Apple released updates for macOS, WebKit Storage, and iCloud for Windows to address actively exploited zero-day vulnerabilities. The macOS flaw could allow attackers to circumvent all of the system's security protections and install unverified software on Macs, while the bugs in iCloud for Windows could allow attackers to run cross-site scripting attacks and corrupt kernel memory.
The macOS CVE-2021-30657 flaw was reported to Apple by security engineer Cedric Owens on March 25, 2021.
Apple’s macOS ships with a protective feature, Gatekeeper, which ensures that only trusted apps run on the system by checking that the app has passed an automated “app notarization” process in which Apple scans the software for malicious content.
A flaw in the Gatekeeper app notarization process allowed cybercriminals to circumvent the security checks:
“An unsigned, unnotarized, script-based proof of concept application […] could trivially and reliably sidestep all of macOS’s relevant security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements), even on a fully patched M1 macOS system,” security researcher Patrick Wardle explained in a report. “Armed with such a capability macOS malware authors could (and are) returning to their proven methods of targeting and infecting macOS users.”
The flaw uncovered by Owens could enable an attacker to craft a rogue app that deceives Gatekeeper. The researcher explained that the app achieves this by packaging a malicious shell script as a “double-clickable app”, so that the malware runs like a regular app.
“It’s an app in the sense that you can double click it and macOS views it as an app when you right click -> Get Info on the payload,” Owens said. “Yet it’s also shell script in that shell scripts are not checked by Gatekeeper even if the quarantine attribute is present.”
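The bypass described above hinges on an app bundle whose main executable is an interpreted script rather than a compiled binary. As an added, defender-side example (not code from Apple, Owens, or Wardle), the scanner below walks a directory tree, inspects every `.app` bundle it finds, and flags bundles whose `Contents/MacOS` executable starts with a `#!` shebang or that lack `Contents/Info.plist`; the bundle names and file contents in `build_sample` are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def is_script_executable(path: Path) -> bool:
    """True if the file starts with a '#!' shebang, i.e. it is an interpreted script."""
    try:
        with path.open("rb") as f:
            return f.read(2) == b"#!"
    except OSError:
        return False


def inspect_bundle(app_dir: Path) -> dict:
    """Collect the indicators we care about for one .app bundle."""
    contents = app_dir / "Contents"
    macos = contents / "MacOS"
    finding = {
        "bundle": app_dir.name,
        "has_info_plist": (contents / "Info.plist").is_file(),
        "script_executables": sorted(
            e.name for e in macos.iterdir() if e.is_file() and is_script_executable(e)
        ) if macos.is_dir() else [],
    }
    # A script as the main executable, or a bundle with no Info.plist, is worth a look.
    finding["flagged"] = bool(finding["script_executables"]) or not finding["has_info_plist"]
    return finding


def scan(root: Path) -> list:
    """Return the findings for every flagged .app bundle under root."""
    flagged = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.endswith(".app"):
                finding = inspect_bundle(Path(dirpath) / d)
                if finding["flagged"]:
                    flagged.append(finding)
    return flagged


def build_sample(root: Path) -> None:
    """Constructed sample: one ordinary-looking bundle and one script-based bundle."""
    good = root / "Good.app" / "Contents"
    (good / "MacOS").mkdir(parents=True)
    (good / "Info.plist").write_text("<plist/>")
    (good / "MacOS" / "Good").write_bytes(b"\xcf\xfa\xed\xfe fake Mach-O header")
    bad = root / "Update.app" / "Contents" / "MacOS"
    bad.mkdir(parents=True)  # deliberately no Info.plist
    (bad / "dropper").write_text("#!/bin/sh\necho constructed sample\n")


def demo() -> list:
    root = Path(tempfile.mkdtemp())
    build_sample(root)
    return scan(root)
```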
According to macOS security firm Jamf, the operators behind the Shlayer malware have been abusing this Gatekeeper flaw since January 9, 2021. Shlayer accounted for almost 30% of all malware on macOS, according to Kaspersky statistics for 2019.
Attackers distributed the fake app via search engines using a technique called search engine poisoning, or spamdexing. They manipulated search engine results so that malicious links were shown to users and redirected them to a web page prompting them to download a fake app update. The update carried additional payloads, including Bundlore adware and more serious malware such as ransomware and surveillanceware.
Another patch addressed a critical flaw, CVE-2021-30661, in WebKit Storage that allowed arbitrary code execution on iOS, macOS, tvOS, and watchOS. According to Apple, attackers may have exploited the bug by means of maliciously crafted web content.
“Apple is aware of a report that this issue may have been actively exploited,” the company said in a security report, adding it addressed the use-after-free weakness with improved memory management.
Finally, Apple also updated iCloud for Windows with patches for four security issues in WebKit and WebRTC. The flaws allowed an attacker to perform cross-site scripting attacks (CVE-2021-1825) and corrupt kernel memory (CVE-2020-7463).