Apple Issues Patch for Critical Anti-Malware Bypass Flaw

Author: Melodie Foster

Date: 28th April 2021

The zero-day flaw exists in MacOS where it can bypass anti-malware functions put in place and would allow an attacker to craft a payload which would not be detected by the security features designed to keep malware out.

Cedric Owens, a security researcher who first discovered the vulnerability said that “this payload can be used in phishing and all the victim has to do is double-click to open the .dmg and double-click the fake app inside of the .dmg–no pop ups or warnings from macOS are generated.”

The flaw works by bypassing three key anti-malware detections – File Quarantine, Gatekeeper and Notarization. File Quarantine provides the first warning to users that requires confirmation before allowing a recently downloaded file to execute. Since users kept ignoring the warnings and subsequently letting malware pass through, Gatekeeper was introduced which checks the code-signing information of downloaded files and will then block those that do not meet system policies. Notarization is the newest feature which ensures that downloaded files have been scanned and approved before it will be allowed to run.

The bug can bypass the aforementioned features because of how MacOS identifies files, as they are identified as bundles of different files as opposed to single entities. The bundles include a list of properties that will tell the app where specific files it needs to use are located. However, by taking out the property file and crafting a bundle in a specific way, MacOS will misclassify the file as “not a bundle” and will therefore be allowed to execute with no alerts or prompts.

The vulnerability has been patched in MacOS 11.3 which was released by Apple on Monday and since researchers have found this flaw has been exploited in the wild since at least January 9^th, it is recommended to patch your MacOS.[1]

[1] https://threatpost.com/apple-patches-macos-bug-bypass-defenses/165611/

Other resources

Cyber Success Stories

Arcturus cybersecurity consultants work with everyone from public sector bodies and global businesses to SMEs and start-ups. Read our success stories here.
Find out more >

What can Arcturus do for you?

Check out our factsheets for detailed information on the matrix of cybersecurity products and services we offer to protect your business.
Find out more >

Arcturus Deep Dives

Arcturus cybersecurity consultants explore issues in cyber threat intelligence, incident planning and data security. Read our whitepapers to help make decisions that benefit your business.
Find out more >

Cookie Name	Expiration Time	Description
_ga	2 years	Used to distinguish users.
_gid	24 hours	Used to distinguish users.
_gat	1 minute	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>.

_gac_<property-id>	90 days	Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out.
__hstc	13 months	The main cookie for tracking visitors.
hubspotutk	13 months	This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.
__hssc	30 minutes	This cookie keeps track of sessions.
__hssrc	End of session	Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser.

Apple Issues Patch for Critical Anti-Malware Bypass Flaw

Author: Melodie Foster

Date: 28th April 2021

Other resources

Cyber Success Stories

What can Arcturus do for you?

Arcturus Deep Dives

Recent Posts

Recent Comments

Archives

Categories

Meta