- A researcher has found how the Shlayer malware on macOS works and how Gatekeeper is bypassed.
- Apple has fixed the logic flaw, but its exploitation has been going on for at least two years now.
- All macOS versions between 10.15 and 11.2.3 and both processor architectures are affected.
Apple’s macOS is one of the most secure operating systems out there, with multiple layers and mechanisms in place to catch threats and stop them before they have the chance to unfold. As researcher Cedric Owens discovered, though, there’s a logic vulnerability that, if exploited, lets one essentially bypass all of that security on macOS.
Tracked as “CVE-2021-30657”, the flaw enables a malicious application to bypass Gatekeeper checks, so anything (including malware executables) can run on macOS as if it carried a valid Apple-issued certificate.
The bug was fixed by Apple yesterday with the release of macOS Big Sur 11.3, but its exploitation has been going on for a while. The researcher who discovered the vulnerability shared the finding with another expert in the field, Patrick Wardle, who found that this is how malware like “Silver Sparrow” and “Shlayer” managed to bypass Apple’s notarization process, so that mystery is solved. However, this also means the flaw has been under active exploitation for over two years now.
At this point, you should treat updating your macOS as a top priority, but any existing infections won’t go away on their own. Thankfully, we have a detailed guide on locating and removing “Silver Sparrow” from your Apple computer, so make sure to check it out.
The trick lies in the way the malware authors package their macOS applications, which essentially exploits a logic flaw. By taking out the property list file that normally tells macOS where an app’s components are, and then repackaging the executable without a quarantine attribute, Owens found that macOS treats it as a local file, so Gatekeeper isn’t even summoned for a check.
Although this bypass was known for second-stage payloads all this time, the question of how the initial malware managed to get past Gatekeeper remained, and that question has now been answered. As the researchers discovered by digging deeper, this logic flaw appears to have been introduced with the new notarization logic in macOS 10.15. This was an attempt to further secure the system from malware, but apparently, it backfired.
Another thing to note is that the researchers had to perform their analysis on an Intel-based macOS Big Sur 11.2.3 system, as M1 systems hinder debugging. That’s very bad for security research, and this is a worrying example of it. However, the logic flaw should be present on M1-based systems too, since the underlying architecture is irrelevant.
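As an added, defender-side illustration (not code from the article, Apple or the researchers), the script below audits a directory of .app bundles for the packaging shape described above: a bundle with no Contents/Info.plist, plus whether the com.apple.quarantine attribute is present on it. The bundle layout, the sample bundles and the function names are constructed for this example.

```python
# Added example, not code from the article, Apple or the researchers: a
# defender-side audit that flags .app bundles missing Contents/Info.plist
# (the property-list gap the article describes) and reports whether the
# com.apple.quarantine attribute is set. The sample bundles are constructed.
import os
import tempfile
from pathlib import Path

QUARANTINE_XATTR = "com.apple.quarantine"  # attribute Gatekeeper keys off

def has_quarantine_xattr(path: Path) -> bool:
    """True if the quarantine attribute is set. os.getxattr exists only on
    Linux/macOS and the name is macOS-specific, so anything else reads as absent."""
    try:
        os.getxattr(path, QUARANTINE_XATTR)
        return True
    except (OSError, AttributeError):
        return False

def audit_bundle(bundle: Path) -> dict:
    """Collect the facts a reviewer wants for one .app directory."""
    contents = bundle / "Contents"
    macos_dir = contents / "MacOS"
    execs = sorted(p.name for p in macos_dir.iterdir()) if macos_dir.is_dir() else []
    return {
        "bundle": bundle.name,
        "info_plist_present": (contents / "Info.plist").is_file(),
        "executables": execs,
        "quarantined": has_quarantine_xattr(bundle),
    }

def find_suspicious(root: Path) -> list:
    """Bundles under root with no Info.plist: the shape that dodged Gatekeeper."""
    audits = (audit_bundle(p) for p in sorted(root.rglob("*.app")) if p.is_dir())
    return [a for a in audits if not a["info_plist_present"]]

def build_sample_tree() -> Path:
    """Constructed fixture: one normal bundle and one with no Info.plist."""
    root = Path(tempfile.mkdtemp())
    for name, with_plist in (("Good.app", True), ("Odd.app", False)):
        macos_dir = root / name / "Contents" / "MacOS"
        macos_dir.mkdir(parents=True)
        (macos_dir / "run").write_text("#!/bin/sh\necho hello\n")
        if with_plist:
            (root / name / "Contents" / "Info.plist").write_text("<plist/>")
    return root

if __name__ == "__main__":
    for finding in find_suspicious(build_sample_tree()):
        print(finding)
```

Pointing `find_suspicious` at `/Applications` or a download folder on a Mac lists bundles worth a closer look; a missing Info.plist is unusual for a legitimately built app.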