Skip to Content

macOS Gatekeeper bypass

Updated on 2022-12-22: macOS Gatekeeper bypass

Microsoft has published a write-up on another macOS Gatekeeper bypass found by its MSTIC team. I don’t know how I feel about Microsoft’s security teams sifting through Apple’s products when their Exchange servers keep getting ransomed left and right. Read more: Gatekeeper’s Achilles heel: Unearthing a macOS vulnerability

Overview: macOS Archive Utility Vulnerability

Researchers at Jamf Threat Labs have discovered a remote code execution vulnerability in macOS Archive Utility. Jamf notified Apple about the issue on May 31, 2022; the flaw was fixed in July. Jamf found the Archive Utility vulnerability after detecting a flaw in Safari that could circumvent Gatekeeper checks earlier this year and decided to “research other archiving features that might suffer from similar issues.”


  • The flaw was fixed in macOS 12.5, released July 2022. Essentially, you leverage a flaw in the Safari browser to get it to unload a crafted archive file causing the quarantine bit to _NOT_ be set, which then bypasses the gatekeeper functions which prompt for permission prior to allowing execution of such a file. The fix is simple – apply the latest updates from Apple.


    Ads Blocker Image Powered by Code Help Pro

    It looks like you are using an adblocker.

    Ads keep our content free. Please consider supporting us by allowing ads on