Apple has patched a nasty macOS bug that could have allowed malicious applications to circumvent the operating system’s in-built security protections.
As reported by Bleeping Computer, the flaw was first discovered by Gordon Long, Offensive Security Engineer at Box. According to Long, the vulnerability could allow a specially crafted, script-based application to be launched on a Mac device without Gatekeeper (an antivirus service that verifies the authenticity of all downloaded apps) ever triggering an alarm.
For the attack to work, the app would need to use a script whose first line starts with the shebang characters (#!) but is otherwise empty. That way, the Unix shell would run the script even though it specifies no command interpreter.
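As an added, defender-side illustration (not code from the article, Apple, or the researchers): a hypothetical triage script that resolves an .app bundle's main executable through its Info.plist and flags the shape described above, a script whose first line is a shebang naming no interpreter. The bundle layout it expects and the sample bundles it constructs are assumptions made for offline testing.

```python
import os
import plistlib
import tempfile

# Hypothetical audit helper: classifies an .app bundle's main executable and
# flags a script whose shebang line is empty (the "#!" with nothing after it).

def classify_first_line(data):
    """Classify the leading bytes of an executable: Mach-O, script, or bare shebang."""
    if not data.startswith(b"#!"):
        return "not-a-script"
    rest = data.split(b"\n", 1)[0][2:].strip()   # text after "#!" on line one
    if not rest:
        return "bare-shebang"                     # no interpreter named: flag it
    return "interpreter:" + rest.split()[0].decode("utf-8", "replace")

def main_executable(bundle):
    """Return Contents/MacOS/<CFBundleExecutable> from Info.plist, or None."""
    plist_path = os.path.join(bundle, "Contents", "Info.plist")
    if not os.path.isfile(plist_path):
        return None
    with open(plist_path, "rb") as fh:
        exe = plistlib.load(fh).get("CFBundleExecutable")
    if not exe:
        return None
    path = os.path.join(bundle, "Contents", "MacOS", exe)
    return path if os.path.isfile(path) else None

def audit_bundle(bundle):
    """Return a finding record for one bundle; 'flag' is True for a bare shebang."""
    exe = main_executable(bundle)
    if exe is None:
        return {"bundle": bundle, "status": "no-main-executable", "flag": False}
    with open(exe, "rb") as fh:
        kind = classify_first_line(fh.read(512))  # first line is all we need
    return {"bundle": bundle, "executable": exe, "status": kind,
            "flag": kind == "bare-shebang"}

def make_sample_bundle(root, name, first_line):
    """Build a minimal constructed .app bundle on disk for offline testing."""
    bundle = os.path.join(root, name + ".app")
    macos = os.path.join(bundle, "Contents", "MacOS")
    os.makedirs(macos)
    with open(os.path.join(bundle, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": name}, fh)
    with open(os.path.join(macos, name), "wb") as fh:
        fh.write(first_line + b"\necho hello\n")   # constructed sample body
    return bundle

def demo():
    """Audit one bare-shebang sample and one ordinary /bin/sh script sample."""
    root = tempfile.mkdtemp()
    bare = audit_bundle(make_sample_bundle(root, "Bare", b"#!"))
    normal = audit_bundle(make_sample_bundle(root, "Normal", b"#!/bin/sh"))
    return bare, normal
```

On a live system the same check can be run over each bundle a quarantine-aware launcher is about to open; a bare-shebang result is the case the patch in macOS 11.6 closes.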
Apple released a patch for the vulnerability in its September 2021 update, bringing the OS to version 11.6. Users of macOS 12 beta 6 are also protected, researchers confirmed.
macOS security bug
Objective-See security researcher Patrick Wardle has provided further insight into the exploit mechanism.
“The syspolicyd daemon will perform various policy checks and ultimately prevent the execution of untrusted applications, such as those that are unsigned or unnotarized,” he explained in a blog post.
“But, what if the AppleSystemPolicy kext decides that the syspolicyd daemon does not need to be invoked? Well then, the process is allowed! And if this decision is made incorrectly, well then, you have a lovely File Quarantine, Gatekeeper, and notarization bypass.”
Wardle also said that attackers can disguise the malicious app as a harmless PDF file which, as we all know, can be delivered in numerous ways, be it through email, poisoned search results, fake updates, or malware downloaded from shady websites.
After the victim runs the script, the attacker can then use it to download and run more potent malware, the report added.