A serious vulnerability in macOS that could allow attackers to get malicious code onto a system by bypassing its built-in security and anti-malware checks was recently patched by Apple. The flaw had been exploited in the wild for the past couple of months by a variant of the infamous Shlayer adware dropper.

The bug was discovered by security researcher Cedric Owens and is tracked as CVE-2021-30657. Apple fixed it in the macOS 11.3 update released on Monday. What makes this vulnerability so problematic is that it allows an attacker to craft a malicious app that macOS's own security features never inspect, so the user is never warned before it runs.

According to Patrick Wardle, a macOS security researcher who analysed the bug at Owens's request, the flaw can be exploited to bypass the core protection features of macOS.

After Owens asked Wardle to investigate the bug further, it was confirmed that the flaw can be used to bypass these checks on macOS Catalina (specifically version 10.15.7) and on macOS Big Sur prior to the 11.3 update.

One obvious way to use this flaw is in a phishing campaign: all the victim has to do is open a malicious .dmg file and double-click the fake application inside it. The payload then runs immediately, without the usual Gatekeeper prompt telling the user that the app is from an unidentified developer or could not be verified, so nothing signals that something might be wrong.

An in-depth look at the vulnerability

According to Wardle's detailed report on the problem, the bug can be used to bypass File Quarantine, Gatekeeper and notarization, the three macOS security features that together form the main protective barrier between downloaded content and the targeted system.

Apple puts considerable emphasis on the security of its products, and the built-in protections of macOS are generally regarded as a strong baseline against downloaded malware even without third-party antivirus software. CVE-2021-30657, however, bypasses all three of these main protective features at once, something that has rarely been observed over the years.

File Quarantine was introduced with Mac OS X 10.5 Leopard. Browsers, mail clients and similar applications tag the files they download with a quarantine extended attribute (com.apple.quarantine), and on first launch macOS shows a pop-up asking the user for explicit permission before the file is executed. In practice, users tended to click through this warning, which often resulted in malware getting onto the system anyway.

The next security barrier introduced by Apple was Gatekeeper, first available with Mac OS X Lion 10.7. Gatekeeper's purpose is to block quarantined software that does not meet Apple's code-signing policies (by default, software without a valid Developer ID or App Store signature) from running on the system.

The third major security feature, app notarization, is the most recent, and it was introduced with macOS Catalina 10.15. Its goal is to further prevent users from accidentally downloading and running malicious software: developers must submit their apps to Apple's notarization service, which scans them for malware, and Gatekeeper only allows a downloaded app to run if it has been notarized.

A bug that bypasses all three of these checks lets an attacker run arbitrary code on the targeted Mac without the user ever seeing a warning. CVE-2021-30657 achieves this by causing macOS to misclassify the malicious app, so that it never goes through the security checks every downloaded app is supposed to pass before it is allowed to run. The key lies in how macOS identifies applications. A macOS app is not a single file but a bundle (a directory with a .app extension), and every bundle is expected to contain a property list, Contents/Info.plist, which tells the system how to treat the bundle, including which file inside it is the main executable.

By building an app bundle that omits this property list, an attacker triggers CVE-2021-30657: macOS miscategorizes the bundle and, as a result, lets it run without any of the regular security checks.

According to the researchers, an app that has no Info.plist file falls into the "not a bundle" category, and that classification allows it to be executed without being checked by the macOS security features. In the proof of concept and in the samples seen in the wild, the bundle's main executable was a shell script rather than a compiled binary.
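As an added example, not from the page or from the researchers' write-ups, the following Python script scans a directory for .app bundles and flags the shape described above: a bundle with no Contents/Info.plist whose Contents/MacOS payload is a script. The two sample bundles are constructed in a temporary directory so the script runs offline on any OS; on a real Mac you would point scan_directory() at ~/Downloads. Bundle names, the fake Mach-O header and the sample payload are assumptions for illustration.

```python
"""Structural check for downloaded .app bundles (added example, not from the page).

Flags app bundles that have no Contents/Info.plist and whose Contents/MacOS
payload is a script, the shape described in the CVE-2021-30657 write-ups.
Sample bundles are constructed below so the scan can run offline.
"""
import os
import plistlib
import tempfile
from pathlib import Path


def classify_bundle(app: Path) -> dict:
    """Return structural facts about one .app bundle plus a 'suspicious' verdict."""
    contents = app / "Contents"
    info = contents / "Info.plist"
    macos = contents / "MacOS"
    result = {
        "path": str(app),
        "has_info_plist": info.is_file(),
        "declared_executable": None,
        "executables": [],
        "script_executables": [],
        "suspicious": False,
    }
    if result["has_info_plist"]:
        with open(info, "rb") as f:
            result["declared_executable"] = plistlib.load(f).get("CFBundleExecutable")
    if macos.is_dir():
        for entry in sorted(macos.iterdir()):
            if not entry.is_file():
                continue
            result["executables"].append(entry.name)
            with open(entry, "rb") as f:
                # A shebang means a script; a Mach-O binary starts with a magic number.
                if f.read(2) == b"#!":
                    result["script_executables"].append(entry.name)
    # Heuristic from the write-ups: no Info.plist and a script payload.
    result["suspicious"] = not result["has_info_plist"] and bool(result["script_executables"])
    return result


def scan_directory(root: Path) -> list:
    """Classify every .app bundle found under root (recursively)."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                findings.append(classify_bundle(Path(dirpath) / d))
                dirnames.remove(d)  # do not descend into the bundle itself
    return findings


def build_sample_bundles(root: Path) -> None:
    """Create two constructed bundles: a well-formed one and a plist-less script bundle."""
    good = root / "Good.app" / "Contents"
    (good / "MacOS").mkdir(parents=True)
    with open(good / "Info.plist", "wb") as f:
        plistlib.dump({"CFBundleExecutable": "Good", "CFBundleIdentifier": "example.good"}, f)
    # Constructed stand-in for a compiled binary: 64-bit Mach-O magic plus padding.
    (good / "MacOS" / "Good").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 12)
    bad = root / "Installer.app" / "Contents" / "MacOS"
    bad.mkdir(parents=True)
    (bad / "Installer").write_bytes(b"#!/bin/sh\necho 'constructed sample payload'\n")
    (bad / "Installer").chmod(0o755)


def demo() -> list:
    """Build the constructed samples in a temp dir, scan them and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_bundles(root)
        findings = scan_directory(root)
    return findings


if __name__ == "__main__":
    for finding in demo():
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['path']}  Info.plist={finding['has_info_plist']}"
              f"  scripts={finding['script_executables']}")
```

The check is deliberately structural: it does not decide whether a bundle is malicious, only whether it has the shape that slipped past the policy checks on unpatched systems. On a Mac, combine it with the quarantine state of the file (xattr -p com.apple.quarantine path) to see which flagged bundles actually arrived via a browser or mail client.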

How the Bug got Exploited in the Wild

Once the flaw had been identified, Wardle contacted researchers at Jamf, a Mac security company, and asked them to check whether CVE-2021-30657 was already being exploited. According to the Jamf researchers, it was: malware using this bug had already been seen in the wild.

One notable example of a threat that exploited the bug is a version of the widespread Shlayer adware dropper, which Mac users have been struggling with for quite some time now.

What is different about this variant is that Shlayer has been repackaged in the specific bundle format that triggers CVE-2021-30657, allowing it to slip past Gatekeeper and the other checks.

Many security researchers already regard Shlayer as the number one threat to Mac computers, and the fact that it has now been repackaged to exploit CVE-2021-30657 makes it all the more problematic.

For now, the best thing Mac users can do is install the latest macOS update to protect themselves against attacks that try to exploit this bug. The version that fixes the flaw is macOS Big Sur 11.3, which was just released.