Apple recently fixed a zero-day flaw in macOS that could bypass the operating system’s anti-malware protections. The research also shows that a variant of the well-known Shlayer malware has already been exploiting the flaw for several months.
CVE-2021-30657 Zero-Day Technical Overview
The vulnerability was discovered by security researcher Cedric Owens and is tracked as CVE-2021-30657. Patrick Wardle, whom Owens asked to provide a deeper analysis, explains that the bug trivially circumvents several core Apple security mechanisms, posing a serious threat to Mac users.
The exploit was tested on macOS Catalina 10.15 and on Big Sur versions before 11.3. Owens reported the issue to Apple on March 25.
“This payload can be used in phishing and all the victim has to do is double-click to open the .dmg and double-click the fake app inside of the .dmg–no pop ups or warnings from macOS are generated,” Owens explained on his Medium blog.
Wardle's more extensive analysis showed that CVE-2021-30657 bypasses three key anti-malware protections in macOS: File Quarantine, Gatekeeper, and Notarization. Notarization is the newest of the three and has been enforced by default since macOS Catalina (10.15). It requires developers to submit their software to Apple's automated malware scan; Gatekeeper then checks for a valid notarization ticket before it lets downloaded software run.
Triple Threat Zero-Day
In short, the zero-day is a triple threat that lets malware onto the system without any friction. According to Wardle's analysis, the exploit triggers a logic bug in macOS' policy code that mischaracterizes certain application bundles, so the usual security checks are skipped. The root of the problem is how macOS packages applications: an app is a bundle, a directory with a defined layout rather than a single file, and the bundle's Info.plist property list tells the system where the files it needs, above all the main executable, are located.
“Any script-based application that does not contain an Info.plist file will be misclassified as ‘not a bundle’ and thus will be allowed to execute with no alerts nor prompts,” Wardle added.
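The bundle shape Wardle describes is easy to hunt for on disk: a `.app` directory whose `Contents/` has no `Info.plist` while `Contents/MacOS/` holds a script rather than a Mach-O binary. The following scanner is an added example, not code from the article, from Owens or from Wardle; the function names, the "script starts with `#!`" heuristic and the two constructed sample bundles are this example's own assumptions. It is a triage aid for mounted disk images or a Downloads folder, not a replacement for updating to a fixed macOS release.

```python
"""Heuristic scanner for .app bundles shaped like the CVE-2021-30657 bypass.

Added example, not code from the article, from Cedric Owens or from Patrick
Wardle. It encodes the bundle shape Wardle describes: a .app directory whose
Contents/ has no Info.plist while Contents/MacOS/ holds a script (a file that
begins with '#!') instead of a Mach-O binary. Function names and the sample
bundles built by build_samples() are this example's own.
"""
import os
import sys
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    bundle: str      # path of the flagged .app directory
    reasons: list    # why it was flagged


def _head(path: str, n: int = 16) -> bytes:
    """Read the first n bytes of a file, or b'' if it cannot be read."""
    try:
        with open(path, "rb") as fh:
            return fh.read(n)
    except OSError:
        return b""


def classify_bundle(app_dir: str) -> list:
    """Return the reasons app_dir matches the malformed-bundle shape, or [] if not.

    A normal app carries Contents/Info.plist; the bypass relies on its absence,
    so a bundle that has the plist is not the shape we are looking for here.
    """
    contents = os.path.join(app_dir, "Contents")
    if not os.path.isdir(contents):
        return []                       # not an application bundle layout
    if os.path.isfile(os.path.join(contents, "Info.plist")):
        return []                       # well-formed; policy checks apply
    macos_dir = os.path.join(contents, "MacOS")
    if not os.path.isdir(macos_dir):
        return []                       # nothing to launch
    executables = sorted(
        os.path.join(macos_dir, n) for n in os.listdir(macos_dir)
        if os.path.isfile(os.path.join(macos_dir, n))
    )
    if not executables:
        return []
    reasons = ["Contents/Info.plist missing"]
    for exe in executables:
        if _head(exe).startswith(b"#!"):
            reasons.append(f"Contents/MacOS/{os.path.basename(exe)} is a script")
    return reasons


def find_suspect_bundles(root: str) -> list:
    """Walk root and return a Finding for every .app that classify_bundle flags."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name.endswith(".app"):
                app = os.path.join(dirpath, name)
                reasons = classify_bundle(app)
                if reasons:
                    findings.append(Finding(app, reasons))
    return sorted(findings, key=lambda f: f.bundle)


def build_samples(root: str) -> None:
    """Constructed sample data: one ordinary-looking bundle, one in the bypass shape."""
    good = os.path.join(root, "Good.app", "Contents")
    os.makedirs(os.path.join(good, "MacOS"))
    with open(os.path.join(good, "Info.plist"), "wb") as fh:
        fh.write(b'<?xml version="1.0"?><plist version="1.0"><dict/></plist>')
    with open(os.path.join(good, "MacOS", "Good"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)   # MH_MAGIC_64 bytes only, not a real binary
    bad = os.path.join(root, "Installer.app", "Contents", "MacOS")
    os.makedirs(bad)                                      # deliberately no Info.plist
    with open(os.path.join(bad, "Installer"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho 'this is the shape that launched with no prompt'\n")


def demo() -> list:
    """Build the samples in a temp directory, scan it and return the findings."""
    root = tempfile.mkdtemp(prefix="bundle-scan-")
    build_samples(root)
    return find_suspect_bundles(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = find_suspect_bundles(target) if target else demo()
    for f in results:
        print(f"SUSPECT {f.bundle}: {'; '.join(f.reasons)}")
```

Run it with a path (for example the mount point of a downloaded `.dmg`) to scan real bundles, or without arguments to scan the constructed samples; only `Installer.app` is reported. The heuristic is intentionally narrow, so a bundle that carries an Info.plist is never flagged, and it says nothing about whether the host has already been patched.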
Later analysis by Jamf revealed that the vulnerability had already been exploited in the wild.
“Shlayer malware detected allows an attacker to bypass Gatekeeper, Notarization and File Quarantine security technologies in macOS. The exploit allows unapproved software to run on Mac and is distributed via compromised websites or poisoned search engine results,” Jamf researchers confirmed.
Previous Shlayer Malware Attacks
The Shlayer malware was already known for disabling Gatekeeper in attacks against macOS users. Shlayer is a multi-stage malware whose later stages can escalate privileges. It was first discovered in February 2018 by Intego researchers.
It is also noteworthy that Shlayer was previously distributed in large-scale malvertising campaigns in which approximately 1 million user sessions were potentially exposed.
To prevent these attacks, users should update immediately to macOS Big Sur 11.3 or later, the release in which Apple fixed CVE-2021-30657; because the flaw is already being exploited, the update should not be postponed.