When Apple released macOS 11.3 on Monday, it didn’t just add new features and optimizations. More importantly, the company fixed a zero-day vulnerability that hackers were actively exploiting to install malware without triggering key Mac security mechanisms, some of which have been around for more than a decade.
Together, the defenses provide a comprehensive set of protections designed to prevent users from accidentally installing malware on their Macs. While one-click and even zero-click exploits rightly receive a lot of attention, it’s much more common to see trojan apps that disguise malware as a game, update, or other desired piece of software.
Protecting users from themselves
Apple engineers know that Trojans pose a greater threat to most Mac users than more sophisticated exploits that stealthily install malware with minimal or no user interaction. So a core part of Mac security relies on three related mechanisms:
- File quarantine requires explicit user confirmation before any file downloaded from the Internet can run
- Gatekeeper blocks the installation of apps unless they are signed by a developer known to Apple
- Mandatory app notarization allows apps to be installed only after Apple scans them for malware
Earlier this year, a piece of malware well known to Mac security experts began exploiting a vulnerability that allowed it to bypass all three mechanisms entirely. It’s called Shlayer, and it has compiled an impressive record in the three years since it first appeared.
Last September, for example, it managed to pass the security scan that Apple requires before it notarizes an app. Two years ago, it was delivered in an advanced campaign that used novel steganography to evade malware detection. And last year, Kaspersky said that Shlayer was the Mac malware most frequently detected by the company’s products, with nearly 32,000 different variants identified.
Shlayer’s exploitation of the zero-day, which began no later than January, was another impressive feat. Rather than using the standard Mach-O format for a Mac executable, the executable in this attack was a macOS shell script, which runs a series of command lines in a set order.
Normally, scripts downloaded from the Internet are classified as application bundles and are subject to the same requirements as other types of executable files. A simple trick, however, let scripts escape those requirements entirely.
Removing Info.plist, a structured text file that maps the locations of the files an app depends on, meant macOS no longer registered the script as an executable bundle. Instead, the file was treated as a PDF or another type of non-executable file that was not subject to Gatekeeper and the other mechanisms.
One of the attacks started with the display of an ad for a fake Adobe Flash update:
The videos below show what a big difference the exploit made when someone took the bait and clicked download. The first shows what the viewer saw without the restrictions; the second shows how much more suspicious the update would have looked if the restrictions had been in place.
The bug, which is tracked as CVE-2021-30657, was discovered and reported to Apple by security researcher Cedric Owens. He said he encountered it when he used a developer tool called Appify while researching for a “red team” exercise, where hackers simulate a real-life attack in an effort to find previously overlooked security vulnerabilities.
“I found that Appify was able to turn a shell script into a double-click ‘app’ (basically just a shell script in the macOS app directory structure, but macOS treated it like an app),” he wrote in a direct message. “And when it is executed, it bypasses Gatekeeper. I actually reported it pretty soon after discovering it and didn’t use it in a live red team practice.”
Apple fixed the vulnerability with the release of macOS 11.3 on Monday. Owens said the flaw appears to have existed since the release of macOS 10.15 in June 2019, when notarization was introduced.
Owens discussed the bug with Patrick Wardle, a Mac security expert who previously worked at Jamf, a Mac enterprise security provider. Wardle then contacted Jamf researchers, who discovered the Shlayer variant that exploited the vulnerability before it was known to Apple or most of the security world.
“One of our detections pointed us to this new variant, and upon closer inspection, we discovered it uses this bypass to allow it to be installed without an end-user prompt,” Jamf researcher Jaron Bradley told me. “Further analysis leads us to suspect that the developers of the malware discovered the zero-day and adapted their malware to use it in early 2021.”
Wardle developed a proof-of-concept exploit that showed how the Shlayer variant worked. Once downloaded from the Internet, the executable script appears as a PDF file called “Patrick’s CV”. When a user double-clicks the file, Calculator.app launches. The exploit could just as easily execute a malicious file.
In a 12,000-word deep dive into the causes and consequences of the exploit, Wardle concluded:
While this bug has now been patched, it clearly illustrates (again) that macOS isn’t impervious to incredibly superficial, but hugely impactful, bugs. How shallow? Well, the fact that a legit developer tool (appify) would accidentally trigger the bug is beyond laughable (and sad).
And how impactful? Essentially, macOS security (in the context of evaluating user-launched applications, which, remember, are responsible for the vast majority of macOS infections) has been completely questioned.
Bradley published a post explaining how the exploit looked and worked.
Many people consider malware like Shlayer to be unsophisticated because it relies on tricking its victims. To give Shlayer its due, the malware is highly effective, largely because of its ability to suppress the macOS defenses designed to tip off users before they accidentally infect themselves. Those who want to know whether they have been targeted by this exploit can download this Python script written by Wardle.
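The bypass described above (a script inside an .app directory structure with no Info.plist) is something a defender can check for on disk. The following is an added example in the spirit of the scan Wardle’s script performs; it is not Wardle’s script, Jamf’s code, or anything from the original article, and the sample bundles it builds under a temporary directory are constructed for illustration.

```python
import os
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Added example, not Wardle's script or Jamf's code: flag .app bundles whose main
# executable is a script ("#!" header) but which have no Contents/Info.plist, the
# bundle shape CVE-2021-30657 let past quarantine, Gatekeeper and notarization.

def main_executable(bundle: Path) -> Optional[Path]:
    # CFBundleExecutable from Info.plist when present, else first file in Contents/MacOS
    plist = bundle / "Contents" / "Info.plist"
    macos = bundle / "Contents" / "MacOS"
    if plist.is_file():
        try:
            with plist.open("rb") as fh:
                name = plistlib.load(fh).get("CFBundleExecutable")
            if name and (macos / name).is_file():
                return macos / name
        except Exception:
            pass  # malformed plist: fall back to the directory listing
    if not macos.is_dir():
        return None
    return next((e for e in sorted(macos.iterdir()) if e.is_file()), None)

def suspicious_bundles(root: str) -> List[Dict[str, str]]:
    # Walk root and report script-executable bundles that carry no Info.plist
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in (n for n in dirnames if n.endswith(".app")):
            bundle = Path(dirpath) / d
            exe = main_executable(bundle)
            has_plist = (bundle / "Contents" / "Info.plist").is_file()
            if exe and not has_plist and exe.read_bytes()[:2] == b"#!":
                findings.append({"bundle": str(bundle), "executable": str(exe)})
    return findings

def build_sample_tree() -> str:
    # Constructed fixture: Good.app carries an Info.plist, Bad.app does not
    root = Path(tempfile.mkdtemp())
    for name, with_plist in (("Good.app", True), ("Bad.app", False)):
        macos = root / name / "Contents" / "MacOS"
        macos.mkdir(parents=True)
        (macos / name[:-4]).write_bytes(b"#!/bin/sh\necho constructed sample\n")
        if with_plist:
            with (root / name / "Contents" / "Info.plist").open("wb") as fh:
                plistlib.dump({"CFBundleExecutable": name[:-4]}, fh)
    return str(root)
```

Run `suspicious_bundles("/Applications")` or against a Downloads folder to list bundles of this shape; on a patched macOS 11.3 system such a bundle is no longer launched without the usual checks, but its presence is still worth investigating.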