Apple has fixed a zero-day vulnerability in macOS that the Shlayer malware was exploiting in the wild to bypass the File Quarantine, Gatekeeper and notarization checks and download second-stage malicious payloads.
Shlayer is a multi-stage trojan that, according to Kaspersky's telemetry, attacked over 10% of all Macs. Its developers had already managed, in 2020, to get malicious payloads through Apple's automated notarization process.
Once an app passes that automated check it is notarized, and Gatekeeper, the macOS feature that verifies downloaded apps have been screened for known malicious content, allows it to run on the system without a warning.
The Jamf Protect detection team discovered that the Shlayer operators had been shipping unsigned and unnotarized samples that exploited a zero-day vulnerability (tracked as CVE-2021-30657) since January 2021. Security engineer Cedric Owens independently discovered the flaw and reported it to Apple in March 2021.
According to security researcher Patrick Wardle, the now-fixed bug takes advantage of a logic flaw in the way Gatekeeper checked whether app bundles were notarized, and it worked on fully patched macOS systems.
He stated that the vulnerability could lead to the misclassification of certain applications, causing the policy engine to skip essential security logic such as alerting the user and blocking the untrusted application.
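The bundle shape behind that misclassification is documented in the public write-ups on CVE-2021-30657 rather than in this article: an app bundle with no Contents/Info.plist whose main executable is a script instead of a Mach-O binary was not treated as an application, so the quarantine and notarization checks never ran. The following triage script is an added example written for this page; it is not code from the article, from Jamf, or from the researchers named above. The function names (`exe_kind`, `triage_bundle`, `make_samples`) and the sample bundles it builds are constructed for illustration. It only reads files, so it runs on Linux against bundles copied off a Mac as well as on macOS itself.

```shell
#!/usr/bin/env bash
# Added triage helper (not from the article, Jamf, Owens or Wardle).
# Flags .app bundles with the shape that CVE-2021-30657 abused: no
# Contents/Info.plist and a script, not a Mach-O, as the main executable.

# Classify a main executable by its first bytes: "#!" shebang => script,
# Mach-O or fat magic => macho, anything else => unknown.
exe_kind() {
  local magic
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$magic" in
    2321*)                                        echo script ;;
    feedface|cefaedfe|feedfacf|cffaedfe|cafebabe) echo macho ;;
    *)                                            echo unknown ;;
  esac
}

# Triage one .app directory. Exit status: 0 = normal shape,
# 1 = Info.plist missing (the misclassification trigger), 2 = malformed bundle.
triage_bundle() {
  local app="$1" macos="$1/Contents/MacOS" plist="$1/Contents/Info.plist"
  local exe kind quarantine

  [ -d "$macos" ] || { echo "MALFORMED  $app: no Contents/MacOS"; return 2; }
  exe=$(find "$macos" -maxdepth 1 -type f | head -n 1)
  [ -n "$exe" ]   || { echo "MALFORMED  $app: no main executable"; return 2; }
  kind=$(exe_kind "$exe")

  # On macOS only: does the download still carry the quarantine attribute
  # that File Quarantine and Gatekeeper key off? (xattr is absent on Linux.)
  quarantine="n/a"
  if command -v xattr >/dev/null 2>&1; then
    if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
      quarantine="present"
    else
      quarantine="absent"
    fi
  fi

  if [ ! -f "$plist" ]; then
    echo "SUSPICIOUS $app: no Info.plist, main executable is a $kind (quarantine: $quarantine)"
    return 1
  fi
  echo "OK         $app: Info.plist present, main executable is a $kind (quarantine: $quarantine)"
  return 0
}

# Constructed sample bundles (not real malware) to exercise the checks.
make_samples() {
  local root="$1"
  # A normal bundle: Info.plist plus a Mach-O-looking executable (MH_MAGIC_64 bytes only).
  mkdir -p "$root/Good.app/Contents/MacOS"
  printf '<plist version="1.0"><dict><key>CFBundleExecutable</key><string>Good</string></dict></plist>\n' \
    > "$root/Good.app/Contents/Info.plist"
  printf '\317\372\355\376' > "$root/Good.app/Contents/MacOS/Good"
  # The Shlayer-style shape: no Info.plist, a shell script as the main executable.
  mkdir -p "$root/Installer.app/Contents/MacOS"
  printf '#!/bin/sh\necho "stage two would be fetched here"\n' \
    > "$root/Installer.app/Contents/MacOS/Installer"
  chmod +x "$root/Installer.app/Contents/MacOS/Installer"
  # A broken bundle with no executable at all.
  mkdir -p "$root/Empty.app/Contents"
}

# Stand-alone run: build the samples in a temp dir and triage each one.
tmp=$(mktemp -d)
make_samples "$tmp"
for app in "$tmp"/*.app; do
  triage_bundle "$app" || true
done
rm -rf "$tmp"
```

On a real Mac, pair the output with `spctl --assess --type execute -v /path/to/App.app` and `codesign -dv /path/to/App.app` to see what the policy engine itself decides; a bundle reported SUSPICIOUS here that also lacks a signature is worth pulling for analysis rather than opening.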
The malware variants that abuse this zero-day, distributed through poisoned search-engine results and compromised websites, launch with a simple double-click and no Gatekeeper prompt.
Apple has now fixed the vulnerability in macOS Big Sur 11.3, blocking the malware campaigns that were actively abusing it.
With the update installed, users who try to open such an app are warned that it "cannot be opened because the developer cannot be identified" and are advised to eject the mounted disk image because it may contain malware.