Microsoft discovers a vulnerability in macOS that allows malware to bypass security checks.

Microsoft has disclosed a concerning security flaw in the operating system of one of its main competitors: Apple’s macOS. Before it was patched, the vulnerability allowed attackers to circumvent Gatekeeper’s security checks and deploy malware on a target Mac.

Microsoft principal security researcher Jonathan Bar Or discovered the flaw in July and immediately shared it with Apple through the Microsoft Security Vulnerability Research (MSVR) program. The vulnerability, dubbed “Achilles,” allowed skilled attackers to circumvent Gatekeeper’s application execution restrictions. Not only could bad actors use Achilles to “get a foot in the door” before launching a larger attack, but they could also exploit the vulnerability in a way that would give larger macOS malware campaigns a greater impact.

On macOS devices, Gatekeeper typically allows only trusted applications to run. This is accomplished by checking downloaded software for the “com.apple.quarantine” attribute, which is only assigned to Apple-verified files. Achilles, by contrast, allowed custom malicious payloads to bypass Gatekeeper’s checks by taking advantage of restrictive Access Control Lists (ACLs) that prevent Safari, Apple’s web browser, from setting the com.apple.quarantine attribute on the contents of ZIP archives. This enabled malicious apps “hidden” within an archived payload to be launched on the victim’s macOS device.
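As an added defender-side check (not part of Microsoft’s or Apple’s tooling), the script below parses the output of the macOS commands `ls -le` and `xattr -l` and flags extracted files that carry an ACL denying `writeextattr` (which blocks the quarantine attribute from being set) but have no com.apple.quarantine attribute, the combination described above. The sample command output is constructed so the check runs offline; on a Mac, pass a folder path to audit it live.

```python
import re
import subprocess
import sys
# ACL entry line as printed by `ls -le` on macOS, e.g. " 0: group:everyone deny writeextattr"
ACL_RE = re.compile(r"^\s*\d+:\s+(\S+)\s+(allow|deny)\s+(\S+)\s*$")

def parse_ls_le(text):
    """Map each file name in `ls -le` output to its list of (who, allow|deny, rights)."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m and current is not None:
            acls[current].append((m.group(1), m.group(2), m.group(3).split(",")))
        elif line.strip() and not line.startswith("total"):
            current = line.split()[-1]   # last field is the name (names without spaces assumed)
            acls[current] = []
    return acls

def denies_xattr_write(entries):  # a deny on writeextattr blocks stamping com.apple.quarantine
    return any(kind == "deny" and "writeextattr" in rights for _, kind, rights in entries)

def has_quarantine(xattr_l_output):  # `xattr -l` prints each attribute name before a colon
    return any(l.startswith("com.apple.quarantine:") for l in xattr_l_output.splitlines())

def assess(ls_le_output, xattr_by_file):
    """Per-file verdict: 'suspicious' = deny-writeextattr ACL and no quarantine attribute."""
    verdicts = {}
    for name, entries in parse_ls_le(ls_le_output).items():
        quarantined = has_quarantine(xattr_by_file.get(name, ""))
        if denies_xattr_write(entries) and not quarantined:
            verdicts[name] = "suspicious"
        else:
            verdicts[name] = "ok" if quarantined else "unquarantined"
    return verdicts
# Constructed sample output standing in for a freshly extracted download folder.
SAMPLE_LS = """total 16
-rw-r--r--  1 user  staff  1204 Dec 20 10:01 README.txt
-rwxr-xr-x+ 1 user  staff  8820 Dec 20 10:01 app.command
 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown
"""
SAMPLE_XATTR = {"README.txt": "com.apple.quarantine: 0083;63a1b2c3;Safari;CONSTRUCTED-UUID", "app.command": ""}

if __name__ == "__main__":
    ls_out, xattrs = SAMPLE_LS, SAMPLE_XATTR
    if len(sys.argv) == 2 and sys.platform == "darwin":   # live check of one folder on a Mac
        ls_out = subprocess.run(["ls", "-le", sys.argv[1]], capture_output=True, text=True).stdout
        xattrs = {n: subprocess.run(["xattr", "-l", f"{sys.argv[1]}/{n}"], capture_output=True,
                                    text=True).stdout for n in parse_ls_le(ls_out)}
    for name, verdict in assess(ls_out, xattrs).items():
        print(f"{verdict:13} {name}")
```

A file reported as "suspicious" is worth treating as unvetted by Gatekeeper regardless of where it came from; "unquarantined" alone is common for files that were never downloaded.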

(Screenshot: Microsoft)

“Gatekeeper is a helpful and effective security feature because of its essential role in stopping malware on macOS,” Microsoft’s Achilles writeup says. “However, considering there have been numerous bypass techniques targeting the security feature in the past, Gatekeeper is not bulletproof. Gaining the ability to bypass Gatekeeper has serious consequences because malware authors sometimes use those techniques to gain initial access.”

Achilles has since been added to the list of Common Vulnerabilities and Exposures (CVE). Apple has also patched the vulnerability in macOS Ventura 13, Monterey 12.6.2, and Big Sur 11.7.2, the latter two of which were released just a few weeks ago. Microsoft’s Security Threat Intelligence team recommends that all macOS users apply the patch, even if they use Apple’s Lockdown Mode, which is meant to protect users who need heightened personal security. Lockdown Mode is designed to prevent zero-click remote code execution attacks, so it does not protect against the Achilles vulnerability.
