Apple issues patch for macOS security bypass vulnerability

The Apple logo on a glass storefront in Ireland
(Image credit: Shutterstock)

Apple has fixed a vulnerability in macOS that could have allowed attackers to bypass application restrictions on the tech giant’s Gatekeeper mechanism.

The vulnerability, tracked as CVE-2022-42821 and dubbed ‘Achilles’, was first uncovered by researchers at Microsoft and shared with Apple through the Coordinated Vulnerability Disclosure (CVD) system.

Microsoft said the Achilles flaw could have enabled hackers to gain access to operating systems and download or deploy malware on Mac devices.

Apple confirmed it patched the bug on 13 December in its raft of security updates for macOS 13, macOS 12.6.2 and macOS 11.7.2.

Achilles targeted Apple’s Gatekeeper security mechanism on Macs, which checks downloaded apps to ensure that they are legitimate and requires the user to confirm or authorise launching any app the mechanism has flagged.

Apple’s Gatekeeper system operates in a similar fashion to Microsoft’s own Mark of the Web (MOTW) protocols.

“When downloading apps from a browser, like Safari, the browser assigns a special extended attribute to the downloaded file,” researchers explained.

“That attribute is named com.apple.quarantine and is later used to enforce policies such as Gatekeeper or certain mitigations that prevent sandbox escapes.”

Microsoft said the Achilles flaw would allow attackers to leverage targeted payloads to abuse Access Control Lists (ACLs) - a mechanism in macOS that offers additional protection to the standard permission model.

If exploited, the flaw meant that a malicious app downloaded by a user would launch on their system instead of being blocked by Gatekeeper.
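The quarantine attribute described above is something a defender can inspect directly. The following is an added example, not code from the article or from Microsoft's research: it parses the value of com.apple.quarantine and flags downloaded files that carry no such attribute, since those are exactly the files Gatekeeper never gets to evaluate. The value layout assumed here (`flags;unix-time-hex;agent;uuid`) is the commonly documented one, and the sample attribute sets are constructed rather than captured from a real system.

```python
"""Inspect the com.apple.quarantine attribute that Gatekeeper relies on.

Added example, not from the article or Microsoft's research. Assumed value
layout: "<flags-hex>;<unix-time-hex>;<agent-name>;<uuid>".
"""
import subprocess
import sys
from dataclasses import dataclass
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int                 # bit flags set by the downloading application
    downloaded_at: datetime    # when the file was downloaded (UTC)
    agent: str                 # application that wrote the attribute, e.g. Safari
    identifier: str            # per-download UUID (may be empty)


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse the semicolon-separated quarantine attribute value."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    ts = int(parts[1], 16)
    identifier = parts[3] if len(parts) > 3 else ""
    return QuarantineInfo(
        flags=flags,
        downloaded_at=datetime.fromtimestamp(ts, tz=timezone.utc),
        agent=parts[2],
        identifier=identifier,
    )


def read_xattrs_macos(path: str) -> dict[str, str]:
    """Read extended attributes with the stock `xattr -l` tool (macOS only).

    Output lines look like "com.apple.quarantine: 0083;63a0b1c2;Safari;...".
    """
    if sys.platform != "darwin":
        raise RuntimeError("xattr(1) in this form is only available on macOS")
    out = subprocess.run(["xattr", "-l", path], capture_output=True,
                         text=True, check=True).stdout
    attrs = {}
    for line in out.splitlines():
        name, _, value = line.partition(": ")
        if name:
            attrs[name] = value
    return attrs


def find_unquarantined(files: dict[str, dict[str, str]]) -> list[str]:
    """Return paths of downloaded files that carry no quarantine attribute.

    `files` maps a path to its extended attributes. A download without the
    attribute will be launched without a Gatekeeper evaluation, so it is the
    case worth surfacing to an analyst.
    """
    return sorted(p for p, attrs in files.items() if QUARANTINE_XATTR not in attrs)


# Constructed sample: two "downloads" in a user's Downloads folder.
SAMPLE_FILES = {
    "/Users/alice/Downloads/Installer.app": {
        QUARANTINE_XATTR: "0083;63a0b1c2;Safari;A1B2C3D4-0000-4000-8000-CONSTRUCTED0",
    },
    "/Users/alice/Downloads/Untagged.app": {},
}

if __name__ == "__main__":
    info = parse_quarantine(SAMPLE_FILES["/Users/alice/Downloads/Installer.app"][QUARANTINE_XATTR])
    print(f"Installer.app quarantined by {info.agent} at {info.downloaded_at.isoformat()}")
    for path in find_unquarantined(SAMPLE_FILES):
        print(f"no {QUARANTINE_XATTR} on {path}: Gatekeeper will not evaluate it")
```

On a real Mac, `read_xattrs_macos` feeds `find_unquarantined` for every file in a download directory; on other platforms the parser and the check still run against the constructed attribute sets, which is what the sample at the bottom does.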

Apple introduced Lockdown Mode in macOS Ventura to mitigate the risk of zero-click remote code execution (RCE) exploits. However, researchers noted that this optional feature for high-risk users would not defend against Achilles.

“End-users should apply the fix regardless of their Lockdown Mode status,” said Jonathan Bar Or of the Microsoft 365 Defender Research Team.

Gatekeeper vulnerabilities

Bar Or said that while Gatekeeper is “essential” in spotting malware on macOS, there have been several historic examples of flaws which enabled attackers to bypass the system.

“Gatekeeper is not bulletproof,” he said. “Gaining the ability to bypass Gatekeeper has dire implications as sometimes malware authors leverage those techniques for initial access.”

Security researchers at Microsoft previously uncovered the Shrootless flaw in 2021, which enabled hackers to bypass the System Integrity Protection (SIP) feature and execute malicious code.

Similarly, in April 2021 Apple issued a fix for a critical zero-day vulnerability in macOS which allowed the group behind the Shlayer malware to bypass Apple Gatekeeper, File Quarantine, and Notarisation protocols.

Apple introduced its Notarisation process in February 2020 to counter growing threats to macOS. However, experimentation by a university student revealed that the Shlayer adware slipped past the protocol.

Bar Or noted that the research highlights the critical role that collaborative research plays in bolstering protection capabilities across platforms and the broader industry landscape.

“As environments continue to rely on a diverse range of devices and operating systems, organisations need security solutions that can provide protection across platforms and a complete picture of their security posture,” he said.

“This case also emphasised the need for responsible vulnerability disclosures and expert, cross-platform collaboration to effectively mitigate issues, protecting users against present and future threats.”

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.