Mac users are being urged to update to macOS Big Sur 11.3, as at least one threat group is already exploiting the zero-day bug to sneak past the operating system’s built-in security mechanisms.
Apple has rolled out an update for its macOS Big Sur operating system to address a bevy of security flaws, including a vulnerability that could allow malware to circumvent the operating system’s built-in protection mechanisms.
The vulnerability, tracked as CVE-2021-30657, could allow a malicious actor to craft a payload that could bypass Gatekeeper – the security feature in macOS that enforces code signing and verifies downloaded applications in order to help keep malware off Mac devices.
“This payload can be used in phishing and all the victim has to do is double click to open the .dmg and double-click the fake app inside of the .dmg — no pop ups or warnings from macOS are generated,” said security researcher Cedric Owens, who discovered the security loophole before reporting it to Apple on March 25th. The tech titan plugged the vulnerability within five days with Big Sur 11.3 Beta 6.
Prior to the release of the update, Owens asked Mac security researcher Patrick Wardle of Objective-See to look under the hood of this macOS nasty. Wardle found that it stems from a logic flaw in macOS’s policy subsystem, a flaw that he said “would allow an unsigned, unnotarized application to be run, when it clearly should be resoundingly blocked!”.
Wardle created a proof-of-concept application that was able to bypass all of macOS’s relevant security measures, including Gatekeeper, File Quarantine, and the notarization requirements. The application was even able to circumvent these mechanisms on a fully up-to-date machine sporting Apple’s new M1 chip.
“As shown, this flaw can result in the misclassification of certain applications, and thus would cause the policy engine to skip essential security logic such as alerting the user and blocking the untrusted application,” Wardle noted. However, he went on to add that the patch released by Apple fixes the classification issues and makes…