Apple has rolled out an update for its macOS Big Sur operating system to address a bevy of security flaws, including a vulnerability that could allow malware to circumvent the operating system’s built-in protection mechanisms.
The vulnerability, tracked as CVE-2021-30657, could allow a malicious actor to craft a payload that could bypass Gatekeeper – the security feature in macOS that enforces code signing and verifies downloaded applications in order to help keep malware off Mac devices.
“This payload can be used in phishing and all the victim has to do is double click to open the .dmg and double-click the fake app inside of the .dmg — no pop ups or warnings from macOS are generated,” said security researcher Cedric Owens, who discovered the security loophole before reporting it to Apple on March 25th. The tech titan plugged the vulnerability within five days with Big Sur 11.3 Beta 6.
Prior to the release of the update, Owens asked Mac security researcher Patrick Wardle of Objective-See to look under the hood of this macOS nasty. Wardle found that it stems from a logic flaw in macOS’s policy subsystem, a flaw that he said “would allow an unsigned, unnotarized application to be run, when it clearly should be resoundingly blocked!”.
Wardle created a proof-of-concept application that was able to bypass all of macOS’s security measures such as Gatekeeper, File Quarantine, and Notarization Requirements. The application was even able to circumvent these mechanisms on a fully up-to-date machine sporting Apple’s new M1 chip.
“As shown, this flaw can result in the misclassification of certain applications, and thus would cause the policy engine to skip essential security logic such as alerting the user and blocking the untrusted application,” Wardle noted. However, he went on to add that the patch released by Apple fixes the classification issues and makes sure that untrusted, unnotarized applications are blocked.
Wardle also contacted Jamf, a company specializing in Apple Enterprise Management solutions, to see whether there were signs of the vulnerability being abused in the wild. Unfortunately, its detection team confirmed that it has seen the exploit being used in the wild by a variant of Bundlore.Adware, more commonly known as Shlayer, that spreads using poisoned search engine results.
To mitigate the chances of leaving your device open to attacks, you should update your computer to macOS Big Sur 11.3 as soon as possible.
One more thing…
Apple has also issued an update for iOS and iPad OS devices that plugs a zero-day indexed as CVE-2021-30661. The flaw is a use-after-free bug and resides in the WebKit Storage component of the operating systems.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.,” reads the bug’s description.
The list of impacted devices includes Phone 6s and later, all versions of the iPad Pro, iPad Air 2 and later, the 5th generation iPad and later, iPad mini 4 and later, and the 7th generation of iPod touch. The tech giant also issued security updates to address the same issue plaguing Apple Watch products (watchOS 7.4) and Apple TVs (tvOS 14.5)
Your devices should update automatically if you’ve enabled the option. If not, you can do so manually by going through the Settings menu. To find out more about the updates you can refer to Apple’s security updates page.