Updated on 2022-12-22: macOS Gatekeeper bypass
Microsoft has published a write-up on another macOS Gatekeeper bypass found by its MSTIC team. I don’t know how I feel about Microsoft’s security teams sifting through Apple’s products when their Exchange servers keep getting ransomed left and right. Read more: Gatekeeper’s Achilles heel: Unearthing a macOS vulnerability
Overview: macOS Archive Utility Vulnerability
Researchers at Jamf Threat Labs have discovered a vulnerability in macOS Archive Utility (CVE-2022-32910) that lets a crafted archive bypass Gatekeeper, so an application extracted from it can be launched without any Gatekeeper check and deliver malicious code execution. Jamf notified Apple about the issue on May 31, 2022; Apple shipped the fix in July 2022 with macOS 12.5. Jamf found the Archive Utility bug after uncovering a Safari flaw earlier in 2022 that could likewise circumvent Gatekeeper checks (CVE-2022-22616, fixed in macOS 12.3), and decided to “research other archiving features that might suffer from similar issues.”
Note
- The flaw was fixed in macOS 12.5, released in July 2022. It is an Archive Utility bug, not a browser bug: a crafted archive, once unpacked by Archive Utility, yields files that lack the com.apple.quarantine extended attribute (the “quarantine bit”) that the browser puts on the download and that Archive Utility is supposed to propagate to everything it extracts. Gatekeeper only evaluates files carrying that attribute, so the extracted payload never triggers the permission prompt that normally precedes the first execution of a downloaded file. The earlier Safari issue reached the same end by a different route: there the browser itself unpacked a crafted archive and the result came out without the quarantine attribute. The fix is simple: apply the latest updates from Apple.
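As an added practitioner check, not code from Jamf, Apple or this post: the script below walks a directory (for instance the folder Archive Utility just produced from a downloaded archive) and lists every item that lacks a well-formed com.apple.quarantine attribute, i.e. every item Gatekeeper will never evaluate. It shells out to the macOS xattr(1) tool, so the collection step only works on macOS; the decision logic is pure Python and runs anywhere. The attribute layout it parses (flags;timestamp;agent;uuid, hex-encoded) is the layout macOS is observed to write, not a documented contract, which is why the flag bits are carried through uninterpreted; the sample paths and values in the docstrings are constructed.

```python
#!/usr/bin/env python3
"""Added example (not Jamf's, Apple's or the post's code): report files and
directories that Gatekeeper will skip because they carry no usable
com.apple.quarantine extended attribute."""
import os
import subprocess
from datetime import datetime, timezone
from typing import Dict, List, Optional

QUARANTINE_XATTR = "com.apple.quarantine"


def parse_quarantine(value: str) -> dict:
    """Split a quarantine value into its fields.

    Assumed (observed, undocumented) layout:
        "<flags hex>;<unix time hex>;<agent name>;<uuid>"
    e.g. "0083;63a4a2b0;Safari;5B6C0A1E-...". Some writers omit the uuid,
    so only the first three fields are required. Flags are returned as an
    int and deliberately not interpreted.
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    return {
        "flags": int(parts[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2],
        "uuid": parts[3] if len(parts) > 3 else "",
    }


def read_quarantine(path: str) -> Optional[str]:
    """macOS only: query xattr(1) for the attribute; None when it is absent."""
    proc = subprocess.run(
        ["xattr", "-p", QUARANTINE_XATTR, path],
        capture_output=True, text=True, check=False,
    )
    value = proc.stdout.strip()
    return value if proc.returncode == 0 and value else None


def collect_tree(root: str) -> Dict[str, Optional[str]]:
    """Map every file AND directory under root to its quarantine value.

    Directories matter: an .app bundle is a directory, and Gatekeeper keys
    off the attribute on the bundle itself."""
    attrs: Dict[str, Optional[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            attrs[full] = read_quarantine(full)
    return attrs


def unquarantined(attrs: Dict[str, Optional[str]]) -> List[str]:
    """Paths Gatekeeper will not evaluate: attribute missing or malformed."""
    skipped: List[str] = []
    for path, value in attrs.items():
        if value is None:
            skipped.append(path)
            continue
        try:
            parse_quarantine(value)
        except ValueError:
            skipped.append(path)
    return sorted(skipped)


def report(attrs: Dict[str, Optional[str]]) -> List[str]:
    """One human-readable line per item, for eyeballing an extracted tree."""
    lines: List[str] = []
    for path in sorted(attrs):
        value = attrs[path]
        if value is None:
            lines.append(f"NO QUARANTINE  {path}")
            continue
        try:
            q = parse_quarantine(value)
        except ValueError:
            lines.append(f"MALFORMED      {path}  ({value!r})")
            continue
        stamp = q["downloaded_at"].strftime("%Y-%m-%d %H:%M:%SZ")
        lines.append(f"quarantined    {path}  by {q['agent']} at {stamp}")
    return lines


if __name__ == "__main__":
    import sys
    # Hypothetical default: the folder a downloaded archive was unpacked into.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    found = collect_tree(target)
    print("\n".join(report(found)))
    missing = unquarantined(found)
    print(f"\n{len(missing)} item(s) Gatekeeper would never evaluate")
```

Run it against the output of a just-unpacked, browser-downloaded archive: on a patched system (12.5 or later) every extracted item should show up as quarantined, provided the archive itself carried the attribute when it was opened; an item listed as NO QUARANTINE is exactly the condition the Jamf finding produced, and is worth a second look before anything in that folder is launched.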
Read more in