Gatekeeper Flaw actively exploited in attacks on macOS Computers

Gatekeeper is a security feature of Apple's macOS that is supposed to allow only trusted apps to run on the system, by ensuring that an application has been signed and cleared through an automated process known as "app notarization", which scans the app for malicious content.

By default, the feature accepts all software distributed through Apple's own Mac App Store, as well as apps "signed" by developers approved by Apple, which it assumes to be safe. But there was a flaw in Gatekeeper, tracked as CVE-2021-30657, which was reported by security engineer Cedric Owens on March 25, 2021.

Apple promptly released a macOS update to address the vulnerability, which could be exploited to circumvent all of these security protections and allow unapproved applications to run on Macs.

How Hackers Could Have Exploited the Gatekeeper Flaw to Attack macOS Computers

The Gatekeeper flaw uncovered by Owens could allow an adversary to craft rogue applications that deceive the Gatekeeper service and get executed without triggering any security warning, by packaging a malicious shell script as a "double-clickable app", so that the malicious script could be double-clicked and run like an app.

The payload runs as an app in the sense that the user can double-click it and macOS presents it as an application in the Finder, but it is also a shell script, and shell scripts were not checked by Gatekeeper even when the quarantine attribute was present.

Given that an unsigned, unnotarized, script-based proof-of-concept application could trivially and reliably sidestep all of macOS's security mechanisms (including Gatekeeper and the notarization requirements), even on a fully patched M1 macOS system, malware authors with such a capability could succeed in their proven methods of infecting macOS users.
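As an added defensive illustration (not code from the original article or from Owens' proof of concept), the Python audit below inspects an .app bundle the way this flaw abused it: it resolves the main executable, checks whether that file is an interpreter script (`#!`) or a Mach-O binary, notes whether Contents/Info.plist is present, and on macOS records the quarantine attribute via `xattr`. The bundle names, the sample script and the Mach-O header bytes are constructed; `demo()` builds them in a temporary directory so the audit runs on any OS.

```python
import plistlib
import subprocess
import sys
import tempfile
from pathlib import Path

MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}  # thin 32/64-bit + fat headers

def main_executable(bundle: Path):
    """CFBundleExecutable from Info.plist if present, else the sole file in Contents/MacOS."""
    macos_dir, plist = bundle / "Contents" / "MacOS", bundle / "Contents" / "Info.plist"
    name = plistlib.loads(plist.read_bytes()).get("CFBundleExecutable") if plist.is_file() else None
    if name:
        return macos_dir / name
    files = [p for p in macos_dir.iterdir() if p.is_file()] if macos_dir.is_dir() else []
    return files[0] if len(files) == 1 else None

def is_quarantined(path: Path) -> bool:
    """On macOS, ask xattr whether com.apple.quarantine is set; elsewhere report False."""
    if sys.platform != "darwin":
        return False
    cmd = ["xattr", "-p", "com.apple.quarantine", str(path)]
    return subprocess.run(cmd, capture_output=True, check=False).returncode == 0

def audit_bundle(bundle: Path) -> dict:
    """Flag bundles whose main executable is an interpreter script rather than a Mach-O binary."""
    exe = main_executable(bundle)
    head = exe.read_bytes()[:4] if exe and exe.is_file() else b""
    report = {"bundle": bundle.name,
              "has_info_plist": (bundle / "Contents" / "Info.plist").is_file(),
              "main_executable": exe.name if exe else None,
              "is_script": head.startswith(b"#!"),
              "is_macho": head in MACHO_MAGICS,
              "quarantined": is_quarantined(bundle)}
    # Gatekeeper did not assess script-backed bundles, so these deserve a manual `spctl --assess`.
    report["suspicious"] = bool(exe) and not report["is_macho"]
    return report

def demo() -> list:
    """Audit two constructed bundles: a plist-less script-backed one and a Mach-O one."""
    root = Path(tempfile.mkdtemp())
    bad = root / "Innocuous.app" / "Contents" / "MacOS"
    bad.mkdir(parents=True)  # deliberately no Info.plist, only a script
    (bad / "Innocuous").write_text("#!/bin/sh\necho 'constructed sample script'\n")
    good = root / "Benign.app" / "Contents"
    (good / "MacOS").mkdir(parents=True)
    (good / "MacOS" / "Benign").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
    (good / "Info.plist").write_bytes(plistlib.dumps({"CFBundleExecutable": "Benign"}))
    return [audit_bundle(root / n) for n in ("Innocuous.app", "Benign.app")]
```

On a real Mac, bundles reported as suspicious should be followed up with `spctl --assess --type execute <bundle>` to see what Gatekeeper itself now says about them.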

A previous Gatekeeper flaw was exploited to sneak malicious code in as "signed" software in two ways: the first inserted malware into the code libraries, or dylibs, that most large applications share, while the second bundled malware into compressed installer packages (.dmg files) for signed software.

However, Apple's attempt to patch that vulnerability by adding verification of dylibs, which blocked the first method, was too narrow to contain the flaw. It remains clear that Gatekeeper still does not block every piece of unsigned software; only the most obvious cases get blocked.

Mac users are therefore advised to update to the latest version of macOS to mitigate the risk associated with the Gatekeeper flaws.