fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Apple Fixes MacOS Security Flaw Behind Gatekeeper Bypass

Apple Fixes MacOS Security Flaw Behind Gatekeeper Bypass

Apple has addressed a macOS vulnerability that unsigned and unnotarized script-based apps could exploit to bypass all macOS security protection mechanisms even on fully patched systems.

If they circumvent automated notarization security checks (which scans for malicious components and code-signing issues), the applications are allowed to launch by Gatekeeper, a macOS security feature designed to verify if downloaded apps are notarized and developer-signed.

Once malicious script-based apps targeting the bypass flaw (CVE-2021-30853) are launched on a target’s system, they can be used by attackers to download and deploy second-stage malicious payloads.

Apple has addressed this vulnerability in macOS 11.6 through a security update released in September 2021 that adds improved checks.

Gatekeeper bypass with a shebang

The CVE-2021-30853 Gatekeeper bypass bug was discovered and reported to Apple by Box Offensive Security Engineer Gordon Long.

He found that specially-crafted script-based applications downloaded from the Internet would launch without showing an alert even though automatically quarantined.

The “specially-crafted” part requires creating an app that uses a script starting with a shebang (!#) character but leaving the rest of the line empty, which tells the Unix shell to run the script without specifying a shell command interpreter.

This leads to a Gatekeeper bypass because the syspolicyd daemon automatically commonly invoked by the AppleSystemPolicy kernel extension to perform security checks (signing and notarization) no longer gets triggered for inspection when launching a script without specifying an interpreter.

Basically, if the script used a shebang (!#) but did not explicitly specify an interpreter, it would bypass Gatekeeper security checks.

“The syspolicyd daemon will perform various policy checks and ultimately prevent the execution of untrusted applications, such as those that are unsigned or unnotarized,” explained security researcher Patrick Wardle.

“But, what if the AppleSystemPolicy kext decides that the syspolicyd daemon does not need to be invoked? Well then, the process is allowed! And if this decision is made incorrectly, well then, you have a lovely File Quarantine, Gatekeeper, and notarization bypass.”

As revealed by Wardle, threat actors can exploit this flaw by tricking their targets into opening a malicious app that can also be camouflaged as a benign-looking PDF document.

Such malicious payloads can be delivered on targets’ systems via many methods, including poisoned search results, fake updates, and trojaned applications downloaded from sites linking to pirated software.

macOS infection vectors
Image: Patrick Wardle

Similar bugs exploited by malware

This is not the first macOS bug fixed by Apple that would enable threat actors to completely circumvent OS security mechanisms such as Gatekeeper and File Quarantine on fully patched Macs.

In April, Apple patched a zero-day vulnerability exploited in the wild by Shlayer malware operators to bypass macOS automated security checks and deploy additional payloads on compromised Macs.

The Shlayer threat actors began targeting macOS users with unsigned and unnotarized malware that exploited the zero-day bug (tracked as CVE-2021-30657) starting with January 2021, as the Jamf Protect detection team discovered.

Microsoft also discovered a macOS vulnerability in October, dubbed Shrootless and tracked as CVE-2021-30892), that could be used to bypass System Integrity Protection (SIP) and perform arbitrary operations, elevate privileges to root, and install rootkits on compromised devices.

“A malicious application may be able to modify protected parts of the file system,” Apple said in a security advisory issued after patching the Shrootless bug.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us