Hackers Used ‘Mind-Blowing’ Bug to Sneak Past macOS Safeguards
Hackers Used ‘Mind-Blowing’ Bug to Sneak Past macOS Safeguards

By Lily Hay Newman

The vulnerability was patched Monday, but hackers had already used it to spread malware.

WITH MACOS MALWARE on the rise, Apple has been busy in recent years adding layers of protections that make it a lot more difficult for malicious software to run on Macs. But a vulnerability in the operating system, publicly disclosed and patched today, was exploited to bypass all of them. 

Security researcher Cedric Owens discovered the bug in mid-March while looking for ways around macOS defenses. Apple’s Gatekeeper mechanism requires developers to register with Apple and pay a fee so their software will be able to run on Macs. And the company’s software notarization process mandates that all applications go through an automated vetting process. The logic flaw Owens found lay not in those systems but rather in macOS itself. Attackers could craft their malware strategically to trick the operating system into letting it run even if it failed all the safety checks along the way.

“With all of the security improvements Apple has made in the past few years I was pretty surprised that this simple technique worked,” Owens says, “So I immediately reported this to Apple given the potential for real world attackers to use this technique to bypass Gatekeeper. There are multiple use cases for how this bug could be abused.”

The flaw is akin to a front entrance that’s barred and bolted effectively, but with a cat door at the bottom that you can easily toss a bomb through. Apple mistakenly assumed that applications will always have certain specific attributes. Owens discovered that if he made an application that was really just a script—code that tells another program what do rather than doing it itself—and didn’t include a standard application metadata file called “info.plist,” he could silently run the app on any Mac. The operating system wouldn’t even give its most basic prompt: “This is an application downloaded from the Internet. Are you sure you want to open it?”

Owens reported the bug to Apple and also shared his findings with longtime macOS security researcher Patrick Wardle, who conducted deeper analysis into why macOS had dropped the ball.

“The operating system correctly says, ‘Wait a minute, this is from the internet, I’m going to quarantine this and I’m going to do all my checks,’” Wardle says. First, macOS checks to see if the app has been notarized, which in this case it hasn’t. But then it follows up to see if the software is an application bundle; when it sees there’s no ‘info.plist’ file, macOS wrongly determines that it’s not an app, ignores any other evidence to the contrary, and lets it run without any caution to the user. “It just says ‘OK, cool’ and will run anything,” Wardle says. “It’s kind of bonkers!”

After gaining a deeper understanding of how the bug worked, Wardle reached out to the Apple-focused device management firm Jamf to see if the company’s Protect antivirus product had flagged any script-based malware that fit the criteria. In fact, Jamf had flagged a version of the Shlayer adware that was actively exploiting the bug.

“This fully undermines many core, foundational components of macOS.”

SECURITY RESEARCHER PATRICK WARDLE

The Gatekeeper feature on macOS, launched in 2012, prompts users with a warning asking if they’re sure they want to run applications downloaded outside the Mac App Store. Over the years, though, attackers have been able to trick enough victims into agreeing that they could still distribute their malware widely. But Apple’s notarization requirements, which went into effect in February 2020, have made it significantly harder for malware actors to target Macs. If a user tries to run software that isn’t notarized, macOS will reject the app altogether. That represents a big problem cybercriminals, particularly adware peddlers, who rely on a broad victim base to generate revenue.

The group that develops Shlayer has aggressively sought workarounds, and has had some success tricking Apple into notarizing their malware. A bug that allows you to bypass the notarization requirement completely, though, would obviously preferable—especially if it came with the bonus of not needing to trick users into agreeing to run the malware at all.

Apple released a patch for the bug today in macOS Big Sur 11.3. A spokesperson confirmed that the bug allowed malware to bypass the notarization requirement and the Gatekeeper user warning overlay. In addition to fixing the logic issue in macOS, Apple also updated its XProtect system monitoring tool to detect and warn about any software that may be attempting to exploit the flaw. This means that even past versions of macOS immediately get some protection.

The researchers emphasize that while the bug was simple, and the result of an understandable engineering error, it reflects the fragility of even the most stringent anti-malware protections. And the mistake reinforces the importance of investing in rigorous and extensive code quality audits.

“It’s not to say that any operating system isn’t going to have flaws—they always will,” Wardle says. “But this fully undermines many core, foundational components of macOS. It’s a pretty mind-blowing oversight.”

In addition to macOS Big Sur 11.3, Apple also released iOS 14.5 today with with expanded app privacy features. Go ahead, make a day of it and install both.

Lily Hay Newman is a senior writer at WIRED focused on information security, digital privacy, and hacking. She previously worked as a technology reporter at Slate magazine and was the staff writer for Future Tense, a publication and project of Slate, the New America Foundation, and Arizona State University.

Affiliate News Feeds

  • Hardware
  • Internet of Things
  • Networking
  • Industry News
  • Software

The tech titan Amazon used its show in Las Vegas to talk about watery matters, supply chains and much more. The post AWS re:Invent 2022: A tiered tour of technology… [...]

In a recent interview with Ravi Pendekanti, SVP of Product Management & Marketing at Western Digital, he explained how they have expanded their HDD technology to lower total cost of… [...]

Our picks for the top Amazon Cyber Week deals to ease the stress of those who work from home. The post 5 Amazon Cyber Week deals sure to make remote… [...]

IIoT can be a revelation when implemented successfully, but companies may run into obstacles. Here’s what IIoT is and the top five obstacles associated with using it. The post Top… [...]

Learn how Internet of Things technology has continued to support digital transformation for organizations across industries. The post Top 5 trends to watch in industrial IoT appeared first on TechRepublic. [...]

UK-based IoT connectivity platform provider seeks élan and style by snapping up French firm. The post Wireless Logic continues acquisition spree with IoThink Solutions deal appeared first on TechRepublic. [...]

Consider securing your remote work setup with a three-year subscription to a top VPN. Windscribe Pro is more than 70% off today only. The post Lock in 3 years of… [...]

Virtualization platforms are available from a number of vendors, but it’s still critical to maintain your virtualization environment to avoid unnecessary resource consumption, out of-compliance systems or applications, data loss,… [...]

The company’s products seek to address real-time data transport, edge data collection instruments. The post NVIDIA unveils supercomputing and edge products at SC22 appeared first on TechRepublic. [...]

An account takeover (ATO), in which criminals impersonate legitimate account owners to take control of an account, are on the rise in Asia and across the world. Fraudsters are swindling… [...]

Experts warn that API attacks will soon become the most common type of web application attack. As a result, organizations and their security vendors need to align across people, processes,… [...]

Research shows that web applications and API attacks continued to explode in the first half of 2022. Does your organization have the best defense today? Akamai recommends deploying a holistic… [...]

See how to integrate the Trello software with Google Mail for a much simpler project management workflow. The post How to integrate Trello with Gmail appeared first on TechRepublic. [...]

Read how to install the Trello app in macOS and why it will make your project management even easier. The post How to install the Trello app on macOS and… [...]

Find out if one of these top seven Wrike alternatives are an ideal project management solution for you and your team. The post Top 7 Wrike alternatives for project and… [...]