SecureMac, Inc.

Mac 0-day bug can bypass key macOS security features

April 30, 2021

A Mac 0-day bug can bypass key macOS security features — and it’s being actively exploited by the bad guys.


This week’s macOS 11.3 update patches a very serious Mac 0-day bug — one that has already been exploited by bad actors. The bug allows malware to bypass core macOS security features (one researcher has called it “the worst flaw in recent macOS history”). In this article, we’ll tell you about the vulnerability, explain a bit about how it works, and let you know how to protect yourself.

Background and impact

The Mac 0-day bug (CVE-2021-30657) is a flaw in the way macOS evaluates files. It allows bad guys to create malware that is basically ignored by a Mac’s internal security features.

Normally, macOS requires apps to pass a few security checks before they can run. File Quarantine warns users that they’re about to launch an app downloaded from the Internet. Gatekeeper makes sure that the app hasn’t been tampered with, and that it has been signed with valid Apple Developer credentials. And App Notarization ensures that an app has passed an automated scan for malicious components.

These safeguards are there to make it harder for users to accidentally infect themselves with malware. But in this case, something went very, very wrong. An executable file that a.) wasn’t signed and b.) contained malicious components would simply run if double-clicked. To make matters worse, this would happen without any system dialogs or warnings at all! 

Unfortunately, this vulnerability is not just theoretical: Bad actors have already exploited it. Security teams at Jamf, an Apple device management company, have discovered a variant of the Shlayer adware dropper abusing this flaw in the wild.

How the Mac 0-day bug works

So how is it possible to create malware that bypasses fundamental macOS security features?

The answer is that this Mac 0-day bug is essentially an error in the way that macOS evaluates files. To quote security researcher Patrick Wardle (whose technical deep-dive is well worth reading in full):

Any script-based application that does not contain an Info.plist file will be misclassified as “not a bundle” and thus will be allowed to execute with no alerts nor prompts.

Applications (both malicious and legitimate) use a variety of code and resources. These constitute a “bundle”, and Gatekeeper always checks bundles. So how does macOS know that something is a bundle? Well, for starters, it treats certain file formats as bundles by default. This includes Mach-O files, which are the standard format for Mac executables. It also includes, as Wardle notes, “script-based applications”, which are “subject to policy checks”. App bundles, however, normally contain an Info.plist file (basically a directory of the app’s resources and configurations). This applies to script-based apps as well as standard Mach-O executables. The presence of an Info.plist file is one of the ways that macOS knows that something is an app.

So here’s where the bug comes in. If a script-based app is missing the Info.plist file, macOS will simply treat it as “not a bundle” (i.e. “not an executable”), and skip over all of the normal security checks for apps! This means that bad actors can create script-based malware, leave the Info.plist file out, and it will run. If a user downloads and double-clicks on a malicious app disguised as a non-executable file type (e.g. a PDF or an image file), the malware will launch without any warnings at all.
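To make the bundle shape described above concrete from a defender’s side, here is an added triage script (not SecureMac’s, Apple’s or Wardle’s code) that walks a directory for .app bundles and flags any whose main executable under Contents/MacOS is a script (starts with “#!”) while Contents/Info.plist is absent, which is exactly the combination the text says slipped past the checks before the 11.3 patch. It does not reproduce Apple’s real classification logic; it only inspects the on-disk layout, and the sample bundles at the bottom are constructed in memory for illustration. Treat a “suspicious” verdict as something to look at, not proof of malware, and patch regardless of what it reports.

```python
"""Added example: heuristic triage of .app bundles for the CVE-2021-30657 shape
(script-based main executable, no Contents/Info.plist). Not Apple's logic."""
import os
import struct

# Mach-O and universal ("fat") binary magic numbers, both byte orders,
# compared after reading the first four bytes as a big-endian integer.
MACHO_MAGICS = {0xFEEDFACE, 0xCEFAEDFE, 0xFEEDFACF, 0xCFFAEDFE, 0xCAFEBABE, 0xBEBAFECA}


def is_macho(head: bytes) -> bool:
    """True if the first bytes look like a Mach-O or fat binary header."""
    if len(head) < 4:
        return False
    return struct.unpack(">I", head[:4])[0] in MACHO_MAGICS


def is_script(head: bytes) -> bool:
    """True if the file starts with a shebang, i.e. a script-based executable."""
    return head.startswith(b"#!")


def classify_bundle(files: dict) -> dict:
    """files maps bundle-relative POSIX paths to the first bytes of each file.

    Returns has_plist, the kind of each main executable, and a verdict:
    normal / suspicious / malformed / no-main-executable.
    """
    has_plist = "Contents/Info.plist" in files
    # Main executables live directly under Contents/MacOS (exactly two slashes).
    execs = {p: c for p, c in files.items()
             if p.startswith("Contents/MacOS/") and p.count("/") == 2}
    kinds = {}
    for path, head in execs.items():
        if is_macho(head):
            kinds[path] = "mach-o"
        elif is_script(head):
            kinds[path] = "script"
        else:
            kinds[path] = "unknown"
    if not execs:
        verdict = "no-main-executable"
    elif not has_plist and "script" in kinds.values():
        verdict = "suspicious"      # the bundle shape the article describes
    elif not has_plist:
        verdict = "malformed"       # missing Info.plist, but not script-based
    else:
        verdict = "normal"
    return {"has_plist": has_plist, "executables": kinds, "verdict": verdict}


def read_bundle(app_path: str, head_len: int = 16) -> dict:
    """Build the mapping classify_bundle expects from a real .app directory."""
    files = {}
    for root, _dirs, names in os.walk(app_path):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, app_path).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    files[rel] = fh.read(head_len)
            except OSError:
                continue            # unreadable file: skip, do not crash the scan
    return files


def scan_tree(start: str) -> list:
    """Return (path, verdict) for every .app bundle found under start."""
    findings = []
    for root, dirs, _names in os.walk(start):
        for d in list(dirs):
            if d.endswith(".app"):
                path = os.path.join(root, d)
                findings.append((path, classify_bundle(read_bundle(path))["verdict"]))
                dirs.remove(d)      # do not descend into the bundle itself
    return findings


# Constructed sample bundles (in memory only; nothing is written to disk).
SAMPLE_NORMAL = {
    "Contents/Info.plist": b"<?xml version=",
    "Contents/MacOS/Demo": bytes.fromhex("cffaedfe07000001"),  # 64-bit Mach-O header
}
SAMPLE_SUSPICIOUS = {
    "Contents/MacOS/Demo": b"#!/bin/sh\necho hello\n",          # script, no Info.plist
}

if __name__ == "__main__":
    import sys
    for app, verdict in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        print(verdict, app)
```

Run it as `python3 triage.py ~/Downloads` (or any folder where downloaded apps land); on a patched system macOS already prompts for such bundles, so the script is mainly useful for reviewing what was downloaded before the update was applied.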

How to protect yourself

The good news about this bug is that Apple has already patched it. If you’re running macOS Big Sur, update to version 11.3 immediately and your Mac will no longer be vulnerable. If you’re using Catalina, install Catalina update 2021-002. The bug does not appear to affect older versions of macOS.

Cedric Owens, the security researcher who discovered the 0-day, says that he reported the bug to Apple in late March 2021. Jamf, for its part, says that the version of Shlayer they discovered was active as early as January 2021. This means that Mac users who installed the security update this week could still have been infected before the patch was available. For this reason, you should take a moment to scan your Mac with a good malware detection and removal tool.
