Microsoft helped Apple improve macOS’ Gatekeeper

macOS infections usually result from users running malware themselves, naturally in the belief that they are using benign software. For ten years, Gatekeeper has been designed, among other things, to protect against this mistake. When a user downloads a file, macOS adds the attribute com.apple.quarantine to it. Before a file marked in this way is opened, Gatekeeper verifies that its code is validly signed and verified. If so, the user still has to allow execution; if not, macOS refuses to process the file any further. As simple as that sounds, it is difficult in practice.

Security researchers and attackers keep finding ways to circumvent this protection. Some find a way to prevent the quarantine attribute from being set at all: absurdly long path names have been used to displace the attribute (CVE-2021-1810), as have compressed archives (CVE-2022-22616) and external storage media with certain file system formats (CVE-2019-8656). Other methods leave the attribute untouched and instead target the functions that are supposed to enforce the security rules (e.g. CVE-2014-8826, CVE-2021-30657, CVE-2021-30853).

Microsoft’s security research team (“Security Threat Intelligence”) took inspiration from the trick with the absurdly long path names and indeed found another way to bypass macOS Gatekeeper. Microsoft has dubbed its method Achilles. Instead of making the quarantine attribute disappear, however, the Microsoft researchers set a different, extended attribute: in addition to the basic file modes that determine who may read, modify or execute a file, macOS knows attributes that govern other rights, for example who may change attributes, who may change a file’s ownership or who may delete it altogether.

This is done via the attribute com.apple.acl.text. It can be attached directly to the file (AppleSingle) or stored in a separate file (AppleDouble, file name starting with “._”) that accompanies the main file. In July, Microsoft found that when unpacking archives, macOS always evaluated AppleDouble files (unless they are extremely large) and applied the attributes they contained to the main file.

This prevented macOS from setting the intended com.apple.quarantine attribute. And without com.apple.quarantine, Gatekeeper does not kick in. Achilles was born. An attacker could thus have put the malware and the AppleDouble file into a zip archive. Had a user downloaded and unpacked it, Gatekeeper would not have prevented the malware from running. After Microsoft notified Apple (CVE-2022-42821), a security patch against Achilles was quickly distributed.
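From a defender's point of view, the tell-tale sign of this technique in a download is a “._” AppleDouble companion inside an archive that carries com.apple.acl.text. The following scanner is an added example and not code from Microsoft, Apple or this article; it assumes the AppleDouble extended-attribute layout from Apple's open-source vfs_xattr.c (AppleDouble header, entry table, and an “ATTR” header behind the 32-byte Finder Info entry) and builds its own constructed sample archive with a dummy attribute value.

```python
import io
import struct
import zipfile

ADOUBLE_MAGIC, FINDERINFO_ID = 0x00051607, 9  # macOS stores xattrs behind Finder Info

def appledouble_xattr_names(blob):
    """Extended-attribute names in an AppleDouble blob (layout assumed from Apple's
    vfs_xattr.c: header, entry table, then an 'ATTR' header after 32 bytes Finder Info)."""
    if len(blob) < 26 or struct.unpack(">I", blob[:4])[0] != ADOUBLE_MAGIC:
        return []
    names = []
    for i in range(struct.unpack(">H", blob[24:26])[0]):
        eid, off, length = struct.unpack(">III", blob[26 + 12 * i:38 + 12 * i])
        hdr = off + 32
        if eid != FINDERINFO_ID or length <= 32 or blob[hdr:hdr + 4] != b"ATTR":
            continue
        pos = hdr + 36                                  # first attr_entry
        for _ in range(struct.unpack(">H", blob[hdr + 34:hdr + 36])[0]):
            namelen = blob[pos + 10]                    # length incl. trailing NUL
            names.append(blob[pos + 11:pos + 10 + namelen].decode("utf-8", "replace"))
            pos += (11 + namelen + 3) & ~3              # ATTR_ENTRY_LENGTH, 4-aligned
    return names

def find_acl_carriers(zip_bytes, xattr="com.apple.acl.text"):
    """Names of '._' members whose AppleDouble payload carries the given xattr."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base.startswith("._") and xattr in appledouble_xattr_names(zf.read(info)):
                hits.append(info.filename)
    return hits

def build_sample_appledouble(xattr_name, value):
    """Constructed test input: minimal AppleDouble with one xattr (value is a dummy)."""
    namelen = len(xattr_name) + 1
    entry_len = (11 + namelen + 3) & ~3
    data_off = 70 + 36 + entry_len          # hdr(26)+1 entry(12)+Finder Info(32)+ATTR hdr(36)
    entry = struct.pack(">IIHB", data_off, len(value), 0, namelen)
    entry += (xattr_name.encode() + b"\0").ljust(entry_len - 11, b"\0")
    attr_hdr = b"ATTR" + struct.pack(">IIII12xHH", 0, 0, data_off, len(value), 0, 1)
    finder = b"\0" * 32 + attr_hdr + entry + value
    return struct.pack(">II16xHIII", ADOUBLE_MAGIC, 0x00020000, 1, FINDERINFO_ID, 38, len(finder)) + finder

def build_sample_zip(xattr_name):  # constructed archive: dummy program plus '._' companion
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Demo/demo.sh", b"#!/bin/sh\necho hi\n")
        zf.writestr("Demo/._demo.sh", build_sample_appledouble(xattr_name, b"dummy"))
    return buf.getvalue()
```

A patched macOS no longer applies such attributes on extraction; the scan is useful for flagging untrusted archives on gateways or endpoints that may still be unpatched.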

Without the update, however, there is no protection. Incidentally, Apple’s “Lockdown Mode” does not protect against Achilles, as Microsoft expressly warns. This optional protection is designed for users who are particularly exposed to attacks. Lockdown Mode is intended to prevent malicious code from being executed remotely without user interaction. Achilles, however, relies on the person in front of the device deeming the file benign and clicking on it.

(ds)