macOS: ZIP archives can bypass Apple’s gatekeeper


A bug in macOS's built-in archiving utility makes it possible to deliver unsigned malicious code inside archive files that is then executed without any warning. A patch is available.

Attackers can use manipulated archive files to get malicious code onto Macs while bypassing Apple's integrated Gatekeeper protection. Code that has not been notarized, and even code that is not signed at all, is executed by the operating system without warning, according to the vendor of a device management tool that reported the bug to Apple.

Apple fixed the vulnerability in its archiving utility back in July, but has only now documented it. The patch is available for macOS 12 Monterey (from version 12.5) as well as the previous versions macOS 11 Big Sur (from version 11.6.8) and macOS 10.15 Catalina (with Security Update 2022-005). It can be assumed that the vulnerability also exists in older versions of macOS, for which Apple no longer provides security updates.

Normally, when a downloaded archive is unpacked, Apple's archiving utility attaches a so-called quarantine attribute to every file it extracts, so that the files are checked by macOS's built-in Gatekeeper protection when they are opened. If the software has not been checked and notarized by Apple, or is not signed at all, the user is warned and the launch is blocked.

However, the vulnerability allows an archive to be manipulated in such a way that an app it contains is unpacked without a quarantine attribute, as the vendor Jamf explains. The unpatched archiving utility fails to apply the quarantine attribute to the temporary folder it uses while unpacking, and this omission can be exploited. The technique works both with Apple Archive files (.aar) and with ordinary ZIP archives, which are still commonly used to distribute Mac apps. If the user opens the app from an archive manipulated in this way, the operating system runs it without any check. Apple has now stated in the updated release notes for the security updates that the logic problem in the archiving utility has been fixed with an improved check.
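Because Gatekeeper only inspects files that carry the quarantine attribute, a defender's first check after unpacking an untrusted archive is whether every extracted file actually has it. The following audit script is an added example and not code from the article or from Jamf; it assumes the macOS `xattr` command-line tool is available and that the attribute value uses the usual four-field `flags;timestamp;agent;uuid` layout. The attribute reader is injectable so the audit logic can also be exercised with constructed sample data on a non-Mac machine.

```python
"""Audit an unpacked archive for files lacking com.apple.quarantine (added example)."""
import os
import subprocess
import sys
from typing import Callable, Dict, Iterable, List, Optional

QUARANTINE_ATTR = "com.apple.quarantine"


def read_quarantine_macos(path: str) -> Optional[str]:
    """Return the raw quarantine value for `path`, or None if the attribute is absent.

    Shells out to `xattr -p com.apple.quarantine <path>`; a non-zero exit status
    means the file carries no such attribute. Only works on macOS.
    """
    if sys.platform != "darwin":
        raise RuntimeError("native reader only works on macOS")
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def parse_quarantine(value: str) -> Dict[str, str]:
    """Split a quarantine value into fields (assumed layout: flags;timestamp;agent;uuid)."""
    fields = ["flags", "timestamp_hex", "agent", "uuid"]
    parts = value.split(";")
    return dict(zip(fields, parts + [""] * (len(fields) - len(parts))))


def audit_paths(paths: Iterable[str],
                reader: Callable[[str], Optional[str]]) -> List[str]:
    """Return every path for which `reader` reports no quarantine attribute."""
    return [p for p in paths if reader(p) is None]


def audit_tree(root: str,
               reader: Callable[[str], Optional[str]] = read_quarantine_macos) -> List[str]:
    """Walk `root` on the real filesystem and report files missing the attribute."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return audit_paths(paths, reader)


if __name__ == "__main__":
    # Usage: python audit_quarantine.py /path/to/unpacked/App.app
    missing = audit_tree(sys.argv[1])
    for p in missing:
        print("NO QUARANTINE ATTRIBUTE:", p)
    sys.exit(1 if missing else 0)
```

A non-empty result means Gatekeeper will never see those files; the safe response is to treat the whole extracted bundle as unverified rather than to launch it.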
