February 22, 2026

Gatekeeper bypass exposes Macs to malware – Security

Microsoft has gone public with an analysis of a macOS Gatekeeper bug it found in July, dubbed Achilles, following patch releases by Apple last week.

The bug, CVE-2022-42821, exists in macOS Monterey, Big Sur, and Ventura, permitting an app to bypass Gatekeeper checks.

Gatekeeper checks apps that users download from the Internet. If the app is signed by Apple, the user is asked to confirm they want to launch it; if not, the app is untrusted and execution is refused.

What Microsoft threat researcher Jonathan Bar Or found is that an attacker could use macOS access control lists (ACLs) to bypass Gatekeeper.

ACLs give files and directories more finely grained permission management than exists in the permission model macOS inherited from its Unix roots.

Bar Or found a logic error in how ACLs are applied to files. It prevents browsers and downloaders from setting the attribute (com.apple.quarantine) that tells Gatekeeper that a file is untrusted.

Bar Or describes the following proof-of-concept for bypassing Gatekeeper:

  • “Create a fake directory structure with an arbitrary icon and payload.
  • Create an AppleDouble file with the com.apple.acl.text extended attribute key and a value that represents a restrictive ACL (we chose the equivalent of “everyone deny write,writeattr,writeextattr,writesecurity,chown”). Perform the correct AppleDouble patching if using ditto to generate the AppleDouble file.
  • Create an archive with the application alongside its AppleDouble file and host it on a web server.”

The fixes are in macOS Big Sur 11.7.2, Monterey 12.6.2 and Ventura 13.
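A defensive check for the archive layout described in the proof-of-concept, added here as an example that is not from Microsoft or the original article: it flags AppleDouble members of a zip archive that carry the com.apple.acl.text key. The byte-search heuristic, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

APPLEDOUBLE_MAGIC = 0x00051607          # AppleDouble header magic number
ACL_XATTR_KEY = b"com.apple.acl.text"   # xattr key named in the write-up


def is_appledouble(data: bytes) -> bool:
    """True if the buffer starts with the AppleDouble magic number."""
    return len(data) >= 4 and struct.unpack(">I", data[:4])[0] == APPLEDOUBLE_MAGIC


def find_acl_sidecars(zip_bytes: bytes) -> list[str]:
    """Return names of AppleDouble members that mention the ACL xattr key.

    Heuristic: a byte search, not a full parse of the xattr table.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if is_appledouble(data) and ACL_XATTR_KEY in data:
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed test input: not a valid AppleDouble file, just enough
    bytes (magic, version, filler, key name) to exercise the scanner."""
    sidecar = struct.pack(">II", APPLEDOUBLE_MAGIC, 0x00020000) + b"\0" * 16
    flagged = sidecar + b"ATTR" + ACL_XATTR_KEY + b"\0everyone deny write"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Sample.app/Contents/MacOS/sample", b"#!/bin/sh\n")
        zf.writestr("__MACOSX/._Sample.app", flagged)   # carries the ACL key
        zf.writestr("__MACOSX/._notes.txt", sidecar)    # ordinary sidecar
        zf.writestr("readme.txt", ACL_XATTR_KEY)        # key text, no magic
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_acl_sidecars(build_sample_zip()):
        print("review before extracting:", name)
```

Matching on the magic number rather than the `._` filename prefix means a renamed sidecar is still inspected, and a plain file that merely contains the key string is not flagged.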
