Apple patches macOS Gatekeeper bypass vulnerability exploited in the wild

The patch tackles a zero-day bug actively exploited by Shlayer malware.

Apple has issued a slew of security fixes resolving issues including an actively exploited zero-day flaw and a separate Gatekeeper bypass vulnerability. 

The Cupertino, Calif.-based giant's latest round of security patches was issued on Monday as part of macOS Big Sur 11.3.

One of the most notable fixes is for a vulnerability found by Cedric Owens. Tracked as CVE-2021-30657, the vulnerability allows attackers to bypass Gatekeeper, Apple's built-in protection mechanism for code signing and verification. 

In a Medium blog post, Owens describes how threat actors could "easily craft" a macOS payload that is not checked by Gatekeeper.

"This payload can be used in phishing and all the victim has to do is double click to open the .dmg and double-click the fake app inside of the .dmg -- no pop-ups or warnings from macOS are generated," the researcher said. 

Working with security expert Patrick Wardle, the duo then realized the root of the issue is a logic bug in the policy subsystem (syspolicyd) that permitted malicious apps to bypass Apple's security mechanism. 

"Though unsigned (and unnotarized) the malware is able to run (and download & execute 2nd-stage payloads), bypassing all File Quarantine, Gatekeeper, and Notarization requirements," Wardle noted.

According to Wardle and Jamf researchers, the vulnerability has unfortunately been exploited in the wild as a zero-day for months. 

The malware in question is Shlayer, adware which has recently been re-packaged to exploit CVE-2021-30657. It is thought the vulnerability may have been exploited from January 9 this year.

The vulnerability was reported on March 25 and was patched on March 30. 

"Kudos to Apple for quickly fixing the bug I reported to them," Owens said on Twitter.

Apple said within its security advisory that the vulnerability was patched through "improved state management."

A separate vulnerability of note is CVE-2021-1810, discovered in late 2020 by F-Secure researchers. This security flaw can also be used to bypass macOS Gatekeeper's code signature and notarization checks.

The company has chosen not to release the technical details of the bug until users have had more time to update their software. However, the team says that a crafted, malicious .zip file -- sent via phishing, for example -- is all that is required to trigger the vulnerability. 

"Any software distributed as a .zip file could contain an exploit for this vulnerability," F-Secure says. "There are a few mitigating factors though. For one, applications downloaded via Apple's App Store are not affected by this issue. Similarly, applications delivered as macOS Installer packages (.pkg, .mpkg) contain an installer certificate which is verified independently from Gatekeeper."
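Both bugs above come down to the same question for a defender: was a downloaded item actually assessed by Gatekeeper, and what would the assessment have said? The following shell script is an added example (not code from the article, from Apple, or from the researchers quoted) that gathers the signals Gatekeeper relies on for an app bundle, and falls back to the installer certificate check that F-Secure notes is independent of Gatekeeper for .pkg/.mpkg files. It assumes a macOS host with `xattr`, `spctl`, `codesign` and `pkgutil` available; the paths are placeholders, and the parsing helpers are assumptions that only interpret the text those tools print. It is a triage aid, not a detector for the specific bypass: a logic bug that skips the check leaves the policy verdict itself unchanged.

```shell
#!/bin/sh
# Added example, not code from the article, Apple, or the researchers quoted.
# Audits a downloaded macOS artifact for the signals Gatekeeper relies on:
# the com.apple.quarantine attribute, the spctl assessment, and the signing
# authority. Assumes macOS with xattr(1), spctl(8), codesign(1) and pkgutil(1).
# The item path is a placeholder; the helper functions are pure text parsing.

# Reduce `spctl --assess` output to a one-word verdict.
classify_spctl() {
    case "$1" in
        *": accepted"*) echo accepted ;;
        *": rejected"*) echo rejected ;;
        *)              echo unknown ;;
    esac
}

# Extract the "source=" line that `spctl -vv` prints
# (e.g. "Notarized Developer ID" or "no usable signature").
spctl_source() {
    printf '%s\n' "$1" | sed -n 's/^source=//p' | head -n 1
}

# Return 0 when an `xattr -l` listing carries the quarantine flag.
# Without the flag, Gatekeeper is never consulted when the item is opened.
has_quarantine() {
    case "$1" in
        *com.apple.quarantine*) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Full audit of an .app bundle or .pkg/.mpkg installer on macOS.
audit_item() {
    item="$1"
    [ -e "$item" ] || { echo "no such item: $item" >&2; return 2; }

    attrs=$(xattr -l "$item" 2>/dev/null)
    if has_quarantine "$attrs"; then
        echo "quarantine: present (Gatekeeper will assess on first open)"
    else
        echo "quarantine: absent (Gatekeeper will NOT assess on open)"
    fi

    case "$item" in
        *.pkg|*.mpkg)
            # Installer packages carry their own certificate, which the
            # installer verifies independently of Gatekeeper.
            pkgutil --check-signature "$item" 2>&1 | sed -n '1,6p'
            ;;
        *)
            out=$(spctl --assess --type execute -vv "$item" 2>&1)
            echo "gatekeeper: $(classify_spctl "$out") ($(spctl_source "$out"))"
            # Signing identity fields relevant to notarization.
            codesign -dv --verbose=4 "$item" 2>&1 |
                grep -E '^(Identifier|TeamIdentifier|Authority)='
            ;;
    esac
}

# Usage (placeholder path):
#   audit_item "$HOME/Downloads/Example.app"
```

The quarantine line is the one to read first: an app that arrives in a .dmg or .zip and lands on disk without `com.apple.quarantine` is never shown to Gatekeeper at all, which is exactly the "no pop-ups or warnings" outcome Owens describes, and an unsigned or unnotarized verdict from `spctl` on such an item is what the user should have seen.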

There is currently no evidence of CVE-2021-1810 being exploited in the wild. 

In February, Apple issued a fix for a vulnerability in the installer for Big Sur 11.2/11.3 which could have led to severe data loss. 

Alongside security fixes for macOS, Apple also introduced data collection limitations in iOS 14.5, a feature that is proving to be controversial. 

The system, dubbed App Tracking Transparency (ATT), has now been rolled out following a lengthy beta. ATT requires apps to obtain explicit consent to track users across different apps and services beyond their own platforms. As a result, the move is likely a blow to organizations that offer targeted advertising, only made possible by creating detailed profiles of users and their online habits. 

Facebook has proven to be one of ATT's most vocal critics.
