Apple patched what noted Mac security researcher Patrick Wardle described to SC Media as “the worst macOS bug in recent memory.” An adware group had already been using the bug in the wild.
The bug, patched in macOS 11.3, allowed attackers to circumvent much of Apple’s built-in malware screening for programs downloaded from the internet. macOS marks downloaded files with the “com.apple.quarantine” extended attribute so that it knows to apply extra scrutiny when they are opened. When all goes well, opening a program that carries the attribute triggers Apple’s suite of download checks and warnings, with outright blocking of applications that fail them: File Quarantine, Gatekeeper, and notarization. Apple released macOS 11.3 on Monday.
The problem stemmed from how macOS launches application bundles. A bundle’s main executable can be a script rather than a compiled program. When a bundle was built that way and also lacked the metadata file “Info.plist” (or a suitable alternative), macOS skipped the checks the com.apple.quarantine attribute should have triggered. In short, a user could double-click a sketchy program and run it without any of the roadblocks Apple designed to get in the way.
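The shape described above (an executable script under Contents/MacOS with no Contents/Info.plist beside it) is easy to look for on disk. The triage script below is an added example, not code from Apple, the researchers, or Jamf; the heuristics (shebang means script, Info.plist presence, the quarantine extended attribute) are assumptions chosen for illustration, and the three sample bundles it builds are constructed, harmless stand-ins so the example runs offline on any platform.

```python
"""Triage .app bundles for the bypass shape: a launcher script under
Contents/MacOS with no Contents/Info.plist.  Added example, not the
detection logic of Apple, Objective-See or Jamf; heuristics are assumptions."""
import os
import stat
import tempfile
from pathlib import Path

QUARANTINE_XATTR = "com.apple.quarantine"


def has_quarantine_xattr(path: Path) -> bool:
    """True if path carries com.apple.quarantine. Only macOS sets this attribute,
    so on other platforms (or filesystems without xattr support) this is False."""
    try:
        return QUARANTINE_XATTR in os.listxattr(path)
    except (OSError, AttributeError):  # xattrs unsupported, or no os.listxattr
        return False


def launcher_candidates(bundle: Path) -> list:
    """Executable regular files under Contents/MacOS, where a bundle's main
    program lives."""
    macos_dir = bundle / "Contents" / "MacOS"
    if not macos_dir.is_dir():
        return []
    return [p for p in sorted(macos_dir.iterdir())
            if p.is_file() and p.stat().st_mode & stat.S_IXUSR]


def is_script(path: Path) -> bool:
    """A shebang line means an interpreted script rather than a Mach-O binary."""
    with open(path, "rb") as f:
        return f.read(2) == b"#!"


def triage_bundle(bundle) -> dict:
    """Classify one bundle. 'suspicious' is the combination the article
    describes: a script launcher AND a missing Info.plist."""
    bundle = Path(bundle)
    info_plist = bundle / "Contents" / "Info.plist"
    launchers = launcher_candidates(bundle)
    scripts = [p.name for p in launchers if is_script(p)]
    quarantined = has_quarantine_xattr(bundle) or any(
        has_quarantine_xattr(p) for p in launchers)
    return {
        "bundle": bundle.name,
        "has_info_plist": info_plist.is_file(),
        "script_executables": scripts,
        "quarantined": quarantined,
        "suspicious": bool(scripts) and not info_plist.is_file(),
    }


def triage_directory(root) -> list:
    """Triage every *.app directory directly under root (e.g. ~/Downloads)."""
    return [triage_bundle(p) for p in sorted(Path(root).glob("*.app")) if p.is_dir()]


def make_sample_bundle(root, name: str, launcher: bytes, with_info_plist: bool) -> Path:
    """Build a constructed, harmless sample bundle for offline testing."""
    bundle = Path(root) / f"{name}.app"
    macos_dir = bundle / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True, exist_ok=True)
    exe = macos_dir / name
    exe.write_bytes(launcher)
    exe.chmod(0o755)
    if with_info_plist:
        (bundle / "Contents" / "Info.plist").write_text(
            '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict/></plist>\n')
    return bundle


def build_sample_set() -> str:
    """Three constructed bundles in a fresh temp dir: the bypass shape, a normal
    app (Mach-O magic bytes plus Info.plist), and a script app that has a plist."""
    root = tempfile.mkdtemp(prefix="bundle-triage-")
    make_sample_bundle(root, "Installer", b"#!/bin/sh\necho constructed sample\n", False)
    make_sample_bundle(root, "Normal", b"\xcf\xfa\xed\xfe" + b"\x00" * 28, True)
    make_sample_bundle(root, "Scripty", b"#!/bin/bash\necho constructed sample\n", True)
    return root


if __name__ == "__main__":
    for result in triage_directory(build_sample_set()):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['bundle']}: {result}")
```

On a patched macOS host, pointing `triage_directory` at ~/Downloads will show fresh downloads as `quarantined: True`; a bundle that is both quarantined and flagged `suspicious` is worth pulling for analysis. The check is a triage aid for spotting the file shape, not a substitute for the 11.3 update: a script launcher with a plist (the "Scripty" sample) is a legitimate, common packaging choice and is deliberately not flagged.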
A representative for Apple acknowledged the bug had been patched in the newest macOS update, noting that malware bypassing the quarantine system still had to contend with Apple’s built-in XProtect malware detection.
“Apple devices are designed with multiple layers of security in order to protect against a wide range of potential vulnerabilities, and we work constantly to add new protections for our users’ data,” the representative said.
Apple has also updated XProtect to block malware that exploited the technique.
The researchers who uncovered the vulnerability say it could be used to devastating effect on unpatched systems.
“I’ve been red-teaming against Mac environments for the past few years now. From an attacker’s perspective, this is the best payload that I’ve ever seen or used against Mac,” said Cedric Owens, a red-teamer by day who discovered the bug doing after-hours tinkering.
Owens said it took only five days for a patch to appear in a macOS beta version.
“[I think] this is likely the worst or potentially most impactful bug to everyday macOS users (who, let’s be honest, aren’t going to be targeted by nation-states wielding pure remote zero days),” Wardle said via electronic chat.
“Also, as a logic bug, it’s 100% reliable.”
After Owens discovered the bug, Wardle published additional research on it on his Objective-See website. Wardle also contacted the software company Jamf, which used its Mac EDR to hunt for payloads and apps that matched the bypass’s signature. Jamf, in turn, found what Wardle describes as “an aggressive strain of adware that installed second-stage payloads.”
Wardle said it was not uncommon to see Mac zero-days used for adware, and warned enterprise users to treat Macs as computers rather than as devices immune to malware, hacking or other abuse.
“Don’t count on Apple’s built-in protection, as time and time again they prove buggy, bypassable or insufficient,” he said. “A third-party security tool probably makes sense.”