A vulnerability was spotted in Apple’s macOS that hackers could abuse to run malicious applications capable of evading the tech giant’s strict security policies. The flaw, CVE-2022-32910, was addressed by Apple last July 20 as part of its macOS Big Sur 11.6.8 and Monterey 12.5 updates.
CVE-2022-32910 is rooted in the built-in Archive Utility of macOS and could allow hackers to launch unsigned and unnotarised apps without any security prompt appearing on the user’s device. Threat actors could achieve this with specially crafted archives.
Apple disclosed the macOS vulnerability promptly after it was discovered on May 31, and released patches on July 20.
Apple’s report on the vulnerability described it as a logic issue that could let an archive file evade Gatekeeper checks, which are designed to ensure that only trusted software runs on Apple’s OS.
Gatekeeper checks verify the legitimacy of every downloaded package on a device and ensure that it came from a trusted developer that Apple has notarised. The tech firm also notes that Gatekeeper requests user approval before opening any downloaded software for the first time, a step that is vital to guarantee that the software launching on a device is safe.
Note that archive files obtained online are tagged with the extended attribute “com.apple.quarantine”, which is what triggers the Gatekeeper check before the file is run on the device.
The flaw was discovered when researchers noticed that Archive Utility did not add the quarantine extended attribute to the folder it created when a user extracted an archive with two or more files or folders in its root directory.
If a threat actor creates an archive named “exploit.app.zip” with that layout, extracting it produces a folder named “exploit.app”, and that folder lacks the critical quarantine extended attribute.
Because of that missing attribute, the malicious app bypasses all Gatekeeper checks, allowing unsigned or unnotarised binaries to execute. Following these findings, Apple released a patch with improved Gatekeeper checks for macOS.
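As an added triage example (not Apple’s or the researchers’ code), the script below flags archives with the shape described above, a name ending in “.app.zip” and two or more entries at the archive root, and offers a post-extraction check for the quarantine attribute on macOS; the sample zip it builds is constructed in memory with placeholder contents.

```python
import io
import os
import zipfile

QUARANTINE_XATTR = "com.apple.quarantine"   # set by the downloading app on macOS

def root_entries(zf: zipfile.ZipFile) -> set:
    """Distinct top-level names in the archive (files or folders at its root)."""
    names = set()
    for info in zf.infolist():
        top = info.filename.strip("/").split("/", 1)[0]
        if top and top != "__MACOSX":        # Finder's resource-fork folder, ignore
            names.add(top)
    return names

def archive_matches_trigger(archive_name: str, data: bytes) -> bool:
    """True when the archive is named '<x>.app.zip' and holds >= 2 root entries,
    i.e. the shape a pre-fix Archive Utility extracted into an unquarantined
    '<x>.app' folder (CVE-2022-32910)."""
    if not os.path.basename(archive_name).lower().endswith(".app.zip"):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return len(root_entries(zf)) >= 2

def has_quarantine_xattr(path: str) -> bool:
    """Post-extraction check on macOS: does the folder carry the quarantine xattr?"""
    try:
        return QUARANTINE_XATTR in os.listxattr(path)
    except (OSError, AttributeError):        # not macOS, or path unreadable
        return False

def build_sample(two_roots: bool) -> bytes:
    """Constructed in-memory zip for demonstration; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if two_roots:   # bundle contents plus a second root entry
            zf.writestr("Contents/Info.plist", "<plist/>")
            zf.writestr("Contents/MacOS/sample", "#!/bin/sh\n")
            zf.writestr("README.txt", "second root entry\n")
        else:           # a single root folder: not the trigger shape
            zf.writestr("sample.app/Contents/Info.plist", "<plist/>")
    return buf.getvalue()

if __name__ == "__main__":
    for name, two in [("sample.app.zip", True), ("sample.app.zip", False), ("notes.zip", True)]:
        flagged = archive_matches_trigger(name, build_sample(two))
        print(name, "two roots" if two else "one root", "->", "flag" if flagged else "ok")
```

On a patched system the extracted folder should still be checked with `has_quarantine_xattr` after unarchiving; a missing attribute on a downloaded bundle is the condition worth alerting on.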