An actively exploited zero-day vulnerability in macOS has been patched by Apple. The vulnerability, one of the most serious flaws in macOS to be discovered, allows malware to bypass File Quarantine, Gatekeeper, and Notarization protections.
The vulnerability – tracked as CVE-2021-30657 – is due to a logic flaw in the macOS policy subsystem that performs security checks on applications. The flaw was identified by security researcher and Twilio security engineer Cedric Owens, who reported it to Apple on March 25, 2021. Owens developed a proof-of-concept exploit and successfully exploited the flaw in macOS Catalina 10.15 as well as versions of macOS Big Sur prior to version 11.3.
The flaw can be easily exploited by a threat actor to create a macOS payload that is not checked by the Gatekeeper security feature. If a user clicks on a malicious application, it will run without any prompts or alerts. To increase the chance of the app being clicked, it could be disguised as a benign file such as a PDF document hosted on a website or delivered by email.
According to researcher Patrick Wardle, who performed a technical analysis of the bug, the flaw stems from how macOS identifies applications: as a bundle of files rather than as individual files. Included in the bundle is a property list file, Info.plist, that tells macOS where the bundle's files are located. If a bundle is created in a certain way and lacks that property list file, macOS can be tricked into misclassifying the application, allowing it to bypass all three of Apple’s anti-malware checks. “Any script-based application that does not contain an Info.plist file will be misclassified as ‘not a bundle’ and thus will be allowed to execute with no alerts nor prompts,” said Wardle.
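The misclassification Wardle describes gives defenders a concrete, file-system-level indicator to hunt for: an application bundle whose main executable is a script and whose Contents/Info.plist is absent. The following scanner is an added example written for this article; it is not code from the article, from Wardle, or from Apple. It walks a directory tree, assesses every `.app` directory it finds, and flags the combination of a shebang-script executable and a missing Info.plist. The two fixture bundles it builds in a temporary directory (`Normal.app` and `Suspect.app`) and their contents are constructed purely for illustration.

```python
"""
Added example: scan for .app bundles that match the shape the article describes
(script-based executable, no Contents/Info.plist). Not code from the article,
from Patrick Wardle, or from Apple. Fixture bundle names and contents are
constructed for demonstration only.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def main_executable(app: Path) -> Optional[Path]:
    """Return the first executable file in Contents/MacOS, or None."""
    macos_dir = app / "Contents" / "MacOS"
    if not macos_dir.is_dir():
        return None
    for entry in sorted(macos_dir.iterdir()):
        if entry.is_file() and os.access(entry, os.X_OK):
            return entry
    return None


def is_script(path: Path) -> bool:
    """True when the file starts with a shebang, i.e. it is a script, not Mach-O."""
    with path.open("rb") as fh:
        return fh.read(2) == b"#!"


def assess_bundle(app: Path) -> Dict[str, object]:
    """Collect the indicators for one .app directory."""
    info_plist = app / "Contents" / "Info.plist"
    exe = main_executable(app)
    findings: Dict[str, object] = {
        "path": str(app),
        "has_info_plist": info_plist.is_file(),
        "executable": str(exe) if exe else None,
        "script_based": bool(exe and is_script(exe)),
    }
    # The article's indicator: script-based app with no Info.plist.
    findings["suspicious"] = bool(findings["script_based"]) and not findings["has_info_plist"]
    return findings


def scan(root: Path) -> List[Dict[str, object]]:
    """Walk `root` and assess every *.app directory, without descending into bundles."""
    results = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if name.endswith(".app"):
                results.append(assess_bundle(Path(dirpath) / name))
                dirnames.remove(name)
    return results


def build_fixtures(root: Path) -> None:
    """Create two constructed sample bundles under `root` (demo data only)."""
    # A bundle that carries an Info.plist alongside a script executable.
    normal = root / "Normal.app" / "Contents"
    (normal / "MacOS").mkdir(parents=True)
    (normal / "Info.plist").write_text('<plist version="1.0"><dict/></plist>\n')
    exe = normal / "MacOS" / "Normal"
    exe.write_text("#!/bin/sh\necho hello\n")
    exe.chmod(0o755)
    # The shape the article describes: script executable, no Info.plist.
    suspect = root / "Suspect.app" / "Contents"
    (suspect / "MacOS").mkdir(parents=True)
    exe = suspect / "MacOS" / "Suspect"
    exe.write_text("#!/bin/sh\necho hello\n")
    exe.chmod(0o755)


def demo() -> Dict[str, bool]:
    """Build the fixtures, scan them, and return {bundle name: flagged?}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixtures(root)
        return {Path(r["path"]).name: bool(r["suspicious"]) for r in scan(root)}


if __name__ == "__main__":
    for bundle, flagged in demo().items():
        print(f"{bundle}: {'SUSPICIOUS' if flagged else 'ok'}")
```

On a real system, point `scan()` at directories such as `~/Downloads` or `/Applications`; a hit is a reason to look at where the bundle came from and whether it still carries a quarantine attribute, not proof of compromise on its own, since legitimate but sloppily packaged script apps can also lack an Info.plist.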
After the flaw was reported, Wardle asked researchers at Jamf to search for evidence that it was already being exploited in the wild. They found the bug was already being actively exploited by Shlayer malware and had been since at least January 2021. Shlayer malware is a Trojan that is mostly distributed via fake pop-ups on hijacked domains, email, and malicious adverts – malvertising – in third-party ad blocks on legitimate websites.
Shlayer malware is currently used to deliver adware as the secondary payload, which runs on the system as if it had been verified as non-malicious. The secondary adware payload could easily be changed to something more malicious, such as a wiper or ransomware.
The flaw has been corrected in macOS Big Sur 11.3, which was released on April 26, 2021. Apple has also made a further update to make it harder for other zero-day vulnerabilities to be exploited in a similar fashion. If a user attempts to install an application, the operating system will perform a check to find out whether the app has passed Notarization. If a vulnerability has been exploited to bypass Notarization, the user will be given a warning that the file is suspicious.
All macOS users have been advised to perform the update as soon as possible to prevent the flaw from being exploited.