Apple patched a zero-day vulnerability in macOS that can bypass critical anti-malware capabilities and which a variant of the notorious Mac threat Shlayer, an adware dropper, has already been exploiting for several months.
Security researcher Cedric Owens first discovered the vulnerability, tracked as CVE-2021-30657 and patched in macOS 11.3, an update dropped by Apple on Monday. The vulnerability is particularly perilous to macOS users because it allows an attacker to very easily craft a macOS payload that goes unchecked by the strict security features built into the OS specifically to keep malware out.
“This bug trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk,” warned Patrick Wardle, an Apple security expert who runs the Objective-See Mac security tool site, in a blog post Monday. Owens asked Wardle to do a deeper technical dive of the bug after his initial analysis and report on it.
Owens said he tested his exploit for the bug successfully on macOS Catalina 10.15 (specifically 10.15.7) and on versions of macOS Big Sur before 11.3, submitting a report to Apple about the vulnerability on March 25.
“This payload can be used in phishing and all the victim has to do is double-click to open the .dmg and double-click the fake app inside of the .dmg, no pop-ups or warnings from macOS are generated,” Owens wrote in a post on his Medium blog Monday.
Vulnerability Deep Dive
Wardle’s report takes an extensive technical look at the bug, finding that CVE-2021-30657 could bypass three key anti-malware protections present in macOS: File Quarantine, Gatekeeper and Notarization.
Apple has always considered itself a stickler for security, with a focus on locking down its proprietary hardware products against malware, which makes the existence of this particular zero-day bug somewhat ironic. The three features that the flaw could bypass actually show a steady progression of macOS security, with the company reinforcing each feature to make the OS inherently less penetrable, Wardle explained.
File Quarantine, introduced in OS X Leopard (10.5) in 2007, provides the first warning to the user and requires explicit confirmation before a newly downloaded file is allowed to execute, he wrote. However, since users kept ignoring the warning and letting malware through, Apple introduced Gatekeeper in OS X Lion (10.7) as a feature built atop File Quarantine. Gatekeeper checks the code-signing information of downloaded items and blocks those that do not adhere to system policies, Wardle said.
Notarization is the newest security feature of the three, introduced in macOS Catalina (10.15) and aimed at once again preventing users from sabotaging themselves. The feature introduced Application Notarization to ensure that Apple has scanned and approved all software before it is allowed to run, according to the post.
By bypassing all three, the zero-day bug provides a triple threat that essentially gives malware a free pass into the system. It does so by triggering a logic bug in macOS’ underlying code that mischaracterizes certain application bundles and skips the usual security checks, Wardle explained.
The key to how the bug works lies in the way macOS identifies apps: not as single files but as bundles of different files. Each bundle includes a list of properties that tells the app where the specific files it needs are located.
By omitting that property file and constructing the bundle in a particular way, threat actors can exploit the flaw: the OS misrecognizes the bundle and lets it pass through the security checks, Wardle said in his post.
“Any script-based application that does not contain an Info.plist file will be misclassified as ‘not a bundle’ and thus will be allowed to execute with no alerts nor prompts,” he wrote.
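As an added defender-side example, not code from Wardle’s or Jamf’s write-ups: a small Python triage tool that walks a folder (such as a mounted .dmg or a downloads directory) and flags app bundles in the shape the bug abuses, a script executable with no Contents/Info.plist. The Contents/MacOS layout and the shebang test are assumptions about standard bundles, and the sample bundles are constructed in a temporary directory.

```python
import os
import tempfile
from pathlib import Path

def is_script(path):
    """A shebang on the first line marks a script rather than a compiled Mach-O binary."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"#!"
    except OSError:
        return False

def classify_bundle(app_dir):
    """Triage one .app directory (standard Contents/ layout assumed).
    'no-plist-script' is the CVE-2021-30657 shape: a script-based app bundle
    without Contents/Info.plist, which pre-11.3 macOS treated as 'not a bundle'."""
    contents = Path(app_dir) / "Contents"
    has_plist = (contents / "Info.plist").is_file()
    macos_dir = contents / "MacOS"
    has_script = macos_dir.is_dir() and any(
        p.is_file() and is_script(p) for p in macos_dir.iterdir())
    if not has_plist:
        return "no-plist-script" if has_script else "no-plist"
    return "has-plist"

def find_suspicious_bundles(root):
    """Walk a folder (a mounted .dmg, ~/Downloads) and list bundles in the risky shape."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.endswith(".app"):
                app = Path(dirpath) / d
                if classify_bundle(app) == "no-plist-script":
                    hits.append(str(app.relative_to(root)))
    return sorted(hits)

def _write(path, data):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)

def demo():
    """Constructed sample: one ordinary bundle, one plist-less script bundle, one
    plist-less bundle with a compiled binary (not the bug's shape)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        _write(base / "Good.app/Contents/Info.plist", b"<plist/>")
        _write(base / "Good.app/Contents/MacOS/Good", b"\xcf\xfa\xed\xfe")  # Mach-O magic
        _write(base / "Odd.app/Contents/MacOS/Odd", b"\xcf\xfa\xed\xfe")
        _write(base / "Bad.app/Contents/MacOS/Bad", b"#!/bin/sh\necho hello\n")
        return find_suspicious_bundles(base)
```

Only Bad.app is reported; a missing Info.plist alone is not enough, the executable must also be a script, matching Wardle’s description of the misclassification.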
Exploitation in the Wild
Once he identified how the bug works, Wardle asked researchers from Mac security company Jamf to check whether anyone had already exploited it in the wild. It turns out a variant of malware already quite familiar to Mac users has been abusing the vulnerability since at least Jan. 9, according to a post Monday on the Jamf Blog.
“The Jamf Protect detections team observed this exploit being used in the wild by a variant of the Shlayer adware dropper,” according to the post by Jamf detections lead Jaron Bradley, who added that it is nearly identical to a malware sample previously identified by Intego Security.
The major difference, however, is that the variant has been repackaged into the format necessary for carrying out the macOS Gatekeeper bypass, he explained, going into detail about how the attacker abused the flaw.
Shlayer and macOS already have quite a history, as the stealthy adware is known as the No. 1 threat to Macs. Indeed, Shlayer was found slipping past the Notarization feature as recently as last August, disguised as Adobe Flash Player updates, something Wardle co-discovered with researcher Peter Dantini at the time.
Understandably, Apple and all the security researchers who took a look at the zero-day vulnerability are advising that macOS users update their systems immediately to avoid falling victim to any existing exploits for it.