Apple Patches MacOS Zero-Day Exploit
A new MacOS exploit pushes unchecked payloads to devices by bypassing Apple’s security tools when users attempt to use an infected installation package.
Apple Patches MacOS Bug
On Monday, April 26th Apple released MacOS 11.3, a security rollup patch which remediates multiple known attack vectors. Among these vectors is CVE-2021-30657, an exploit which has been used since January to push unchecked payloads to user computers by bypassing Apple’s security tools when a user attempts to use an infected installation package.
Under the Hood
Under normal circumstances, when a MacOS user opens an application installer, the installer is first put through Apple’s anti-malware detection suite. This process contains a multi-functional mesh of security checks and scans.
The first layer of the anti-malware mesh is the File Quarantine tag. Apple first started securing users against tainted downloads in OSX Leopard by implementing file quarantining. This security attribute marks un-identified files as unsafe by applying a quarantine tag to the file’s attributes. When opening files with the quarantine tag, access will either be prompted or denied, depending on the policies applied to the computer.
Iterating on the File Quarantine tags, Apple introduced an additional layer of security in OSX Lion named Gatekeeper. The macOS Gatekeeper checks code-signing information on all new files accessed by the system to ensure that the file conforms to system policies. If the file does not meet the system policy requirement, the access is either revoked or prompted depending on applied policies.
More recently, Apple introduced new functionality in macOS Catalina which requires pre-authorization by Apple before an application is released to the public with a process titled Notarization. With this new tool, software authors provide their software to Apple prior to public release for an automated security scan.
Once the scan completes, Apple provides an attribute tag for the software which verifies its authenticity and safety. If a user attempts to install software without this attribute, the software is flagged by the anti-malware suite and access is either denied or prompted based on computer policy.
Below is the prompt generated by the Notarization, Gatekeeper, and Quarantine processes working in concert to defend against a potentially dangerous executable.
How It Works
CVE-2021-30657 manages to bypass all layers of macOS’s anti-malware suite by re-building it’s payload bundles with specifically mischaracterized property files. When a re-bundled payload is passed through the detection suite, the file contents are not recognized by the File Quarantine and Notarization processes and are default allowed by the anti-malware tools.
Because payloads using the CVE-2021-30657 exploit are default allowed, the Gatekeeper process never gets activated and the user is never given a security prompt. Instead, the payload is quietly executed, and the computer becomes compromised. In its current iteration, the well-known malware suite Shlayer is known to use CVE-2021-30657 to silently push payloads to endpoints while masquerading as an Adobe Flash Player update.
There are two major takeaways from CVE-2021-30657.
First, never download applications from untrusted or third-party sites. Where possible, always install applications from the Mac App store or directly from well-known publishers like Microsoft or Adobe. When installing software not found on the Mac App store, make sure you are on the publishers’ website, and not a third-party website. These unsecure sites may contain reuploads of authentic software packages which contain software exploits similar to CVE-2021-30657.
Second, make sure that you keep your operating system up to date. MacOS 11.3 introduces patches which safeguard against CVE-2021-30657 and ensures that users are correctly prompted or denied before executing potentially dangerous executables.
How Syxsense Secure Can Help
Syxsense Secure provides automated patch management, vulnerability scanning, and IT management. It can detect if an endpoint is vulnerable to CVE-2021-30657 and deploy the corresponding security update efficiently, before any damage is done.
Syxsense Secure also provides the ability to push software to endpoint devices, limiting the attack surface of your company and providing your end users with safe access to the tools they need. Syxsense Secure also includes advanced features such as patch supersedence, patch roll back, and a wealth of automation and configuration features.
Further, it provides a three-hour turnaround for the testing and delivery of new patches as well as technology to send software and patches across the wire once, using peer-to-peer within the network for local distribution.