When Apple released the latest version 11.3 for macOS on Monday, not only new functions and optimizations were supported. More importantly, the company fixed a zero-day vulnerability that hackers actively exploited to install malware without triggering key Mac security mechanisms, some of which have been around for more than a decade.
Together, the protections provide comprehensive protection that prevents users from accidentally installing malware on their Macs. While one-click and even zero-click exploits rightly get a lot of attention, it is far more common to see Trojanized apps disguising malware as a game, update, or other desirable software.
Protect users from themselves
Apple engineers know that Trojans pose a greater threat to most Mac users than more sophisticated exploits that stealthily install malware with minimal or no user interaction. So a key part of Mac security relies on three related mechanisms:
- File quarantine requires explicit user confirmation before a file downloaded from the Internet can be executed
- Gatekeeper blocks the installation of apps unless they have been signed by a developer known to Apple
- The mandatory notarization of apps allows apps to be installed only after Apple has scanned them for malware
Earlier this year, malware known to Mac security experts began to exploit a vulnerability that allowed it to completely suppress all three mechanisms. It’s called Shlayer and has had an impressive record in the three years since it was first published.
Last September, for example, Apple succeeded in passing the security scan required by Apple to authenticate apps. It was delivered two years ago in a sophisticated campaign that bypassed malware detection using a new type of steganography. And last year, Kaspersky said Shlayer was the most common Mac malware detected by the company’s products. Almost 32,000 different variants were identified.
Shlayer’s zero-day exploitation, which began no later than January, was another impressive achievement. Instead of using the standard Mach-O format for a Mac executable file, the executable component in this attack was the macOS script, which executes a series of line commands in a specific order.
Typically, scripts downloaded from the Internet are classified as application packages and are subject to the same requirements as other types of executable files. However, a simple hack allowed the scripts to evade these requirements entirely.
Removing the info.plist file – a structured text file that maps the location of the files on which it depends – no longer registers the script as an executable bundle with macOS. Instead, the file was treated as a PDF or some other non-executable file that was not subject to Gatekeeper and the other mechanisms.
One of the attacks started when an ad was displayed for a fake Adobe Flash update:
The videos below show the big difference the exploit made when someone took the bait and hit download. The video directly below shows what the viewer saw with the restrictions removed. The following shows how much more suspicious the update would have looked if the restrictions had been in place.
Shlayer attack exploited by CVE-2021-30657.
Shlayer attack without exploiting CVE-2021-30657.
The bug, tracked as CVE-2021-30657, was discovered by security researcher Cedric Owens and reported to Apple. He said he found it while using a developer tool called Appify while looking for a “red team” exercise in which hackers simulate a real-world attack in order to find previously overlooked vulnerabilities.
“I found that Appify was able to turn a shell script into a double-clickable ‘app’ (actually just a shell script within the macOS app’s directory structure, but macOS treated it as an app),” he wrote in a direct message. “And when it is executed, it bypasses gatekeepers. I actually reported it pretty quickly after discovering it and didn’t use it in a live red team exercise. “
Apple fixed the vulnerability with the release of macOS 11.3 on Monday. Owens said the bug appears to have existed since macOS 10.15 was launched in June 2019 when authentication was introduced.
Owens discussed the bug with Patrick Wardle, a Mac security professional who previously worked at Jamf, a Mac security provider for businesses. Wardle then reached out to Jamf researchers who discovered the variant of Shlayer, which was exploiting the vulnerability before it became known to Apple or most of the security community.
“One of our discoveries brought this new variant to our attention, and upon closer inspection we found that this bypass can be used so that it can be installed without the end-user asking for it,” Jamf researcher Jaron Bradley told me. “Further analysis suggests that the malware developers discovered zero-day and adapted their malware for use in early 2021.”
Wardle developed a proof-of-concept exploit that showed how the Shlayer variant works. Once downloaded from the Internet, the executable script will be displayed as a PDF file named “Patrick’s Resume”. When a user double-clicks the file, a file called calculator.app is launched. The exploit could just as easily execute a malicious file.
In a 12,000 word dive examining the causes and effects of the exploits, Wardle concluded:
Although this bug has now been fixed, it clearly shows (again) that macOS is not immune to incredibly flat but extremely powerful bugs. How flat? Well the fact that a legitimate developer tool (Appify) would accidentally throw the error is more than ridiculous (and sad).
And how effective? Basically, macOS security (related to the evaluation of user-launched applications that make up the vast majority of macOS infections) has been completely challenged.
Bradley published a post in which he shared what the exploit looked like and worked.
Many people find malware like Shlayer undemanding because it relies on outsmarting its victims. To give Shlayer the right, the malware is highly effective, in large part due to its ability to suppress macOS defenses that aim to alert users before they accidentally infect themselves. Those who would like to know if they have been affected by this exploit can download this Python script written by Wardle.