Apple Patches Worst Zero-Day Bug 'in Recent Memory'Attackers Have Been Exploiting Flaw to Sneak Adware Onto macOS Systems
There's one industry that has a particular knack for getting its hands on clever software vulnerabilities in macOS: the adware industry.
That ability has been demonstrated once again as Apple on Tuesday patched a zero-day vulnerability, CVE-2021-30657, that, if exploited, allows an attacker to effortlessly route around three essential anti-malware defenses in macOS: Notarization, Gatekeeper and File Quarantine.
The flaw was discovered by Cedric Owens, a lead offensive security engineer with Twilio, who reported the bug to Apple. It has been patched in macOS 11.3, which was released on Monday.
"In my opinion, it's the most problematic bug in recent memory in terms of its potential impact to end users," says Patrick Wardle, an Apple security expert who runs the Objective-See Mac security tool site. "This bug undermines essentially myriad foundational security components of macOS."
More bad news: After Wardle, Owens and other researchers started exploring the bug, they discovered that it was already being used to install first-stage malware called Shlayer, which leads to advertising software being installed. Such attacks have been occurring since at least Jan. 9, according to a blog post by Jaron Bradley of Jamf, which makes enterprise management tools for Apple products.
Shlayer is often encountered by victims through poisoned search engine results that lead to specially crafted malicious websites or legitimate sites that have been hijacked to hit users with malware, Bradley writes. Shlayer is a common Trojan encountered by Mac users: Kaspersky estimated that in 2019, one in 10 users running its Mac security software encountered Shlayer.
One of the most common Mac infection vectors is when users are tricked into downloading a malicious file, such as a fake Flash update, or advertising software. To defend against that scenario, Apple has improved its security defenses to give users plenty of warning if a file looks suspicious.
App developers can get their app "notarized" by Apple, which involves an automated scan for malicious content. Whenever a user tries to install an application, macOS checks to see if the software has passed Notarization. Another security technology, Gatekeeper, ensures only applications signed with a valid Apple developer certificate and Notarization get installed. A third check, called File Quarantine, warns if an application comes from an unknown source, such as the internet.
The vulnerability that's been patched by Apple, however, allows malware to avoid all of those checks, Wardle says.
"You can send someone an application disguised as a PDF document. You can host this on a website, and if they click it, it will run with no prompts, no alerts - it will skirt File Quarantine, it will skirt Gatekeeper and it will even skirt Notarization," Wardle says.
Owens, who posted a technical write-up that describes the bug, says he does macOS research in his free time to find issues that might help him in red-teaming exercises. That's how he discovered a subtle logic flaw deep in the macOS policy subsystem that occurs when a file is going through security checks.
"I had an idea where I started thinking about the macOS directory structure," Owens says. "I started thinking, 'Well, what if you put a script in place of a Mach-O?'" (Mach-O is an executable file that's part of a macOS application bundle.)
Owens says that he bundled up a proof-of-concept script using Appify, which can package shell scripts with long command strings into apps, for convenience. He ran it a couple of times, including downloading the POC from the internet, which triggered no security warnings from Apple.
"I'm, like: 'Oh, man, this is bad,'" Owens says. Referring to both Wardle and himself, he adds: "We both came to the conclusion that this is probably one of the worst - from an attacker payload perspective - we've seen on macOS because it gets around all of the security controls."
An application for macOS is actually a directory - or in Apple parlance, a bundle. Those bundles contain an info.plist file, which is metadata that contains extensive amounts of information, including the application's name and languages it supports.
Normally, the executable is a Mach-O executable. But that Mach-O file can be a script rather than a standard executable. That means when it runs, it is run by bash, which is Unix's shell and command language.
Usually, the system does its normal Gatekeeper, Notarization and File Quarantine checks. But if the info.plist file is missing from the bundle, the policy subsystem appears to get confused and OKs a file, regardless of whether it passed Apple's checks.
Wardle says he helped figure out the machinations behind the bug and why it was happening, which he's detailed in an extensive blog post.
Valuable Zero-Day - Used for Adware?
Apple's security mechanisms have been very successful in blunting attempts to sneak adware onto Macs, so it's no wonder that the adware industry stumbled across the bug while trying to figure new ways to circumvent those checks, Wardle says.
Advertising software is often composed of scripts, and it makes sense to try to bundle one without the info.plist file due to the potentially revealing metadata inside, he says.
"If shipping malware, you really don't want that metadata anyways, and it also creates a smaller application to deploy," Wardle says.
This particular zero-day bug was a slam dunk for adware purveyors because it let them return to old-school tactics of distributing malicious attachments via email, seeding fake updates onto websites and inserting Trojans into other software to get their script installed, he says.
But the bug would arguably be very valuable to anyone with malicious or unethical goals. Owens notes that the bug could have been used to do so much more damage than installing adware, such as installing network penetration and exploit tools or grabbing keys for Amazon Web Services and other cloud services.
Why would the adware industry restrict the flaw for just its own use? Wardle says the answer appears to be simple: The bug was a license to print money. "The adware authors, I think, are hugely financially motivated to continue to evolve and adapt," he says.