Researchers at Jamf Threat Labs have discovered a remote code execution vulnerability in macOS Archive Utility (CVE-2022-32910). Jamf notified Apple about the issue on May 31, 2022, and the flaw was fixed in July. Jamf found the Archive Utility vulnerability after finding a Safari flaw earlier this year that could circumvent Gatekeeper checks, and decided to “research other archiving features that might suffer from similar issues.”
- The flaw was fixed in macOS 12.5, released July 2022. Essentially, you leverage a flaw in the Safari browser to get it to unpack a crafted archive file causing the quarantine bit to _NOT_ be set, which then bypasses the Gatekeeper functions which prompt for permission prior to allowing execution of such a file. The fix is simple – apply the latest updates from Apple.
Read more in
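The editor's note above hinges on one attribute: Gatekeeper only inspects a file if it carries the com.apple.quarantine extended attribute, so an archive tool that drops the attribute on extraction silently takes the file out of Gatekeeper's view. The script below is an added example (not Jamf's research code and not from the article) that audits a freshly unpacked directory for files lacking the attribute and decodes the ones that have it. It assumes the system xattr(1) tool is available when run on macOS; the sample paths and attribute values at the bottom are constructed for illustration, and the reader function is injectable so the logic can be exercised on any platform.

```python
"""Audit files unpacked from a downloaded archive for the
com.apple.quarantine attribute that Gatekeeper keys on.

Added example; not Jamf's code and not from the original article.
Sample paths/values below are constructed, not real captures.
"""
import os
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int      # hex bit field written by the downloading app
    timestamp: int  # seconds since the Unix epoch, stored in hex
    agent: str      # name of the app that applied the attribute
    uuid: str       # LaunchServices quarantine event id (may be absent)


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse the 'flags;hextime;agent[;uuid]' string stored in the xattr."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine value: {value!r}")
    return QuarantineInfo(
        flags=int(parts[0], 16),
        timestamp=int(parts[1], 16),
        agent=parts[2],
        uuid=parts[3] if len(parts) > 3 else "",
    )


def macos_xattr_reader(path: str) -> Optional[str]:
    """Read the attribute via xattr(1) on macOS.
    Returns None when the file does not carry it (xattr exits non-zero)."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def walk_paths(root: str) -> List[str]:
    """Every regular file under root, the set Archive Utility just wrote."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return sorted(found)


def audit_extracted(paths: Iterable[str],
                    reader: Callable[[str], Optional[str]] = macos_xattr_reader
                    ) -> Dict[str, List[str]]:
    """Bucket paths by whether they carry a well-formed quarantine attribute.
    Anything in 'unquarantined' would run without a Gatekeeper prompt."""
    report: Dict[str, List[str]] = {"quarantined": [], "unquarantined": [], "malformed": []}
    for path in paths:
        raw = reader(path)
        if raw is None:
            report["unquarantined"].append(path)
            continue
        try:
            parse_quarantine(raw)
        except ValueError:
            report["malformed"].append(path)
            continue
        report["quarantined"].append(path)
    return report


# Constructed sample standing in for an unpacked download: one file kept its
# attribute (as Safari would write it), one lost it during extraction.
SAMPLE_ATTRS: Dict[str, Optional[str]] = {
    "/tmp/unpacked/readme.txt": "0083;62e2a1f0;Safari;9F1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9",
    "/tmp/unpacked/app.bundle/Contents/MacOS/app": None,
}


def sample_reader(path: str) -> Optional[str]:
    """Stand-in for macos_xattr_reader backed by the constructed sample."""
    return SAMPLE_ATTRS.get(path)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real use: python audit.py ~/Downloads/unpacked
        result = audit_extracted(walk_paths(sys.argv[1]))
    else:                  # no argument: run against the constructed sample
        result = audit_extracted(SAMPLE_ATTRS, reader=sample_reader)
    for bucket, files in result.items():
        for f in files:
            print(f"{bucket:14s} {f}")
    sys.exit(1 if result["unquarantined"] or result["malformed"] else 0)
```

Run it against the directory an archive was just unpacked into; a non-zero exit means at least one file would launch without a Gatekeeper check. The check is only a symptom test, not a fix: the fix remains applying the macOS update that corrects Archive Utility.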