Security researchers have published details of a now-fixed security hole in Apple’s macOS operating system. The flaw could have been exploited to run malicious programmes while bypassing Apple’s security safeguards.
The vulnerability, tracked as CVE-2022-32910, lies in the built-in Archive Utility and “could result in the execution of an unsigned and unnotarized application without displaying security prompts to the user, by using a specially crafted archive,” according to an analysis by Apple device management firm Jamf.
Apple fixed the problem in macOS Big Sur 11.6.8 and Monterey 12.5, released on July 20, 2022, following a responsible disclosure on May 31, 2022. On October 4, the tech giant added an entry for the bug to the security advisories it had previously published.
Apple described the defect as a logic issue: a specially crafted archive file could circumvent Gatekeeper checks, which are designed to ensure that only trusted software runs on the operating system.
According to Apple’s support documentation, Gatekeeper also asks for the user’s approval before opening downloaded software for the first time, to ensure that the user has not been tricked into launching executable code they believed to be a plain data file.
It is also worth noting that all contents of ZIP files downloaded from the internet are tagged with the “com.apple.quarantine” extended attribute, which triggers a Gatekeeper check before execution.
Jamf found, however, that when Archive Utility extracted an archive with two or more files or folders in its root directory, it failed to apply the quarantine attribute to the folder it created to hold them. The rename event below, recorded with the Endpoint Security framework, shows Archive Utility’s AUHelperService XPC helper moving that extracted folder from a temporary directory into the user’s Downloads folder.
{
  "event": "ES_EVENT_TYPE_NOTIFY_RENAME",
  "file": {
    "proc_path": "/System/Library/CoreServices/Applications/Archive Utility.app/Contents/XPCServices/AUHelperService.xpc/Contents/MacOS/AUHelperService",
    "destination": "/Users/jpcore/Downloads/myPictures",
    "original": "/private/var/folders/pp/slmzl7sd41z3h1rc4wqdndxr0000gn/T/com.apple.fileprovider.ArchiveService/TemporaryItems/NSIRD_ArchiveService_0uhVx9",
    "pid": 3718
  },
  "timestamp": "2022-09-16 14:43:19"
}
Thus, naming such an archive “exploit.app.zip” means that extracting it produces a folder named “exploit.app” (an application bundle) that carries no quarantine attribute.
Ferdous Saljooki, the Jamf researcher who found the bug, stated that this application “would circumvent all Gatekeeper checks enabling an unnotarized and/or unsigned binary to execute.” Apple said it addressed the problem with improved checks.
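As an added illustration (not code from the original report or from Jamf), the following Python script turns the rename event shown above into a detection: it flags renames performed by Archive Utility’s AUHelperService that land an .app bundle lacking the com.apple.quarantine attribute. The sample events, the demo_check stand-in and the xattr(1)-based check are assumptions of this example, and a result of None (attribute could not be checked) is deliberately not reported as a finding.

```python
import json
import os
import subprocess
from typing import Callable, Dict, Iterable, List, Optional, Union

ARCHIVE_HELPER = "AUHelperService"   # Archive Utility's XPC helper, as in the event above
QUARANTINE_XATTR = "com.apple.quarantine"
RENAME_EVENT = "ES_EVENT_TYPE_NOTIFY_RENAME"


def quarantine_present(path: str) -> Optional[bool]:
    """macOS check via xattr(1): True/False if it can answer, None if it cannot (no path, no tool)."""
    if not os.path.exists(path):
        return None
    try:
        res = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path], capture_output=True, text=True)
    except FileNotFoundError:       # xattr(1) absent, e.g. when not running on macOS
        return None
    return res.returncode == 0      # non-zero exit: the attribute is not set on the path


def flag_unquarantined_bundles(events: Iterable[Union[str, Dict]],
                               check: Callable[[str], Optional[bool]] = quarantine_present) -> List[Dict]:
    """Report renames by the archive helper that place an .app bundle lacking the quarantine xattr."""
    findings = []
    for raw in events:
        ev = json.loads(raw) if isinstance(raw, str) else raw   # accept JSON text or parsed dicts
        info = ev.get("file", {})
        if ev.get("event") != RENAME_EVENT or os.path.basename(info.get("proc_path", "")) != ARCHIVE_HELPER:
            continue
        dest = info.get("destination", "")
        if dest.lower().endswith(".app") and check(dest) is False:   # None (unknown) is not a finding
            findings.append({"pid": str(info.get("pid")), "destination": dest,
                             "timestamp": ev.get("timestamp", "")})
    return findings


# Constructed sample events modelled on the rename event above; not real captures.
SAMPLE_EVENTS = [
    {"event": RENAME_EVENT, "timestamp": "2022-09-16 14:43:19",
     "file": {"proc_path": "/System/Library/CoreServices/Applications/Archive Utility.app/"
                           "Contents/XPCServices/AUHelperService.xpc/Contents/MacOS/AUHelperService",
              "destination": "/Users/jpcore/Downloads/exploit.app", "pid": 3718}},
    {"event": RENAME_EVENT, "timestamp": "2022-09-16 14:44:02",   # Finder, not the helper: ignored
     "file": {"proc_path": "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
              "destination": "/Users/jpcore/Desktop/Notes.app", "pid": 402}},
]


def demo_check(path: str) -> Optional[bool]:
    """Stand-in for quarantine_present so the example runs off macOS: only exploit.app lacks the xattr."""
    return not path.endswith("/exploit.app")
```

Running `flag_unquarantined_bundles(SAMPLE_EVENTS, check=demo_check)` returns the single exploit.app finding; on a real Mac, feed it live Endpoint Security rename events and leave `check` at its default.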
The findings come more than six months after Apple patched a related bug (CVE-2022-22616) that could have allowed a malicious ZIP archive to circumvent Gatekeeper checks in macOS Catalina, Big Sur 11.6.5, and Monterey 12.3.