Security researchers have released details about a new macOS vulnerability in Archive Utility that could be exploited to execute malicious applications in a way that bypasses Apple’s security checks.
The vulnerability, tracked as CVE-2002-32910, was discovered in macOS Monterey 12.5 by Jamf Threat Labs, an Apple device management firm. Jamf noted this new flaw “could lead to the execution of an unsigned and unnotarized application without displaying security prompts to the user, by using a specifically crafted archive” in its recent blog post.
Jamf reported its findings to Apple on May 31, 2022. Apple said it patched the issue in macOS Big Sur 11.6.8 and Monterey 12.5 in July 2022. The tech giant also revised the advisories released on October 4 to add an entry for the vulnerability.
Jamf said the problem began when its researchers found a flaw in Safari that could go around Mac endpoint security by leveraging a crafted ZIP archive vulnerability, tracked under CVE-2022-22616. After reporting this vulnerability to Apple, researchers tested other archiving features and found the macOS Archive Utility flaw.
“We discovered that creating an Apple Archive with a similar command will also result in bypassing Gatekeeper and all security checks upon execution,” Jamf noted in the post.
Although the command looks like the ZIP command that could be used to attack CVE-2022-22616, this flaw is different as it does not exist with the Bill of Materials (BOM), according to Jamf.
An Apple Archive is the company’s proprietary format that allows for multithreaded lossless compression, with files having an extension “.aar” when shown in the finder. However, the vulnerability is not limited to Apple Archives.
Jamf explained that an archive will have an extended attribute titled “com.apple.quarantine” when it is downloaded from the internet. This attribute informs macOS that the file is downloaded from a remote source and needs to be checked before it is allowed to run. When Archive Utility extracts an archive, it applies the quarantine attribute to all the extracted items to ensure that any opened executable files will be checked by Gatekeeper.
But researchers found that in certain cases, Archive Utility fails to give some of the unarchive files the quarantine attribute. Therefore, the gatekeeper cannot check the files before they run. This flaw could lead to malicious applications automatically running, without users ever getting notified.
Aaron Kiemele, chief information security officer at Jamf, told SC Media that the risk of emerging vulnerability can be reduced with a focus on the fundamentals.
“Operating systems and applications need to be patched regularly, and anti-malware software will help in those instances where a patch isn’t applied,” Kiemele said. “These two controls, effective device management and anti-malware, support each other to reduce the security and privacy risks.”