Hackers used 0Day vulnerability to bypass macOS protection

Apple has released a security update for macOS that addresses the zero-day vulnerability (CVE-2021-30657). Its exploitation made it possible to bypass all OS security measures and run arbitrary software on computers running macOS.

“Exploiting the issue allows you to bypass all relevant macOS security mechanisms (file quarantine, gatekeeper, and signature requirements) even on a fully patched macOS M1,” said security researcher Patrick Wardle.

Apple macOS comes with a Gatekeeper feature that only runs trusted applications and ensures that the software is signed by the App Store or a registered developer.

However, the reported issue allows an attacker to design a rogue application in such a way as to trick the Gatekeeper service into launching it without issuing any security warning. The problem is related to the packaging of a malicious shell script disguised as an application that is launched with a double click.

According to information security firm Jamf, Shlayer malware operators exploited the Gatekeeper bypass vulnerability in attacks in January 2021. Attackers modified search engine results to expose malicious links that, when clicked, redirect users to a web page, ostensibly to download an application update for outdated software. The update was actually a bash script to silently install the Bundlore adware.

In addition to the 0Day vulnerability, Apple has also fixed a critical issue in the WebKit repository (CVE-2021-30661) that allows arbitrary code to execute on devices running iOS, macOS, tvOS, and watchOS.