So You Think a Mac Cannot Be Hacked? Think Again

essidsolutions

A cybersecurity researcher discovered a serious logic bug in the way Apple’s macOS Catalina and Big Sur classified application bundles, a flaw that let malware slip past the operating system’s built-in defenses. Although a fix is available in the macOS 11.3 update, can it actually repair dented user trust? A proactive response is certainly a good start.

It seems Apple has also started making gaffes when it comes to the security of its highly rated products. The company’s macOS was found to have a grave zero-day flaw that could allow an attacker to infiltrate an Apple computer with malware via a malicious file or document.

Residing in the Big Sur version of the popular operating system, the vulnerability “trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk,” according to Patrick Wardle, a former NASA and NSA employee and the creator of the macOS security tools provider Objective-See. Wardle believes the vulnerability was introduced in macOS 10.15 (Catalina).

The bug is tracked as CVE-2021-30657 and could be exploited simply by double-clicking a malicious file, which then bypasses the OS’ underlying safety shield known as Gatekeeper. Infecting a system by getting the user to double-click a malware-laden file is a primitive technique generally associated with Microsoft Windows, which is one of the reasons the discovery is disconcerting for Mac users.

The second reason is the fact that CVE-2021-30657 has existed for months and was being actively exploited in the wild by a variant of the known Mac malware Shlayer, an adware dropper, as confirmed by researchers at Jamf, a company that provides enterprise management software for Apple products. The payload of this new variant is specifically repackaged to bypass Gatekeeper by exploiting CVE-2021-30657.

And finally, the threat actors using the bug are also poisoning search engine results by manipulating search indexes: the manipulated listings, if clicked, redirect the target to — you guessed it — a compromised web page that prompts the user to download and execute a malicious file.


How Does CVE-2021-30657 Help in Bypassing Gatekeeper in macOS?

Going by what’s known, any app designed to exploit the flaw can practically bypass Gatekeeper.

Gatekeeper ensures that only trusted, unaltered apps run on the computer. “When a user downloads and opens an app, a plug-in or an installer package from outside the App Store, Gatekeeper verifies that the software is from an identified developer,” explains Apple.

Gatekeeper works together with two other mechanisms rooted in macOS: file quarantine and notarization. Files downloaded from the internet are tagged with a quarantine attribute, and the first time a quarantined app is opened, macOS checks it and asks the user to confirm that it should run. Notarization is Apple’s automated security scan of software that developers submit before distribution; at launch, Gatekeeper checks for the resulting notarization ticket.

Image source: Patrick Wardle, Objective-See

So when Cedric Owens pieced together a proof-of-concept app that triggered the vulnerability, he noticed that Gatekeeper was never invoked. Owens, a security professional of 17 years, is the one who discovered the vulnerability and notified Apple in late March.

Wardle went ahead and built another app, disguised as a PDF file, that simply launches the Calculator on macOS. The demonstrations by Owens and Wardle serve as proof-of-concepts (PoCs) for the vulnerability, indicating that an app built to exploit CVE-2021-30657 can carry a malicious payload which, upon execution, could compromise the computer.

Image source: Patrick Wardle, Objective-See

Wardle’s in-depth analysis of the vulnerability gave him additional insight into how exactly the bug enables circumventing Gatekeeper. He found that his PoC app, and the in-the-wild samples leveraging this vulnerability, were missing the configuration file Info.plist.

To the uninitiated, Info.plist is one of the components that make up a bundled macOS application. It stores metadata about the bundle, such as its identifier and the name of the executable inside Contents/MacOS that macOS should launch. In its absence, a script-based app is structured just differently enough that the system no longer recognises it as a bundle, so Gatekeeper is never consulted and the malicious app runs unchecked.

“Any script-based application that does not contain an Info.plist file will be misclassified as ‘not a bundle’ and thus will be allowed to execute with no alerts nor prompts.”

(Read on a Mac, website isn’t mobile-optimized. But update to 11.3 before you do)

— Peter Steinberger (@steipete) April 27, 2021
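As an added example (not code from the article, from Owens or from Objective-See), the following Python script audits a directory for app bundles that match the pattern described above: a Contents/MacOS executable that is a script (its first bytes are a shebang) and no Contents/Info.plist. The two sample bundle layouts it builds in a temporary directory are constructed for the demo, and the bundle names and the `scan` and `bundle_findings` helpers are assumptions of the example, not anything from the page. Because it only inspects directory layout and file headers, it runs on any OS; on a Mac you would point `scan` at a folder such as ~/Downloads.

```python
import os
import plistlib
import tempfile

# Hypothetical helper (added example): flag .app bundles whose layout matches
# the CVE-2021-30657 pattern, i.e. a script-based executable with no
# Contents/Info.plist.  Not code from the article or from Objective-See.


def bundle_findings(app_path):
    """Return a list of findings for one .app directory (empty means clean)."""
    findings = []
    contents = os.path.join(app_path, "Contents")
    if not os.path.isdir(contents):
        return ["no Contents directory (not a bundle layout)"]

    info_plist = os.path.join(contents, "Info.plist")
    macos_dir = os.path.join(contents, "MacOS")
    executables = sorted(os.listdir(macos_dir)) if os.path.isdir(macos_dir) else []

    has_plist = os.path.isfile(info_plist)
    if not has_plist:
        findings.append("missing Contents/Info.plist")
    else:
        try:
            with open(info_plist, "rb") as f:
                plist = plistlib.load(f)
            exe_name = plist.get("CFBundleExecutable")
            if exe_name is None:
                findings.append("Info.plist lacks CFBundleExecutable")
            elif exe_name not in executables:
                findings.append("CFBundleExecutable %r not found in Contents/MacOS" % exe_name)
        except Exception:
            findings.append("Info.plist is not a parseable property list")

    # A shebang (#!) as the first two bytes marks a script rather than a Mach-O binary.
    script_exes = []
    for name in executables:
        path = os.path.join(macos_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            if f.read(2) == b"#!":
                script_exes.append(name)
    if script_exes:
        findings.append("script-based executable: " + ", ".join(script_exes))

    if not has_plist and script_exes:
        findings.append("MATCHES CVE-2021-30657 pattern: script-based app with no Info.plist")
    return findings


def scan(root):
    """Walk a directory tree and return {relative .app path: findings}."""
    results = {}
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                app = os.path.join(dirpath, d)
                results[os.path.relpath(app, root)] = bundle_findings(app)
                dirnames.remove(d)  # do not descend into the bundle itself
    return results


def build_demo(root):
    """Constructed sample tree: one well-formed bundle and one script-only bundle
    with no Info.plist, mirroring the layout the article describes."""
    good = os.path.join(root, "Good.app", "Contents")
    os.makedirs(os.path.join(good, "MacOS"))
    with open(os.path.join(good, "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleIdentifier": "com.example.good",
                       "CFBundleExecutable": "Good"}, f)
    with open(os.path.join(good, "MacOS", "Good"), "wb") as f:
        # Mach-O 64-bit magic followed by padding; a placeholder, not a real binary.
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    bad = os.path.join(root, "Invoice.pdf.app", "Contents", "MacOS")
    os.makedirs(bad)
    with open(os.path.join(bad, "Invoice.pdf"), "wb") as f:
        f.write(b"#!/bin/sh\necho 'constructed benign sample'\n")


def run_demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo(root)
        return scan(root)


if __name__ == "__main__":
    for app, findings in sorted(run_demo().items()):
        print(app, "->", findings or ["clean"])
```

On a real Mac, a bundle that matches should also be checked for the quarantine extended attribute (`xattr -p com.apple.quarantine <path>`), since the bypass matters precisely for quarantined downloads: a script-based bundle with no Info.plist that still carries the quarantine flag on a pre-11.3 system is exactly the case the article describes.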


Potential Impact

The reach of the malicious activity by Shlayer, which has been exploiting CVE-2021-30657 since January 2021, is unclear at the moment. Shlayer is one of the most prevalent malware families plaguing Macs and accounts for almost 30% of all malicious detections on macOS, according to Kaspersky.

Shlayer is adware that is delivered to Mac users to display unwanted advertisements on their computers. On the surface it may seem mostly harmless, but as Malwarebytes Labs’ Thomas Reed explains, “Adware and PUPs can actually be far more invasive and dangerous on the Mac than ‘real’ malware. They can intercept and decrypt all network traffic, create hidden users with static passwords, make insecure changes to system settings, and generally dig their roots deep into the system so that it is incredibly challenging to eradicate completely.”

Besides adware, Mac users are also exposed to other attack vectors, including data theft and ransomware.

Mitigation

The fix is straightforward to obtain. Owens’ disclosure of the vulnerability to Apple on March 25 was met with a quick response by the Cupertino, CA-headquartered company, which promptly shipped a fix for CVE-2021-30657 in macOS Big Sur 11.3 Beta 6 and then in the 11.3 update itself.

The patch corrects the bundle classification logic that Gatekeeper relies on, which is a technical way of saying that an app missing a required component such as Info.plist is now classified correctly, so Gatekeeper inspects it and blocks it with an error message (refer to the image below) instead of letting it run.

“Kudos to Apple for rolling out a fix in Big Sur 11.3 beta 6 literally 5 days after I reported to them,” exclaimed Owens. “Again, I highly encourage you to update to Big Sur 11.3 soonest, as the fix has been applied to syspolicyd so that gatekeeper now properly blocks this payload on macOS 11.3.”

Wardle also verified the workings of the patch by reverse-engineering the macOS 11.3 update.

Other Vulnerabilities in macOS

Apple’s update this week for Big Sur and Catalina also fixed CVE-2021-1810, another vulnerability that allows apps to elude Gatekeeper. Discovered by cybersecurity company F-Secure, the details of CVE-2021-1810 remain under wraps for now.

The now-patched flaw was indeed quite serious: it trivially overrode many of the core security walls of Apple’s OS and was reportedly exploited for months, though it is unclear how many people were affected. All Mac users who have not already done so should install the 11.3 update and think more than twice before downloading random files from the web.
