Apple patches nasty macOS exploit that bypasses security protections
Malicious apps could bypass macOS Gatekeeper
Apple has patched a nasty macOS bug that could have allowed malicious applications to circumvent the operating system's in-built security protections.
As reported by Bleeping Computer, the flaw was first discovered by Gordon Long, Offensive Security Engineer at Box. According to Long, the vulnerability could allow a specially crafted, script-based application to be launched on a Mac device without Gatekeeper (an antivirus service that verifies the authenticity of all downloaded apps) ever triggering an alarm.
In order for the app to work, it would need to use a script whose first line starts with the shebang characters (#!) but is otherwise empty. That way, the Unix shell would run the script without any command interpreter being specified.
Apple released a patch for the vulnerability in its September 2021 update, bringing the OS to version 11.6. Users of macOS 12 beta 6 are also protected, researchers confirmed.
macOS security bug
Objective-See security researcher Patrick Wardle has provided further insight into the exploit mechanism.
“The syspolicyd daemon will perform various policy checks and ultimately prevent the execution of untrusted applications, such as those that are unsigned or unnotarized,” he explained in a blog post.
“But, what if the AppleSystemPolicy kext decides that the syspolicyd daemon does not need to be invoked? Well then, the process is allowed! And if this decision is made incorrectly, well then, you have a lovely File Quarantine, Gatekeeper, and notarization bypass.”
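The tell-tale feature described above, a script whose first line is a bare "#!" with no interpreter, is easy to check for before a downloaded bundle is opened. The following POSIX shell helper is an added example written for this article; it is not code from the article, from the researchers or from Apple, and the bundle path and file names in it are constructed.

```shell
#!/bin/sh
# Added detection helper, not code from the article or from Apple. It flags
# script files whose first line is a bare "#!" with no interpreter path, the
# shape described above. Assumes a POSIX shell with head(1), sed(1) and find(1).

# bare_shebang FILE -> succeeds (exit 0) when the first line is "#!" followed
# by nothing but whitespace, i.e. a shebang that names no interpreter.
bare_shebang() {
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case "$first" in
        '#!'*) ;;           # has a shebang; keep checking
        *) return 1 ;;      # no shebang at all (binary, plain text, ...)
    esac
    # Remove the "#!" and all whitespace; whatever remains is the interpreter
    rest=$(printf '%s' "$first" | sed 's/^#!//; s/[[:space:]]//g')
    [ -z "$rest" ]
}

# scan_bundle BUNDLE.app -> prints each bare-shebang executable found under
# Contents/MacOS and fails (exit 1) if there was at least one.
scan_bundle() {
    count=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if bare_shebang "$f"; then
            printf 'suspicious: bare shebang in %s\n' "$f"
            count=$((count + 1))
        fi
    done <<EOF
$(find "$1/Contents/MacOS" -type f 2>/dev/null)
EOF
    # On macOS you would also confirm the bundle still carries the
    # com.apple.quarantine attribute: xattr -p com.apple.quarantine "$1"
    [ "$count" -eq 0 ]
}

# Usage: sh check_bare_shebang.sh /path/to/Downloaded.app   (hypothetical path)
if [ $# -gt 0 ]; then
    scan_bundle "$1"
fi
```

A non-zero exit from scan_bundle means at least one script inside the bundle would have been handed to the shell with no interpreter named, which is the exact condition the bypass relied on.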
Wardle also said that attackers can disguise the malicious app as a harmless PDF file which, as we all know, can be delivered in numerous ways, be it through email, poisoned search results, fake updates, or malware downloaded from shady websites.
After the victim runs the script, the attacker can also use it to download and run more potent malware, according to the report.
Via Bleeping Computer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.