These bundles include a list of properties that tell the app where specific files it needs to use are located.īy taking out the property file and creating a bundle in a certain way, threat actors can exploit the flaw to be misrecognized by the OS and thus pass through the security checks, Wardle said in his post. The key to how the bug works lies in the way macOS apps identify files, which is not as single entities but instead as bundles of different files. How the bug does this is by setting into motion a logic bug in macOS’ underlying code so that it mischaracterizes certain application bundles and skipps the usual security checks, Wardle explained. The feature introduced Application Notarization to ensure that Apple has scanned and approved all software before it is allowed to run, according to the post.īy being able to bypass all of them, the zero-day bug, then, provides a triple threat that basically gives malware a free pass into the system. Notarization is the newest security feature of the three, introduced in macOS Catalina (10.15) and aimed at once again preventing users from sabotaging themselves. Gatekeeper checks the code-signing information of downloaded items, blocking those that do not adhere to system policies, Wardle said. However, since users kept ignoring the warning and letting malware pass through, Apple introduced Gatekeeper in OSX Lion (10.7) as a feature built atop File Quarantine. The three features that the flaw could bypass actually show a steady progression of macOS security, with the company reinforcing each feature to make the OS inherently less penetrable, Wardle explained.įile Quarantine, was introduced in OSX Leopard (10.5) in 2007, provides the first warning to the user that requires explicit confirmation before allowing a newly downloaded file to execute, he wrote. Wardle’s report takes an extensive technical look at the bug, finding that CVE-2021–30657 could bypass three key anti-malware detections present in macOS-File Quarantine, Gatekeeper and Notarization, he wrote in his post.Īpple has always considered itself a stickler for security with a focus on locking down its proprietary hardware products against malware–which makes the existence of this particular zero-day bug somewhat ironic. dmg–no pop ups or warnings from macOS are generated,” Owens wrote in a post on his Medium blog Monday. dmg and double-click the fake app inside of the. “This payload can be used in phishing and all the victim has to do is double-click to open the. Owens said he tested his exploit for the bug successfully on macOS Catalina 10.15–specifically on 10.15.7–and on versions of macOS Big Sur before Big Sur 11.3, submitting a report to Apple about the vulnerability on March 25. Owens asked Wardle to do a deeper technical dive of the bug after his initial analysis and report on it. “This bug trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk,” warned Patrick Wardle, an Apple security expert who runs the Objective-See Mac security tool site, in a blog post Monday. Click above to hone your defense intelligence! Download “The Evolution of Ransomware” to gain valuable insights on emerging trends amidst rapidly growing attack volumes.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |