themselves as different apps, like Flash Player, or as a legitimate file, such as using a PDF icon and using the app name ’Resume’ to combat this highly popular infection vector, Apple has imposed strong security mechanisms. When downloading apps from a browser, like Safari, the browser assigns a special extended attribute to the downloaded file.”

Microsoft security experts discovered the flaw, tracked as CVE-2022-42821, on July 27. They used a combination of extended attributes and Access Control Lists (ACLs) to develop the Achilles proof-of-concept (PoC) exploit to demonstrate its destructive potential. Gatekeeper relies on extended attributes to determine the source of a downloaded file and receive instructions on how to process it.

Researchers appended restrictive ACLs to downloaded files, making it impossible for other programs, such as Safari, to set new extended attributes, including com.apple.quarantine. This critical attribute alerts Gatekeeper to check downloaded content.

Without the quarantine attribute, the PoC exploit could bypass the security mechanism altogether. The threat of unpatched Gatekeeper bypass vulnerabilities stems from their potential role as initial access vectors in malicious campaigns against macOS devices.

After learning of the vulnerability, Microsoft shared its findings with Apple, which promptly addressed the shortcomings by releasing patches for all OS versions.

Microsoft highlights that the vulnerability could be exploited regardless of the status of Lockdown Mode. Lockdown Mode is an optional security feature introduced in macOS Ventura that was designed to prevent zero-click remote code execution exploits.