macOS Gatekeeper Security Feature Bypassed to Execute Malicious Code


Security researchers at Palo Alto Networks’ Unit 42 have uncovered significant vulnerabilities in macOS’s Gatekeeper security mechanism.

This discovery reveals how certain third-party applications and even some of Apple’s native command-line tools can inadvertently bypass Gatekeeper, potentially allowing malicious code to run unchecked on macOS systems.


Gatekeeper, a crucial security feature in macOS, is designed to ensure that only trusted software runs on the system. It achieves this by validating applications downloaded from outside the Apple App Store, confirming they are from verified developers and have not been tampered with.

However, the research shows that this protective measure can be circumvented due to inconsistencies in how some applications handle a specific metadata attribute called “com.apple.quarantine”.


The quarantine attribute is automatically added to newly downloaded files on macOS. When a user attempts to run a file with this attribute, Gatekeeper is triggered to perform its security checks.

However, researchers found that certain third-party utilities related to archiving, virtualization, and some of Apple’s command-line tools do not properly enforce or propagate this attribute.

Among the vulnerable applications identified were popular archiving tools such as iZip, Archiver, BetterZip, WinRAR, and the 7z Utility. These applications failed to maintain the quarantine attribute when extracting files from various archive formats, including ZIP, TAR, and 7Z.

Additionally, VMware Fusion was found to drop the quarantine attribute when copying files from a host machine to a guest macOS virtual machine.

Perhaps most surprisingly, some of Apple’s own native command-line tools, including curl, scp, unzip, and tar, do not enforce the quarantine attribute on downloaded or extracted files. This oversight in Apple’s own utilities underscores the complexity of maintaining a robust security ecosystem.

The implications of these findings are significant. Without the quarantine attribute, Gatekeeper does not scan the files, potentially allowing malicious code to execute without the user’s knowledge or consent.
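The check a defender wants after reading this is simple: does every file that came out of an archive, a download, or a VM copy still carry `com.apple.quarantine`? The following is an added example written for this article, not code from Unit 42 or from any of the tools named above. It parses the attribute's value (the semicolon-separated `flags;timestamp;agent;uuid` string that macOS stores) and reports which extracted files lost the attribute relative to their source archive. The sample archive attribute and extracted-file listing are constructed inline so the audit logic runs offline; the `read_quarantine` helper, which shells out to Apple's `xattr(1)` tool, only works on a real macOS host.

```python
"""Audit helper for the com.apple.quarantine extended attribute (added example)."""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int            # hex flag word as stored by LaunchServices
    timestamp: datetime   # when the file was quarantined (UTC)
    agent: str            # application that quarantined it, e.g. "Safari"
    uuid: str             # per-download identifier (may be empty for some agents)


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse the attribute value "<hex flags>;<hex unix seconds>;<agent>;<uuid>".

    Some agents omit the trailing fields, so only the first two are required.
    """
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    flags = int(parts[0], 16)
    ts = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2] if len(parts) > 2 else ""
    uuid = parts[3] if len(parts) > 3 else ""
    return QuarantineInfo(flags, ts, agent, uuid)


def read_quarantine(path: str) -> Optional[str]:
    """Read the attribute on macOS via the system xattr(1) tool.

    Returns None when the file has no quarantine attribute (xattr exits non-zero).
    Not called by the offline audit below; provided for use on a real host.
    """
    result = subprocess.run(
        ["xattr", "-p", QUARANTINE_XATTR, path],
        capture_output=True, text=True,
    )
    return result.stdout.strip() if result.returncode == 0 else None


def find_unquarantined(archive_attr: Optional[str],
                       extracted: Dict[str, Optional[str]]) -> List[str]:
    """Return extracted paths that should carry the attribute but do not.

    `archive_attr` is the source archive's quarantine value (None if it was never
    quarantined, in which case there is nothing to propagate). `extracted` maps
    each extracted path to its attribute value, or None when the attribute is
    absent. An archiver that propagates quarantine correctly yields an empty list.
    """
    if archive_attr is None:
        return []
    return sorted(path for path, value in extracted.items() if value is None)


def audit_extraction(archive_attr: Optional[str],
                     extracted: Dict[str, Optional[str]]) -> Dict[str, object]:
    """Summarise an extraction: who quarantined the source and what lost the tag."""
    source = parse_quarantine(archive_attr) if archive_attr else None
    missing = find_unquarantined(archive_attr, extracted)
    return {
        "source_agent": source.agent if source else None,
        "source_flags": source.flags if source else None,
        "missing_quarantine": missing,
        "gatekeeper_bypassed": bool(missing),
    }


# Constructed sample data: a Safari download and the files an archiver produced
# from it. The second file represents an extractor that dropped the attribute.
SAMPLE_ARCHIVE_ATTR = "0081;66a2f1c0;Safari;C0FFEE12-0000-4000-8000-000000000001"
SAMPLE_EXTRACTED = {
    "payload/README.txt": "0081;66a2f1c0;Safari;C0FFEE12-0000-4000-8000-000000000001",
    "payload/helper.sh": None,
}

if __name__ == "__main__":
    report = audit_extraction(SAMPLE_ARCHIVE_ATTR, SAMPLE_EXTRACTED)
    for key, val in report.items():
        print(f"{key}: {val}")
```

On a macOS host, replace the constructed dictionary with `{p: read_quarantine(p) for p in extracted_paths}` after extracting a quarantined archive with the tool under test; any path listed under `missing_quarantine` is one Gatekeeper will never be asked to evaluate.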

Attackers could exploit this vulnerability to bypass macOS’s built-in security measures and run harmful software on target systems.

Some developers have already begun addressing the issue in response to these findings. BetterZip, Archiver, and iZip have announced updates to their software to properly handle the quarantine attribute.

However, the broader issue of relying on third-party compliance for system-wide security remains a concern.

Users are advised to exercise caution when using third-party applications and to ensure their systems are up to date with the latest security patches. Meanwhile, Apple and third-party developers must work diligently to address these vulnerabilities and strengthen the overall security of the macOS ecosystem.



