Nasty macOS bug could have let hackers dance past security protections

A representative image of someone hacking online.

(Image credit: 123RF)

Cybersecurity researchers have discovered a new vulnerability in macOS which allowed threat actors to completely bypass native security solutions and execute an unsigned and unnotarized application without displaying security prompts.

Announcing the news in a blog post, researchers from Jamf Threat Labs said they spotted the flaw in the macOS Archive Utility, the native macOS archiving application, similar to WinRAR and other archiving apps.

Abusing the flaw found in this app allows threat actors to circumvent Gatekeeper, and all other security checks.

Quarantining folders

Explaining the flaw, tracked as CVE-2022-32910, Jamf said it revolves around how macOS handles unarchiving files downloaded from the internet.

When a Mac user downloads an archive, it will receive an extended attribute title com.apple.quarantine, signaling to the OS that it was received from a remote location and should be analyzed. Everything that gets extracted will also receive the same quarantine attribute. Well - almost everything. In some cases, Archive Utility will create additional folders to avoid confusion:

“When it comes to application bundles — Gatekeeper only cares if the app directory itself has a quarantine attribute set and disregards recursive files within the app bundle. Therefore, we can bypass Gatekeeper by ensuring that our non-quarantined folder is an application,” the researchers explained.

> Older macOS versions reportedly remain insecure after Apple chose only to patch Monterey

> Hackers could use your Mac to exploit Microsoft Word security flaws

> These are the best endpoint protection services out there

“As mentioned, the folder name containing our unarchived files is controlled by the user because Archive Utility creates this folder based on the archive name without the extension. Therefore, we can name our archive something like test.app.aar so that when it is unarchived, it will have a folder name titled test.app. Within that app will be an expected application bundle holding the executable.”

For the flaw to be exploited, the archive name must include an .app extension, there should be at least two files or folders in the root of the target directory being archive, as this triggers the auto-renaming of the temporary directory, and only the files and folders within the app should be archive, excluding the test.app directory.

Jamf says that after disclosing it to Apple, the company patched the issue in July 2022, so users are advised to update as soon as possible.

Check out the best firewalls around

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.