F-Secure R&D discovers exploitable vulnerability in Apple’s macOS Gatekeeper
F-Secure R&D has discovered a vulnerability in macOS Gatekeeper that an attacker can exploit to infect unsuspecting users with malware. Attackers can compromise users with this vulnerability by manipulating them into downloading a specially crafted .zip file (for example, via phishing) that exploits the vulnerability, allowing them to bypass macOS Gatekeeper’s code signature and notarization checks.
The vulnerability, CVE-2021-1810, was originally discovered in late 2020. Apple released patches for both Big Sur and Catalina earlier this week. F-Secure has seen no evidence of this vulnerability being exploited in attacks, nor is it aware of any reports from third parties. However, there are other vulnerabilities addressed by the updates, so it’s important for users to patch as soon as possible.
Even though Apple has now issued patches for the vulnerability, we’re not planning on releasing a detailed writeup until users have had more time to update their devices (which we’re hoping is soon). However, at the core of the exploit is a specially crafted zip file.
For those of you that don’t know, Gatekeeper is a feature of the macOS operating system designed to protect the users of Mac computers against malware by preventing execution of software from untrusted sources. Basically, that means Gatekeeper blocks applications that aren’t signed with an Apple-issued certificate (Developer ID) and approved by Apple’s notarization service.
Any software distributed as a .zip file could contain an exploit for this vulnerability. There are a few mitigating factors though. For one, applications downloaded via Apple’s App Store are not affected by this issue. Similarly, applications delivered as macOS Installer packages (.pkg, .mpkg) contain an installer certificate which is verified independently from Gatekeeper. And F-Secure developed detections that prevent these files from running on machines using our endpoint protection products, so our users are safe.
Additionally, advanced users can manually inspect the code signature of any downloaded application using “codesign -v” and “codesign -dv” in Terminal.
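As an added example (this is not F-Secure's code and not part of the original post), the script below wraps the manual inspection described above into a small POSIX shell helper. It reads the quarantine attribute, runs codesign verification, asks spctl for the same assessment Gatekeeper makes at launch, and extracts the identifier, Team ID and leaf certificate from the codesign -dv description so they can be compared against what the vendor publishes. The spctl and xattr steps go beyond the two commands the post names; the application path and the two sample codesign outputs are constructed so that the parsing functions run anywhere, while the live checks only run on a machine that has codesign.

```shell
#!/bin/sh
# Added example: inspect a downloaded .app bundle before first launch.
# Sample outputs and paths below are constructed for illustration.

# Constructed sample of `codesign -dv --verbose=2 App.app 2>&1` for a Developer ID signed app.
SAMPLE_CODESIGN_OUTPUT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2021 at 00:00:00
Info.plist entries=20
TeamIdentifier=ABCDE12345
Runtime Version=11.0.0
Sealed Resources version=2 rules=13 files=40
Internal requirements count=1 size=200'

# Constructed sample for an ad-hoc signed app: no certificate chain, no Team ID.
SAMPLE_ADHOC_OUTPUT='Executable=/Users/me/Downloads/Unsigned.app/Contents/MacOS/Unsigned
Identifier=Unsigned
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=500 flags=0x2(adhoc) hashes=10+5 location=embedded
Signature=adhoc
Info.plist entries=10
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=5
Internal requirements count=0 size=12'

# Reduce a codesign -dv description to the three fields worth comparing against
# the vendor's published details. codesign prints this text on stderr, so callers
# capture it with 2>&1. The first Authority= line is the leaf (signing) certificate.
summarize_signature() {
    printf '%s\n' "$1" | awk -F'=' '
        /^Identifier=/               { id = $2 }
        /^TeamIdentifier=/           { team = $2 }
        /^Authority=/ && leaf == ""  { leaf = $2 }
        END { printf "identifier=%s team=%s leaf=%s\n", id, team, leaf }'
}

# True when the leaf certificate is an Apple-issued Developer ID Application cert.
# This only reads the description; trust is established by codesign --verify and spctl below.
is_developer_id() {
    printf '%s\n' "$1" | grep -q '^Authority=Developer ID Application: '
}

# Live checks, run only where the macOS tools exist.
inspect_app() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available (not macOS); skipping live checks" >&2
        return 2
    fi
    echo "quarantine attribute (set on downloads; this is what triggers Gatekeeper):"
    xattr -p com.apple.quarantine "$app" 2>/dev/null || echo "  (none)"
    # --deep walks nested code, --strict rejects bundles whose sealed resources do not match.
    codesign --verify --deep --strict --verbose=2 "$app"
    # Ask the same policy engine Gatekeeper consults; expect "accepted" with a notarized source.
    spctl --assess --type execute --verbose "$app"
    desc=$(codesign -dv --verbose=2 "$app" 2>&1)
    summarize_signature "$desc"
    if is_developer_id "$desc"; then
        echo "leaf certificate: Developer ID Application"
    else
        echo "leaf certificate: NOT a Developer ID Application certificate" >&2
        return 1
    fi
}

# Usage: sh inspect_app.sh /path/to/Downloaded.app
if [ $# -gt 0 ]; then
    inspect_app "$1"
fi
```

Compare the printed team identifier with the Team ID the vendor publishes rather than trusting the company name in the certificate subject alone, and treat a "rejected" from spctl or a failed codesign --verify as a reason not to launch the application. Installer packages (.pkg, .mpkg) carry their own installer signature and are outside what this helper checks.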
However, as mentioned earlier, everyone should update their software to ensure they’re safe from this and other threats.
Disclosure timeline:
2020-12-09 | Vulnerability discovered by F-Secure R&D
2020-12-11 | Vulnerability disclosed to Apple Product Security
2021-01-14 | Detection released to F-Secure endpoint protection products (F-Secure SAFE, F-Secure Computer Protection, F-Secure Client Security)
2021-04-22 | Apple acknowledges report will be credited in next update cycle
2021-04-26 | Apple releases Security Update 2021-002 Catalina and macOS Big Sur 11.3