Apple recently patched a vulnerability in the macOS operating system (CVE-2021-30853) that could allow an attacker to bypass the Gatekeeper security feature and execute arbitrary code, according to Apple’s security advisory. Gordon Long of Box reported the bug to Apple, and the company fixed it with the release of the macOS 11.6 updates on September 20, 2021.
Wardle wrote in a technical write-up of the flaw, “Such issues are typically particularly harmful to regular macOS users because they allow adware and malware producers to evade macOS security mechanisms, … mechanisms that would otherwise impede infection efforts.”
The flaw bypasses not only Gatekeeper but also File Quarantine and macOS’s notarization requirements, effectively allowing a seemingly harmless PDF file to compromise the entire system simply by being opened. According to Wardle, the problem stems from how macOS handles an unsigned, non-notarized script-based programme that does not explicitly specify an interpreter, which results in a complete bypass.
A shebang interpreter directive such as #!/bin/sh or #!/bin/bash is normally used to tell the system which interpreter should run a shell programme. In this edge case, however, an adversary can build an application whose script begins with a shebang line that names no interpreter at all (i.e., a first line consisting only of #!), and the underlying operating system will still run the script without raising an alarm.
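The following is an added example, not code from Apple’s advisory or from Wardle’s write-up. It shows, from a defender’s side, how to distinguish the bare “#!” first line described above from a normal interpreter directive: it reads the executables under an app bundle’s Contents/MacOS/ directory and classifies each one. The bundle layout, the sample file names and the sample contents are constructed for the demonstration; flagging a bare shebang is a heuristic for triage, not a reproduction of the bypass.

```python
#!/usr/bin/env python3
"""Added example: flag script executables whose shebang names no interpreter.

Illustrative code, not from Apple's advisory or Wardle's write-up. It reads
the first line of each executable under an app bundle's Contents/MacOS/ and
reports a bare "#!" line (the edge case the article describes) next to
scripts carrying a normal "#!/bin/sh"-style directive.
"""
import stat
import tempfile
from pathlib import Path


def classify_shebang(data: bytes) -> str:
    """Classify the first line of a file.

    Returns 'none' (no shebang, e.g. a native Mach-O binary), 'bare'
    (shebang present but no interpreter path follows it) or 'interpreter'
    (shebang names an interpreter path).
    """
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if not first_line.startswith(b"#!"):
        return "none"
    body = first_line[2:].strip()
    return "bare" if not body else "interpreter"


def scan_app_bundle(bundle: Path) -> dict[str, str]:
    """Map each executable under Contents/MacOS/ to its shebang class.

    Only the first 512 bytes of each file are read; non-executable files
    and anything outside Contents/MacOS/ are ignored.
    """
    results: dict[str, str] = {}
    macos_dir = bundle / "Contents" / "MacOS"
    if not macos_dir.is_dir():
        return results
    for entry in sorted(macos_dir.iterdir()):
        if not entry.is_file():
            continue
        mode = entry.stat().st_mode
        if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            continue
        with entry.open("rb") as fh:
            results[entry.name] = classify_shebang(fh.read(512))
    return results


def bare_shebang_scripts(bundle: Path) -> list[str]:
    """Names of executables in the bundle whose first line is a bare '#!'."""
    return [name for name, kind in scan_app_bundle(bundle).items() if kind == "bare"]


def build_sample_bundle(root: Path) -> Path:
    """Construct a throwaway Sample.app with three executables (sample data)."""
    macos_dir = root / "Sample.app" / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True)
    samples = {
        "normal.sh": b"#!/bin/sh\necho hello\n",      # interpreter named
        "bare.sh": b"#!\necho hello\n",                # the edge case: no interpreter
        "native": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,  # 64-bit Mach-O magic, no shebang
    }
    for name, content in samples.items():
        path = macos_dir / name
        path.write_bytes(content)
        path.chmod(0o755)
    return macos_dir.parent.parent


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_bundle(Path(tmp))
        for name, kind in scan_app_bundle(sample).items():
            print(f"{name}: {kind}")
        print("bare-shebang executables:", bare_shebang_scripts(sample))
```

Pointing scan_app_bundle at a real bundle (for example one just downloaded and still carrying its quarantine attribute) lists every executable whose first line is a bare “#!”, which is the shape worth a second look before the app is opened.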
Threat actors can exploit this flaw by tricking victims into downloading a rogue app disguised as an Adobe Flash Player update or as a trojanized version of a legitimate application such as Microsoft Office. Such apps are often delivered through a technique known as search poisoning, in which attackers artificially boost the search engine ranking of websites hosting their malware to lure potential victims.
Separately, in October Microsoft disclosed “Shrootless” (CVE-2021-30892), a vulnerability that could be used to perform arbitrary operations, elevate privileges to root, and install rootkits on affected systems. Apple said it fixed that vulnerability with additional restrictions as part of the security updates released on October 26, 2021.