Apple have released updates across their macOS platforms to address a vulnerability known as ‘Achilles’ that could allow malicious downloaded apps to bypass Gatekeeper security checks. A patch for this vulnerability was released in a security update last week, which can be found in macOS Ventura 13.1, macOS Monterey 12.6.2, and macOS Big Sur 11.7.2. Yesterday threat researchers at Microsoft’s security blog released details of proof of concept (PoC) code for an exploit of this vulnerability, so applying this update to all macOS devices should be treated as a priority now that exploit information has been publicly disclosed.  

Gatekeeper is a security mechanism that checks apps downloaded from a web browser for a developer signature, to identify if they are approved by Apple. Similar to Microsoft’s Mark of the Web (MotW), which has also experienced bypasses recently, downloaded apps are tagged with the file extension com.apple.quarantine and then the user must confirm the app launch on a pop-up prompt, or if it is considered malicious then the user will be informed that the untrusted app cannot be launched. This security measure helps to prevent malware being run on the device, and prevent sandbox escapes. 

The Achilles vulnerability, tracked as CVE-2022-42821, is a logic issue that allows for a malicious app to bypass Gatekeeper checks. This is done through the misuse of Access Control Lists (ACLs) which can prevent Safari or another browser from adding the file extension tag that signifies the app was downloaded from the internet. This is done by setting up restrictions on the app itself in the writeextattr. ability to prohibit the browser’s ability to write extended attributes to the file. This allows the threat actors to launch the malicious app on the Mac device. 

An optional security measure called Apple’s Lockdown Mode exists in macOS Ventura, which is designed for high-risk users that might be specifically targeted in a personalised sophisticated cyber attack. The aim of Lockdown Mode is to prevent zero-click remote code execution exploits, and so does not provide any protection against Achilles. All users should therefore apply the most recent updates to fix this vulnerability regardless of their Lockdown Mode status.