Apple has always been very protective of the security of its operating systems. It is one of the keys to its kingdom that have allowed it to charge for its app store and suffer far fewer negative headlines than its competitors. However, it has just been hit by a series of vulnerabilities that suggest there could be cracks in its security walls.
Apple’s latest update to macOS Big Sur – 11.3 – contains over 50 security fixes along with other new features. Two other macOS versions, Catalina and Mojave, also received a raft of security patches, two of which are covered here.
The first of those vulnerabilities is CVE-2021-30657. It is already being exploited in the wild by the notorious Mac malware Shlayer. It was discovered by security researcher Cedric Owens, who detailed it in a blog post on Medium.
The vulnerability allows an attacker to bypass Apple’s Gatekeeper function and install malicious code onto a device. According to Owens: “This payload can be used in phishing and all the victim has to do is double click to open the .dmg and double-click the fake app inside of the .dmg — no pop ups or warnings from macOS are generated.”
In addition to his own testing, Owens asked another security researcher, Patrick Wardle, to check his code. In his blog, Wardle wrote: “This bug trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk.”
The blogs from both researchers are comprehensive and provide a significant amount of detail on the vulnerability.
F-Secure piles on the bad news
Owens is not the only one to have discovered problems with macOS Gatekeeper. Last year Finnish security company F-Secure discovered a vulnerability, CVE-2021-1810. Like Owens’ discovery, it allowed cybercriminals to infect Mac devices with malware.
The method of infection is remarkably similar. A user receives a phishing email, this time with a specially-crafted .zip file. When executed, that file will bypass Gatekeeper. Unlike Owens and Wardle, F-Secure has decided not to publish more details until users have had time to patch.
One important difference between the two vulnerabilities is their exploitation status. While the Owens vulnerability is actively being exploited, the F-Secure one is not, despite having been disclosed in December.
Enterprise Times: What does this mean?
Claims that macOS cannot be hacked have long been disproved. Like any company’s, Apple’s software developers make mistakes, and so do its hardware developers. Unlike many of its competitors, Apple generally sets a higher testing and approval bar for code. That has meant more work for cybercriminals to breach the OS.
However, that does not mean macOS doesn’t have problems. Apple might issue fewer patch updates than Microsoft or Google, but it still has to issue them. There is also a growing body of malware targeting macOS. What will worry Apple is that Gatekeeper is a critical component in its security controls. Having to fix multiple issues is embarrassing, but not as embarrassing as finding that one of those vulnerabilities is being actively exploited.
On the positive side, the fact that the issues were found, reported and addressed is good news for Apple. It shows an active community out there willing to work with it to improve product security.