Bug in macOS, Gatekeeper security can be bypassed by malware. : Cybercrime Awareness Society

esteria.white

The macOS operating system was recently patched for a security vulnerability that could be exploited by a malicious actor to bypass “myriad of macOS’s fundamental security mechanisms” and execute arbitrary code.

Patrick Wardle described the discovery in a series of tweets on Thursday. Tracked as CVE-2021-30853 (CVSS score: 5.5), the issue concerns a scenario in which a malicious macOS application can bypass Gatekeeper checks, which are meant to ensure that only trusted, notarized applications can run.

Apple said it fixed the vulnerability, reported by Box’s Gordon Long, with improved checks as part of the macOS 11.6 update officially released on September 20, 2021.

In a technical report on the vulnerability, Wardle said the flaw allows adware and malware to bypass macOS security mechanisms that would otherwise thwart infection attempts.

In particular, the bug sidesteps not only Gatekeeper but also macOS’s file quarantine and notarization requirements, allowing a seemingly innocuous PDF file to compromise the entire system simply by being opened. Wardle explains that the problem lies with unsigned, unnotarized script-based applications that do not explicitly specify an interpreter, which results in a complete bypass.

It should be noted that a shebang interpreter directive — such as #!/bin/sh or #!/bin/bash — is normally used to tell the system which interpreter should parse and run a script. In this edge-case attack, however, an adversary can craft an application that embeds a shebang line without providing an interpreter (i.e., a bare #!) and still get the operating system to execute the script without raising an alert.

“MacOS attempts (again) to run the script-based application ‘without an interpreter’ via the shell (‘/bin/sh’)” after the initial failure, Wardle explained.
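A defender-side audit of the bundle property described above, added here as an example that is not part of the original article or of Wardle’s research: it walks an .app bundle’s Contents/MacOS directory and flags any script-based executable whose shebang line names no interpreter, the shape that triggered the /bin/sh fallback. The bundle layout it inspects and the sample bundle it builds are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper: find script-based app executables whose shebang names
# no interpreter, the condition that triggered the CVE-2021-30853 bypass.

# classify_shebang FILE -> prints: binary | no-interpreter | interpreter=PATH
classify_shebang() {
    # Only the first line matters; a Mach-O binary never starts with "#!".
    first_line=$(head -n 1 "$1" | tr -d '\r')
    case "$first_line" in
        '#!'*)
            # Drop the two "#!" characters, then keep only the first token.
            interp=$(printf '%s' "${first_line#??}" |
                     sed 's/^[[:space:]]*//; s/[[:space:]].*$//')
            if [ -z "$interp" ]; then
                printf 'no-interpreter\n'   # bare "#!": macOS fell back to /bin/sh
            else
                printf 'interpreter=%s\n' "$interp"
            fi ;;
        *) printf 'binary\n' ;;
    esac
}

# audit_bundle APP_DIR -> reports each executable under Contents/MacOS;
# returns 1 if any is an interpreter-less script, 0 otherwise.
audit_bundle() {
    found=0
    for exe in "$1"/Contents/MacOS/*; do
        [ -f "$exe" ] || continue
        kind=$(classify_shebang "$exe")
        if [ "$kind" = "no-interpreter" ]; then
            printf 'SUSPICIOUS %s: script with empty shebang\n' "$exe"
            found=1
        else
            printf 'ok %s: %s\n' "$exe" "$kind"
        fi
    done
    return "$found"
}

# Demo on a constructed bundle (not a real sample); runs on any Unix.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Sample.app/Contents/MacOS"
    printf '#!\necho hello\n' > "$tmp/Sample.app/Contents/MacOS/Sample"
    if audit_bundle "$tmp/Sample.app"; then echo "clean"; else echo "flagged"; fi
    rm -rf "$tmp"
}
demo
```

This only spots the shebang shape; on a Mac, `codesign -dv` and `spctl --assess --type execute` on the same bundle give the signing status and Gatekeeper verdict that complete the picture.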

As a result, malicious actors can exploit this flaw by tricking their targets into installing a malicious application masquerading as Adobe Flash Player, or a trojanized version of a legitimate application such as Microsoft Office. These malicious apps are then distributed via a method called search poisoning, in which attackers artificially increase the search engine rankings of websites hosting their malware.

The Gatekeeper process has already been shown to have flaws. Last April, Apple patched a zero-day vulnerability (CVE-2021-30657) that had been actively exploited, allowing unapproved software to run on Macs.

Microsoft disclosed a vulnerability dubbed “Shrootless” (CVE-2021-30892) in October, which could be exploited to perform arbitrary operations, escalate privileges to root, and install rootkits on compromised devices. In its October 26 security update, Apple said it fixed the issue with additional restrictions.
