Microsoft specialists spoke in detail about the vulnerability CVE-2022-42821, which could be used to bypass Gatekeeper.
A week ago, Apple developers fixed the issue, dubbed Achilles, in macOS 13 (Ventura), macOS 12.6.2 (Monterey), and macOS 11.7.2 (Big Sur). Let me remind you that we also wrote that Apple leaves critical bugs unpatched in macOS Big Sur and Catalina, and that Apple fixed two 0-day vulnerabilities at once that threatened iOS, macOS and Safari.
Microsoft employees discovered the Achilles bug in July 2022. They explain that on macOS, files downloaded from the Internet are tagged with a special extended attribute, com.apple.quarantine. Gatekeeper checks for this attribute and blocks the launch of quarantined applications that are not signed or notarized by Apple. In short, the mechanism is similar to Mark-of-the-Web (MotW) in Windows.
The Achilles vulnerability allows a specially crafted payload to carry restrictive Access Control List (ACL) entries. As a result, when such a payload is downloaded from the Internet as a ZIP archive, the com.apple.quarantine attribute is not applied to its contents. A malicious application contained in the archive can therefore run on the victim’s system without Gatekeeper blocking it, which allows attackers to download and deploy malware on the machine.
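The two paragraphs above describe the attribute that Gatekeeper relies on and the ACL-in-ZIP trick that prevents it from being applied. The following scanner is an added example written for this article, not code from Microsoft or Apple: it inspects a ZIP archive for the AppleDouble side files (`__MACOSX/._name` entries, which is where macOS stores extended attributes when archiving) and flags any archived file whose side file carries an ACL under the xattr name `com.apple.acl.text`. The check is a byte-substring heuristic rather than a full AppleDouble parse, and the sample archives it builds are constructed in memory with placeholder content; nothing on the page supplies real samples.

```python
import io
import zipfile
from typing import List

# Name of the extended attribute macOS uses to carry an ACL inside an
# AppleDouble side file. A normal application archive has no reason to
# ship one, so its presence is worth surfacing to a responder.
ACL_XATTR_NAME = b"com.apple.acl.text"

# AppleDouble file magic (0x00051607) followed by version and filler.
# Used only to build a realistic-looking constructed sample below.
APPLEDOUBLE_HEADER = b"\x00\x05\x16\x07" + b"\x00\x02\x00\x00" + b"\x00" * 16


def suspicious_entries(zip_bytes: bytes) -> List[str]:
    """Return the archived file names (without the __MACOSX/._ prefix)
    whose AppleDouble side file contains an ACL extended attribute."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            parts = info.filename.split("/")
            # Side files live under __MACOSX/ and their basename starts with "._"
            if parts[0] != "__MACOSX" or not parts[-1].startswith("._"):
                continue
            if ACL_XATTR_NAME in zf.read(info):
                # Map the side file back to the payload it describes
                payload = "/".join(parts[1:-1] + [parts[-1][2:]])
                hits.append(payload)
    return hits


def build_sample(with_acl: bool) -> bytes:
    """Construct a small ZIP in memory (hypothetical app bundle, placeholder
    bytes) with an AppleDouble side file that optionally carries an ACL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tool.app/Contents/MacOS/Tool", b"placeholder binary")
        side = APPLEDOUBLE_HEADER
        if with_acl:
            # Placeholder ACL body; only the xattr name matters to the scanner
            side += ACL_XATTR_NAME + b"\x00placeholder-acl-text"
        zf.writestr("__MACOSX/Tool.app/Contents/MacOS/._Tool", side)
    return buf.getvalue()


if __name__ == "__main__":
    print("crafted archive:", suspicious_entries(build_sample(True)))
    print("benign archive:", suspicious_entries(build_sample(False)))
```

Run on a real archive by passing the file's bytes to `suspicious_entries`; a non-empty result means the extracted item should be checked with `xattr` before it is allowed to run, because the quarantine attribute may not have been written.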
Microsoft experts also commented on the effectiveness of Lockdown Mode, introduced in macOS Ventura as an additional protective feature for at-risk users who may become the target of targeted cyber attacks. Lockdown Mode, however, is designed to protect against zero-click exploits and therefore does not protect against Achilles.