A new critical security flaw has been discovered on macOS. It was Jonathan Bar Or, a cybersecurity researcher at Microsoft, who was able to pinpoint this anomaly. In a blog post published on Monday, December 19, Microsoft Security Threat Intelligence details the ins and outs of this new flaw.
Bypassing Gatekeeper
Discovered on July 27, 2022 and named “Achilles”, the CVE-2022-42821 flaw allows bypassing Apple’s Gatekeeper system. This tool developed by the Apple brand makes it possible to authenticate software downloaded from the browser.
Normally, “When you install Mac apps, add-ons, and installers that aren’t from the App Store, macOS checks the developer’s ID signature to make sure the software is from an identified developer and doesn’t has not been modified”, explains Apple on its site. The user is therefore protected against the installation of viruses and other malicious programs.
Jonathan Bar Or used a PoC — Proof of Concept (prototype) — to illustrate the newly discovered flaw. He managed to develop a program that can block the addition of a file to the ACL (Access Control List). The program downloaded via the browser was no longer identified as “not verified” and could then be installed without any error message.
Used by hackers, this technique could allow malware to be distributed without Gatekeeper being able to identify the source of the software and its developers.
An update rolled out
Once discovered, the flaw was shared with Apple teams. A security update was made quickly. According to our colleagues from BleepingComputerthe bug was fixed in versions macOS 13 (Ventura), macOS 12.6.2 (Monterey) and macOS 1.7.2 (Big Sur) on December 13th.
The Lockdown mode developed by Apple and introduced in macOS Ventura aims to avoid zeroday vulnerabilities of this type. But Microsoft Security Threat Intelligence researchers explain that the tool does not protect against the vulnerability “Achilles”. “End users should apply the patch regardless of Lockdown Mode activation status”, say the specialists. For its part, Apple claims to have corrected the vulnerability “by carrying out better checks”.