Apple patches macOS Gatekeeper bypass vulnerability exploited in the wild


Protect Your Access to the Internet

Apple has issued a slew of security fixes resolving issues including an actively exploited zero-day flaw and a separate Gatekeeper bypass vulnerability. 

a close up of an umbrella

© ZDNet

The Cupertino, Calif.-based giant’s latest security patch round was issued on Monday, macOS Big Sur 11.3. 


Load Error

One of the most notable fixes is for a vulnerability found by Cedric Owens. Tracked as CVE-2021–30657, the vulnerability allows attackers to bypass Gatekeeper, Apple’s built-in protection mechanism for code signing and verification. 

In a Medium blog post, Owens describes how threat actors could “easily craft” a macOS payload that is not checked by Gatekeeper.

“This payload can be used in phishing and all the victim has to do is double click to open the .dmg and double-click the fake app inside of the .dmg — no pop-ups or warnings from macOS are generated,” the researcher said. 

Working with security expert Patrick Wardle, the duo then realized the root of the issue is a logic bug in the policy subsystem (syspolicyd) that permitted malicious apps to bypass Apple’s security mechanism. 

“Though unsigned (and unnotarized) the malware is able to run (and download & execute 2nd-stage payloads), bypassing all File Quarantine, Gatekeeper, and Notarization requirements,” Wardle noted.

According to Wardle and Jamf researchers, the vulnerability has unfortunately been exploited in the wild as a zero-day for months. 

The malware in question is Shlayer, adware which has recently been re-packaged to exploit CVE-2021-30657. It is thought the vulnerability may have been exploited from January 9 this year.

The vulnerability was reported on March 25 and was patched on March 30. 

“Kudos to Apple for quickly fixing the bug I reported to them,” Owens said on Twitter

Apple said within its security advisory that the vulnerability was patched through “improved state management.”

A separate vulnerability of note is CVE-2021-1810, discovered in late 2020 by F-Secure researchers. This security flaw can also be used to bypass macOS Gatekeeper’s code signature and notarization checks.

The company has chosen not to release the technical details of the bug until users have more time to…