For the uninitiated, Gatekeeper is a macOS security feature that automatically checks apps downloaded from the Internet, verifying that they are authenticated and signed by the developer (and therefore approved by Apple), then asking the user to confirm before launch, or issuing a warning if the app cannot be trusted.

Apple has fixed a vulnerability that attackers could have exploited to deliver malware to vulnerable macOS devices via untrusted applications capable of bypassing Gatekeeper's execution restrictions. Found and first reported by Microsoft's lead security researcher, Jonathan Bar Or, the flaw, dubbed Achilles, is now tracked as CVE-2022-42821. Apple resolved it a week ago, on December 13th, in macOS 13 (Ventura), macOS 12.6.2 (Monterey) and macOS 1.7.2 (Big Sur).

Specifically, Achilles allowed a specially crafted payload to set restrictive Access Control List (ACL) permissions that prevented web browsers and Internet downloaders from setting the com.apple.quarantine attribute on a payload downloaded as a ZIP archive.
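As an added example (not from the article or from Microsoft's research), a small Python triage helper in the spirit of the mechanism described above: it parses output in the shape of macOS `ls -le` for ACL entries that deny `writeextattr` (the ACL permission governing writes to extended attributes such as `com.apple.quarantine`) and cross-checks which extracted files lack the quarantine attribute. The listing, the attribute table and the file names are constructed for illustration.

```python
import re

# Constructed sample output in the shape of macOS `ls -le` (long listing plus ACL entries).
# File names and ACL entries are made up; "writeextattr" is the macOS ACL permission that
# governs writing extended attributes such as com.apple.quarantine.
SAMPLE_LS_LE = """\
-rwxr-xr-x+ 1 user  staff  1234 Dec 21 10:00 Payload
 0: group:everyone deny write,writeattr,writeextattr,writesecurity,chown
-rw-r--r--  1 user  staff   512 Dec 21 10:00 README.txt
-rw-r--r--+ 1 user  staff   512 Dec 21 10:00 notes.txt
 0: user:alice allow read,write
"""

# Constructed sample: which files carry com.apple.quarantine (as `xattr -l` would report).
SAMPLE_XATTRS = {
    "Payload": [],
    "README.txt": ["com.apple.quarantine"],
    "notes.txt": ["com.apple.quarantine"],
}

ENTRY_RE = re.compile(r"^[-dl][rwxsStT-]{9}[+@]?\s+\d+\s+\S+\s+\S+\s+\d+\s+\w{3}\s+\d+\s+\S+\s+(.+)$")
ACL_RE = re.compile(r"^\s*\d+:\s+(\S+)\s+(allow|deny)\s+(\S+)$")


def parse_ls_le(text):
    """Map each file name to its list of (principal, allow|deny, {permissions}) ACL entries."""
    acls, current = {}, None
    for line in text.splitlines():
        if m := ENTRY_RE.match(line):
            current = m.group(1)          # a file entry starts a new ACL list
            acls[current] = []
        elif (m := ACL_RE.match(line)) and current is not None:
            principal, kind, perms = m.groups()
            acls[current].append((principal, kind, set(perms.split(","))))
    return acls


def find_quarantine_blockers(acls, xattrs):
    """Return {file: [reasons]} for files whose ACL denies writeextattr or that lack quarantine."""
    findings = {}
    for name, entries in acls.items():
        reasons = []
        if any(kind == "deny" and "writeextattr" in perms for _, kind, perms in entries):
            reasons.append("ACL denies writeextattr, so the quarantine xattr cannot be set")
        if "com.apple.quarantine" not in xattrs.get(name, []):
            reasons.append("missing com.apple.quarantine")
        if reasons:
            findings[name] = reasons
    return findings
```

On a real system the two inputs would come from `ls -le` and `xattr -l` run over the extracted archive; a file that both denies `writeextattr` and lacks the quarantine attribute is the pattern worth a closer look.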

As a result, a malicious app contained in such an archived payload would launch on the target's system instead of being blocked by Gatekeeper, allowing attackers to download and distribute malware. Microsoft said on Monday that:

“Apple’s Lockdown Mode, introduced in macOS Ventura as an optional security feature for high-risk users who could be personally targeted by a sophisticated cyberattack, is intended to stop clickless remote code execution exploits, and thus does not defend against Achilles. End users should apply the fix regardless of their Lockdown Mode status.”

As always, the best advice we can give is to keep your Apple devices constantly updated. It is also worth remembering that Apple is currently testing a new Rapid Security Response feature for Mac and iOS devices, which will allow security vulnerabilities like this one to be fixed quickly without requiring a full operating system update.