Apple on Monday issued a fix for a zero-day vulnerability in macOS, which was being actively exploited by cybercriminals for months in order to distribute the Shlayer malware.
In order to exploit the flaw (CVE-2021-30657), attackers could craft a fake application bundle, using a script as the primary executable. If the app is executed, the attackers would be able to bypass Apple’s core safeguard mechanisms that are in place to protect users from malware-laced downloads.
“This vulnerability is massively bad, as it affords malware authors the ability to return to their proven methods of targeting and infecting macOS users,” said security researcher Patrick Wardle in a deep-dive analysis of the vulnerability. “Though this bug is now patched, it clearly (yet again) illustrates that macOS is not impervious to... shallow, yet hugely impactful flaws.”
The flaw was first discovered by security researcher Cedric Owens, who reported it to Apple on March 25. The bug affects macOS Catalina 10.15 and macOS Big Sur prior to 11.3, the version Apple released on Monday. In the security advisory accompanying that release, Apple said the logic issue “was addressed with improved state management.”
Though the flaw was reported in March, researchers with Jamf found that it was being exploited in the wild by a variant of the Shlayer malware as early as Jan. 9. Shlayer is a trojan known for dropping adware and has been a top threat for Mac users for years: in 2020, for instance, Kaspersky researchers reported that Shlayer had been the most widespread macOS threat of 2019.
Jamf researchers noted that, similar to previous variants of the malware, this Shlayer variant was spread via poisoned search engine results, where an attacker creates malicious web pages using search engine optimization (SEO) tactics. These websites then rank higher in search engine results, meaning that users are more likely to click on them.
The flaw itself stems from a “subtle logic bug,” said Wardle, specifically existing in syspolicyd, which is an OS component that is core to Apple’s application analysis and approval process. This issue could allow unsigned, unnotarized applications to run that should be blocked, said Wardle.
Wardle said that the vulnerability could be exploited by a “script-based proof of concept application that could trivially and reliably sidestep all of macOS’s relevant security mechanisms… even on a fully patched M1 macOS system.”
To craft such a bundle, an attacker uses a script as the main executable (for instance myapplication.app/Contents/MacOS/myapplication, where “myapplication” is a bash script) and omits the Info.plist file, which normally carries an application’s metadata, such as the path to its executable, researchers noted. The bundle can then be placed in a macOS disk image (DMG) for distribution to victims.
“This payload can be used in phishing and all the victim has to do is double click to open the .dmg and double-click the fake app inside of the .dmg — no pop ups or warnings from macOS are generated,” said Owens.
Once the application is executed, the logic error allows it to bypass three core Apple security safeguards: File Quarantine, which tags downloaded files so that the user is warned and must explicitly confirm before one is opened for the first time; Gatekeeper, which checks the code signing information of downloaded items and blocks those that do not meet system policy; and notarization, Apple’s requirement that software be submitted to Apple for malware scanning before it is allowed to run without warnings.
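The two structural traits the researchers describe (no Info.plist, and a script rather than a Mach-O binary as the main executable) are easy to check for on disk. The following POSIX shell script is an added example, not code from the article, Jamf, Wardle or Owens; it flags bundles that have both traits, and builds a small constructed sample tree (the bundle names Fake.app, Good.app and Wrapper.app are hypothetical) so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the article or the researchers it cites): flag app
# bundles shaped like the one described above, i.e. no Contents/Info.plist
# and a main executable under Contents/MacOS/ that is a script ("#!") rather
# than a Mach-O binary. POSIX sh, so it runs over a mounted DMG, a Downloads
# folder, or the constructed sample tree built by make_sample_tree below.

# Print "script" or "binary" for a file, judged by its first two bytes.
# A script starts with "#!"; a Mach-O file starts with a magic number and never
# does. (head -c is supported by both macOS and GNU coreutils.)
exec_kind() {
    if [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]; then
        echo script
    else
        echo binary
    fi
}

# Walk ROOT for *.app directories and print the path of each bundle that
# lacks Info.plist AND whose main executable (Contents/MacOS/<bundle name>)
# is a script. Either trait alone is a weak signal (a script main executable
# with a valid Info.plist is unusual but legitimate), so only the pair is reported.
find_suspicious_bundles() {
    find "$1" -type d -name '*.app' | while IFS= read -r app; do
        name=$(basename "$app" .app)
        main="$app/Contents/MacOS/$name"
        if [ ! -f "$app/Contents/Info.plist" ] && [ -f "$main" ] \
            && [ "$(exec_kind "$main")" = script ]; then
            printf '%s\n' "$app"
        fi
    done
}

# Convenience wrapper: number of flagged bundles under ROOT, on stdout.
count_suspicious_bundles() {
    find_suspicious_bundles "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree (hypothetical bundle names) for offline use:
# one bundle shaped like the reported one and two benign controls.
make_sample_tree() {
    root=$1
    # Flagged: script as main executable, no Info.plist.
    mkdir -p "$root/Fake.app/Contents/MacOS"
    printf '#!/bin/sh\necho "payload would run here"\n' \
        > "$root/Fake.app/Contents/MacOS/Fake"
    chmod +x "$root/Fake.app/Contents/MacOS/Fake"
    # Not flagged: Info.plist present and a stub whose first bytes are the
    # 64-bit Mach-O magic (0xfeedfacf, stored little-endian on disk).
    mkdir -p "$root/Good.app/Contents/MacOS"
    printf '<?xml version="1.0"?><plist version="1.0"><dict/></plist>\n' \
        > "$root/Good.app/Contents/Info.plist"
    printf '\317\372\355\376' > "$root/Good.app/Contents/MacOS/Good"
    # Not flagged: script main executable, but Info.plist is present.
    mkdir -p "$root/Wrapper.app/Contents/MacOS"
    cp "$root/Good.app/Contents/Info.plist" "$root/Wrapper.app/Contents/"
    cp "$root/Fake.app/Contents/MacOS/Fake" "$root/Wrapper.app/Contents/MacOS/Wrapper"
}

# Usage: sh check_bundles.sh /Volumes/SomeMountedDMG
if [ "$#" -eq 1 ] && [ -d "$1" ]; then
    find_suspicious_bundles "$1"
fi
```

The structural check is platform-independent, so it also runs on a Linux triage box against an unpacked DMG. On a Mac, each hit is worth following up with `xattr -p com.apple.quarantine <path>` (is the quarantine tag present?), `codesign -dv <app>` (is it signed at all?) and `spctl --assess --type execute -v <app>` (what does Gatekeeper say?). It only catches this exact shape and is a triage aid, not a substitute for installing 11.3.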
It’s not the first time that the Shlayer malware has skirted Apple’s security mechanisms. In August 2020, for instance, researchers uncovered a campaign in which cybercriminals got Shlayer samples through Apple’s notarization process and used them to target macOS users. Jaron Bradley, analyst with Jamf, warned that Shlayer continues to reintroduce itself with innovative ways to infect macOS-based systems.
“Jamf recommends users ‘patch fast and patch often’ to keep their Mac up-to-date by upgrading macOS to version 11.3, which is available now through the Mac App Store and provides the latest protection against the vulnerabilities,” Bradley said.
Overall, the logic flaw was one of several macOS bugs patched by Apple on Monday. The slew of flaws included another actively-exploited vulnerability in WebKit Storage (CVE-2021-30661), a use-after-free issue that could allow for arbitrary code execution. According to the security alert, “Apple is aware of a report that this issue may have been actively exploited.”