With macOS malware on the rise, Apple has been busy in recent years adding layers of protection that make it much harder for malware to run on Macs. But an operating system vulnerability, publicly disclosed and fixed today, has been exploited to bypass them all.
Security researcher Cedric Owens discovered the bug in mid-March while looking for ways to bypass macOS defenses. Apples Porter mechanism requires developers to register with Apple and pay a fee so that their software can run on Mac. And the company’s software notarization process requires that all applications go through an automated verification process. The logical flaw that Owens found was not in these systems but rather in macOS itself. Attackers could strategically design their malware to trick the operating system into letting it run even if it failed all security checks along the way.
“With all the security improvements Apple has made over the past few years, I was quite surprised that this simple technique worked,” says Owens, “So I immediately reported this to Apple given the potential for real world attackers use this technique to bypass Gatekeeper. There are several use cases of how this bug could be abused. “
The default is akin to a main entrance that is effectively barred and locked, but with a cat door at the bottom that you can easily throw a bomb into. Apple incorrectly assumed that apps will always have certain specific attributes. Owens found that if he created an application that was really just a script – code that told another program what to do rather than doing it itself – and that it didn’t did not include a standard application metadata file called “info.plist”, it could silently run the app on any Mac. The operating system wouldn’t give even its most basic message: “This is an application downloaded from the Internet. Are you sure you want to open it? “
Owens reported the bug to Apple and also shared his findings with longtime macOS security researcher Patrick Wardle, who conducted a more in-depth analysis of why macOS dropped the ball.
“The operating system correctly says, ‘Wait a minute, this is from the Internet, I’m going to quarantine this and I’m going to do all my checks,’” says Wardle. First, macOS checks to see if the app has been notarized, which in this case it hasn’t. But then it follows to see if the software is a set of applications; when it sees that there is no ‘info.plist’ file, macOS mistakenly determines that it is not an app, ignores any other evidence to the contrary, and leaves it running without no warnings for the user. “He just says ‘OK, cool’ and will do anything,” says Wardle. “It’s a little crazy!”
After gaining a more in-depth understanding of how the bug works, Wardle contacted specialty device management company Apple Jamf to see if the company’s Protect antivirus product had reported any script-based malware that met the criteria. In fact, Jamf had reported a version of the Shlayer adware which actively exploited the bug.
The Gatekeeper feature on macOS, launched in 2012, prompts users with a warning asking if they’re sure they want to run apps downloaded outside of the Mac App Store. Over the years, however, attackers have managed to deceive enough victims to agree to continue to widely distribute their malware. But Apple’s notarization requirements, which took effect in February 2020, have made it much harder for malware players to target Macs. If a user attempts to run software that is not notarized, macOS will reject the app entirely. This is a big problem for cybercriminals, especially adware vendors, who rely on a large victim base to generate income.
The group that is developing Shlayer actively sought workarounds and had some success deceiving Apple in notarizing their malware. A bug that allows you to bypass the notarization requirement entirely would obviously be preferable, especially if it came with the bonus of not having to trick users into agreeing to run the malware.