Apple has released macOS 11.3, fixing a serious flaw that allowed an attacker to sneak malicious files past the operating system's Gatekeeper security mechanism.
Gatekeeper is one of the primary macOS defenses against the installation of malware, explained Cedric Owens, the security researcher who found the bug, in a message to The Register.
The vulnerability, he said, lets an attacker rig a malicious file so it won't get blocked by Gatekeeper when a user tries to open it. He considers it to be one of the most dangerous he's encountered on recent versions of macOS.
All it would take to install a malicious payload abusing this bug would be for the user to double-click on malware downloaded to a Mac via an emailed link or website.
'A victim detonating one of these payloads would give the attacker the ability to remotely access sensitive data in directories not protected by TCC [Apple's Transparency, Consent, and Control framework],' said Owens, who elaborated on his findings in a Medium post.
In an email to The Register, security researcher Patrick Wardle, founder of free security project Objective See and director of research at security biz Synack, said, 'This bug, a subtle logic flaw deep within macOS’s policy subsystem, trivially bypasses many core Apple security mechanisms, such as File Quarantine, Gatekeeper, and Notarization requirements, leaving Mac users at grave risk.'
He has written up the issue in full here.
Most Mac malware infections, he said, are the result of users unwittingly running infected software. He pointed at the recently identified Silver Sparrow malware, which managed to infect over 30,000 Macs in a matter of weeks, despite the need for user interaction.
Apple has implemented interrelated mechanisms over the years to reduce the threat of interaction-based malware, such as File Quarantine in 2007 (Mac OS X Leopard), Gatekeeper in 2012 (Mac OS X Lion v10.7.5), and Applications Notarization in 2020 (macOS 10.15).
Thanks to this bug, Wardle explained, 'it is possible to craft a malicious application that though unsigned (and hence unnotarized) is misclassified and thus is allowed to launch with no prompts or alerts. This effectively reverts aspects of macOS security back to pre-2007 levels.'
The logic flaw Wardle mentioned has to do with a code oversight that misclassifies a script-based application (run via the shell, /bin/sh) without an Info.plist configuration file as 'not a bundle,' which means the script can execute without any Gatekeeper alerts or permission prompts. It's been around since the release of macOS Catalina 10.15 in 2019.
Objective See's free BlockBlock security tool has a mode to detect apps that aren't Notarized, like a malicious script attempting to exploit the Gatekeeper bypass. So too apparently does Jamf Protect, an enterprise product.
Wardle said he and former colleagues at security firm Jamf found Mac malware that exploits this bug in the wild earlier this month.
According to Jaron Bradley, macOS detections expert at Jamf, the malware detected using this technique is an updated version of Shlayer, a family of malware discovered in 2018 that's one of the most commonly seen forms of Mac malware.
'One of our detections alerted us to this new variant, and upon closer inspection we discovered its use of this bypass to allow it to be installed without an end user prompt,' Bradley explained in a message to The Register. 'Further analysis leads us to believe that the developers of the malware discovered the zero day and adjusted their malware to use it, in early 2021.'
Shlayer's goal is to install adware on the victim's computer, so the malware authors can profit from ad revenue, said Bradley, noting that the earliest sample using the Gatekeeper bypass technique was spotted on January 9, 2021.
Owens said he reported the bug to Apple on March 25. Apple fixed the issue five days later in a macOS Big Sur 11.3 beta release, said Wardle, based on scouring for changed strings in the beta code. The official release of macOS Big Sur 11.3 should help close this particular hole once macOS users apply the update.
Typing Diacritics And Special Characters:
Adding Special Characters on a Macintosh
Fonts often contain many characters that don’t appear on the Apple keyboard. These characters include accented characters, math symbols, and special punctuation symbols. One simple way to access these characters is to press and hold the base character key for a second or so and you will see a popup menu with the extended character options. For instance, pressing and holding the “a” key will give you these options:
This works for all extended characters based on A, C, E, I, L, N, O, S, U, Y, and Z.
Another method is through key stroke commands. Use the following methods to insert special characters in standard desktop applications.
To insert special characters with the Mac keyboard
(Times New Roman font):
Accent | Key Strokes | Available Characters |
Grave ` | option ` + the character | À È Ì Ò Ù à è ì ò ù |
Acute ´ | option e + the character | Á É Í Ó Ú á é í ó ú |
Circumflex ^ | option i + the character | Â Ê Î Ô Û â ê î ô û |
Tilde ~ | option n + the character | Ã Ñ Õ ã ñ õ |
Umlaut ¨ | option u + the character | Ä Ë Ï Ö Ü Ÿ ä ë ï ö ü ÿ |
Key Stroke | +Option | +Option-Shift | Key Stroke | +Option | +Option-Shift |
A | å | Å | 0 | º | ‚ |
B | † | ¹ | 1 | ¡ | Ž |
C | ç | Ç | 2 | ™ | € |
D | | Î | 3 | £ | Ð |
E | ´ | 4 | ¢ | ð | |
F | ƒ | Ï | 5 | ƒ | Þ |
G | © | › | 6 | § | þ |
H | ™ | Ó | 7 | ¶ | ý |
I | ˆ | 8 | • | ° | |
J | | Ô | 9 | ª | · |
K | š | • | – | – en dash | — em dash |
L | ¬ | Ò | = | ‚ | ± |
M | µ | Â | [ | “ | ” |
O | ø | Ø | ] | ‘ | ’ |
P | ¼ | ½ | ´ | ª | |
Q | œ | Œ | ‘ | æ | Æ |
R | ® | ‰ | , | ¾ | ¯ |
S | ß | Í | . | „ | ˜ |
T | Ý | | ; | … | Ú |
U | ¨ | ` | ` | ||
V | ˆ | × | / | ÷ | ¿ |
W | … | „ | |||
X | ‰ | œ | |||
Y | ¥ | Á | |||
Z | ‡ | ¸ | |||