Apple Patches macOS Security Bypass Vulnerability Exploited by ‘Shlayer’ Malware

Apple Patches macOS Security Bypass Vulnerability Exploited by ‘Shlayer’ Malware

Apple has patched a serious security bypass vulnerability in macOS that has been exploited in the wild by at least one threat group.

The tech giant on Monday informed customers that it has patched tens of vulnerabilities in macOS Catalina, Mojave and Big Sur. The Big Sur update fixes nearly 60 security holes, including a logic issue tracked as CVE-2021-30657 that, Apple says, can allow a malicious application to bypass Gatekeeper checks.

macOS has three main security mechanisms designed to protect users against malicious files downloaded from the internet: file quarantine, which prompts the user and asks for confirmation when executing a file; Gatekeeper, which checks code-signing information to ensure an application comes from a trusted developer and it has not been tampered with; and notarization, which involves automatically scanning software for malicious content before it is allowed to run.

The vulnerability tracked as CVE-2021-30657 can be exploited to bypass file quarantine, Gatekeeper and notarization using specially crafted applications. Specifically, a script-based application that does not contain an “Info.plist” configuration file is misclassified by Apple’s security mechanisms and is allowed to run without prompting the user.

Apple has credited “an anonymous researcher” for reporting the bug, but the issue was apparently reported to the tech giant by researcher Cedric Owens on March 25. Owens on Monday published a blog post detailing his findings. He also pointed out that an open source application named appify, which allows users to create “the simplest possible Mac app from a shell script,” has been generating apps that unintentionally exploit the vulnerability.

Patrick Wardle, a researcher who specializes in the security of Apple products, published a lengthy blog post on Monday to describe the vulnerability and its root cause in detail. Wardle has created a proof-of-concept (PoC) exploit that is disguised as a harmless PDF document and which executes an application on the compromised device when opened, without the user seeing any warnings.

The researcher said the vulnerability was apparently introduced in macOS 10.15 and older versions of the operating system do not seem to be affected. Apple only patched the issue in macOS Big Sur. 

“Though this bug is now patched, it clearly (yet again) illustrates that macOS is not impervious to incredible shallow, yet hugely impactful flaws. How shallow? Well that fact that a legitimate developer tool (appify) would inadvertently trigger the bug is beyond laughable (and sad).” Wardle said.

Wardle has asked Apple device management company Jamf — Jamf in 2019 acquired a Mac endpoint security company founded by Wardle — to look for threats that may have abused this weakness in the wild. Sure enough, Jamf researchers discovered that a variant of the Shlayer malware, which drops adware on infected devices, had been leveraging the vulnerability since at least January 9, 2021, to bypass the file quarantine, notarization and Gatekeeper.

In the attacks observed by Jamf, hackers had used poisoned search engine results to deliver the malware. The developers of Shlayer have been known to come up with clever ways to bypass Apple security mechanisms. Last year, they were spotted delivering notarized exploits.

Apple on Monday also released an iOS update to patch 50 vulnerabilities, as well as security updates for Safari, Xcode and iCloud for Windows.

Related: Mac Malware Targeting Apple’s M1 Chip Emerges

Related: Mysterious Mac Malware Infected at Least 30,000 Devices Worldwide

Related: Mac Malware ‘XCSSET’ Adapted for Devices With M1 Chips

picture 106

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:
tag iconTags:

Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here