Apple Fixes Mac Bug that Let Malware Bypass Gatekeeper Security
Apple has fixed a major security vulnerability in macOS that could let bad actors bypass Gatekeeper security to download and deploy malware without the user finding out — reports BleepingComputer.
Gatekeeper is a macOS security feature that checks an app the first time it is opened to ensure it is signed by a registered developer and has been notarized (verified) by Apple. Whenever a browser or other downloader saves a file, it tags the file with the com.apple.quarantine extended attribute; that attribute is what instructs Gatekeeper to inspect the file when it is opened (on a Mac, xattr -l <file> lists it).
The security flaw, dubbed “Achilles,” prevents macOS from assigning the com.apple.quarantine attribute to the payload inside a downloaded ZIP file. It was discovered by a Microsoft researcher and is tracked as CVE-2022-42821.
The Achilles flaw lets a specially crafted payload abuse a logic issue: restrictive Access Control List (ACL) entries attached to the payload block web browsers and other Internet downloaders from setting the com.apple.quarantine attribute on it when it is delivered archived as a ZIP file. (On a Mac, ls -le shows any ACL entries attached to a file.)
As a result, the malicious app contained in the archive launches on the target’s system without the quarantine tag, so Gatekeeper never blocks it, and an attacker can download and deploy malware.
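As an added illustration of the mechanism described above (this is example code written for this page, not code from the article or from Microsoft's research), the following Python script scans a ZIP archive for macOS metadata that carries a deny ACL on the writeattr or writeextattr rights, the rights that would stop a downloader from writing the quarantine attribute. It assumes that macOS archiving tools store extended attributes, including the ACL as the com.apple.acl.text attribute, in AppleDouble sidecar files under __MACOSX/ inside the ZIP; the AppleDouble/xattr byte layout, the ACL text format, the sidecar naming and the sample archives are all assumptions constructed by the script itself, not taken from a real Achilles payload.

```python
import io
import struct
import zipfile

# Layout assumed from the AppleDouble "._" sidecar format; not taken from the article.
ADH_MAGIC, ADH_VERSION = 0x00051607, 0x00020000
AD_FINDERINFO, AD_RESOURCE = 9, 2
FINDERINFO_SIZE = 32
ATTR_MAGIC = b"ATTR"
ACL_XATTR = "com.apple.acl.text"
# Deny rights that would block a downloader from writing com.apple.quarantine.
BLOCKING_RIGHTS = {"writeattr", "writeextattr"}


def build_appledouble(xattrs: dict) -> bytes:
    """Construct a minimal AppleDouble blob carrying the given extended attributes (test fixture)."""
    names = [n.encode() + b"\x00" for n in xattrs]
    finfo_off = 26 + 2 * 12                      # header + two entry descriptors
    attr_off = finfo_off + FINDERINFO_SIZE + 2   # 2 pad bytes -> 4-byte aligned ATTR header
    table = sum((11 + len(raw) + 3) & ~3 for raw in names)
    data_start = attr_off + 36 + table
    data = b"".join(xattrs.values())
    total = data_start + len(data)
    out = bytearray(struct.pack(">II16sH", ADH_MAGIC, ADH_VERSION, b"\x00" * 16, 2))
    out += struct.pack(">III", AD_FINDERINFO, finfo_off, total - finfo_off)
    out += struct.pack(">III", AD_RESOURCE, total, 0)
    out += b"\x00" * FINDERINFO_SIZE + b"\x00\x00"
    out += ATTR_MAGIC + struct.pack(">IIII", 0, total, data_start, len(data))
    out += b"\x00" * 12 + struct.pack(">HH", 0, len(xattrs))
    off = data_start
    for raw, value in zip(names, xattrs.values()):
        ent = struct.pack(">IIHB", off, len(value), 0, len(raw)) + raw
        out += ent + b"\x00" * (-len(ent) % 4)
        off += len(value)
    return bytes(out + data)


def parse_appledouble_xattrs(blob: bytes) -> dict:
    """Return {name: value} for the xattrs stored in an AppleDouble blob, {} if none are found."""
    if len(blob) < 26:
        return {}
    magic, version, count = struct.unpack_from(">II16xH", blob, 0)
    if magic != ADH_MAGIC or version != ADH_VERSION:
        return {}
    finfo = None
    for i in range(count):
        etype, off, length = struct.unpack_from(">III", blob, 26 + 12 * i)
        if etype == AD_FINDERINFO:
            finfo = (off, length)
    if finfo is None or finfo[1] <= FINDERINFO_SIZE:
        return {}                                # Finder Info only, no xattr area
    start = finfo[0] + FINDERINFO_SIZE
    pos = blob.find(ATTR_MAGIC, start, start + 8)  # tolerate 0..2 alignment pad bytes
    if pos < 0 or pos + 36 > len(blob):
        return {}
    _, _, _, _, _, nattrs = struct.unpack_from(">IIII12xHH", blob, pos + 4)
    result, p = {}, pos + 36
    for _ in range(nattrs):
        if p + 11 > len(blob):
            break
        off, length, _, namelen = struct.unpack_from(">IIHB", blob, p)
        name = blob[p + 11:p + 11 + namelen].rstrip(b"\x00").decode("utf-8", "replace")
        if off + length <= len(blob):
            result[name] = blob[off:off + length]
        p += (11 + namelen + 3) & ~3
    return result


def restrictive_acl_entries(acl_text: str) -> list:
    """Return deny entries whose rights would block setting extended attributes."""
    hits = []
    for line in acl_text.splitlines():
        fields = line.split(":")   # assumed: kind:uuid:name:id:allow|deny:right,right[,...]
        if len(fields) >= 6 and fields[4] == "deny" and set(fields[5].split(",")) & BLOCKING_RIGHTS:
            hits.append(line)
    return hits


def scan_zip(zip_bytes: bytes) -> dict:
    """Map each archived path to the blocking deny entries found in its __MACOSX/._ sidecar."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            parts = info.filename.split("/")
            if parts[0] != "__MACOSX" or not parts[-1].startswith("._"):
                continue
            target = "/".join(parts[1:-1] + [parts[-1][2:]])
            acl = parse_appledouble_xattrs(zf.read(info)).get(ACL_XATTR)
            if acl is not None:
                hits = restrictive_acl_entries(acl.decode("utf-8", "replace"))
                if hits:
                    findings[target] = hits
    return findings


# Constructed sample ACL texts (well-known "everyone" group UUID; format is an assumption).
EVERYONE = "ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C"
DENY_ACL = f"!#acl 1\ngroup:{EVERYONE}:everyone:12:deny:writeattr,writeextattr\n"
BENIGN_ACL = f"!#acl 1\ngroup:{EVERYONE}:everyone:12:allow:read\n"


def build_sample_zip(acl_text: str) -> bytes:
    """Construct a ZIP resembling one written by macOS tools, with an ACL-bearing sidecar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.app/Contents/MacOS/payload", b"#!/bin/sh\necho hi\n")
        zf.writestr("__MACOSX/payload.app/Contents/MacOS/._payload",
                    build_appledouble({ACL_XATTR: acl_text.encode()}))
    return buf.getvalue()


if __name__ == "__main__":
    for label, acl in (("deny", DENY_ACL), ("benign", BENIGN_ACL)):
        print(label, scan_zip(build_sample_zip(acl)))
```

Run the script as-is to see the constructed deny-ACL archive flagged and the benign one pass; to triage a real download, call scan_zip on the file's bytes. A hit is only a signal that the archive carries ACL metadata of the kind Achilles abuses; the patched macOS versions listed below are the actual fix.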
Even Apple’s Lockdown Mode, an enhanced security feature introduced in macOS Ventura and iOS 16 to defend against targeted spyware attacks, is vulnerable to this bug. Lockdown Mode “is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles,” Microsoft said on Monday.
Fortunately, Apple patched this serious security flaw in macOS 13.1, macOS 12.6.2, and macOS 11.7.2 last week.
To make sure you’re protected against Achilles, update your Mac to the latest available macOS release. If you don’t want to (or can’t) move to macOS 13 (Ventura), install the latest update of macOS 12 (Monterey) or macOS 11 (Big Sur); 12.6.2 and 11.7.2 carry the same fix.