macrumors bot
Original poster

Apple today confirmed to TechCrunch that the just-released macOS 11.3 software update patches a security vulnerability that reportedly could have allowed a hacker to remotely access a user's sensitive data by tricking a user into opening a spoofed document.


"All the user would need to do is double click — and no macOS prompts or warnings are generated," said security researcher Cedric Owens, who discovered the vulnerability in mid-March, according to the report. Owens developed a proof-of-concept app masquerading as a harmless document that exploits the bug to launch the Calculator app, but he said the vulnerability could be exploited for more nefarious purposes.

According to security researcher Patrick Wardle, the vulnerability was the result of a logic bug in macOS's underlying code.

"In simple terms, macOS apps aren't a single file but a bundle of different files that the app needs to work, including a property list file that tells the application where the files it depends on are located," explains TechCrunch. "But Owens found that taking out this property file and building the bundle with a particular structure could trick macOS into opening the bundle — and running the code inside — without triggering any warnings."

In addition to fixing the bug in macOS 11.3, Apple told TechCrunch it patched earlier macOS versions to prevent abuse, and updated macOS's built-in anti-malware system XProtect to block malware from exploiting the vulnerability. The report says the bug was exploited for months, but it's unclear how many users were impacted.

Article Link: macOS 11.3 Patches Security Vulnerability That Bypassed Built-In Malware Protections
 
Owens developed a proof-of-concept app masquerading as a harmless document that exploits the bug to launch the Calculator app, but he said the vulnerability could be exploited for more nefarious purposes.

"The report says the bug was exploited for months, but it's unclear how many users were impacted."

This is why the Mac App Store should remain closed, walled and protected... oh, wait...
 
This is why the Mac App Store should remain closed, walled and protected... oh, wait...
If it were not, it would remain unpatched, especially for older versions. When a nasty attack came for Android a few years back, their solution was just to discontinue support for all but the most recent version. That was problematic because, unlike Apple users, 85-90% of whom are on the latest version within 6-8 months, 80% of Google users were on older versions that were less than 2 years old (or older) and suddenly unsupported.

In Google’s defense, the Wild West is nearly impossible to manage for all the threats, so they were doing the best they could.
 
This is why the Mac App Store should remain closed, walled and protected... oh, wait...
And the solution is to......remove the store and the protective systems in place? There will always be bad things that slip through. The only....ONLY way to achieve a 100% secure system is if the Apple App Review process takes months. Have Apple developers look through your code and REALLY test it. But would developers like this?

There are still murders, robberies and other criminal acts. Does that mean the police do nothing?
 
The report confirms that XProtect has been updated as part of 11.3, but I can't find the xprotect.plist AND I see the latest definitions are still showing 16th April. Has something gone wrong? Any others with this experience?
 
This is why the Mac App Store should remain closed, walled and protected... oh, wait...
This was exploiting something that would never have been allowed in the App Store so your whole point is negated. This exploits a bug when an installer package (.pkg) application folder (.app) only contains a Unix shell script.
 
Well, Apple definitely wasn’t protecting customers when they introduced this vulnerability.

There‘s a good write up of the disastrous security flaw here.
You make it seem like this was intentional. It was not, and every company has security vulnerabilities. If you want to see a company's true commitment to security, check to see if they have a bug bounty program for independent researchers who can report these vulnerabilities responsibly before malicious actors use them. Apple has had a bug bounty program for all of their platforms for some time now, and is rolling out specialized devices to assist third-party researchers in finding bugs in their code.

It's an intellectual disservice to act as if one vulnerability is an indication of a company's competence. Either that, or they have a lack of education about the state of the security industry.
 
You make it seem like this was intentional. It was not, and every company has security vulnerabilities. If you want to see a company's true commitment to security, check to see if they have a bug bounty program for independent researchers who can report these vulnerabilities responsibly before malicious actors use them. Apple has had a bug bounty program for all of their platforms for some time now, and is rolling out specialized devices to assist third-party researchers in finding bugs in their code.

It's an intellectual disservice to act as if one vulnerability is an indication of a company's competence. Either that, or they have a lack of education about the state of the security industry.

What a ridiculous thing to say. Of course it wasn't an intentional flaw. Where do you read anything that suggests this was the case? This was a particularly severe and hopelessly incompetent regression error. A real howler. About as bad a security stinker as you could possibly imagine.
 
What a ridiculous thing to say. Of course it wasn't an intentional flaw. Where do you read anything that suggests this was the case? This was a particularly severe and hopelessly incompetent regression error. A real howler. About as bad a security stinker as you could possibly imagine.
That's a very dramatic assessment. The blog you linked is also exaggerating the impact of the vulnerability.

Let's analyze exactly what this bug is. It is a Gatekeeper Bypass, which allows unsigned and unnotarized applications to run. That's a useful vulnerability, but it also is not the keys to the kingdom.

This vulnerability:

Does not elevate privileges. Exploit code runs with the same security context as the exploited user, which severely mitigates the potential damage it can cause.
Is a local attack vector, meaning that the attack must take place by a local user running the exploit either knowingly or unknowingly.
Requires user interaction, as implied above.

Officially, this CVE is still in a reserved state. That means we don't have access to an official scoring yet. However, using a CVSS 3.1 calculator and the above information, I calculated the following:


A CVSS Base score of 3.9 with an Overall CVSS Score of 3.6 (these numbers are out of 10, with 10 being the most severe vulnerability). This score falls in the "Low" severity range.

Specifically walking through each of these elections for the scoring:

AV: Local (self explanatory)
AC: Low, the exploit is activated by double clicking on the infected .app bundle.
PR: Low, a user needs to be authenticated, but can have any privilege level to run the exploit.
UI: A user needs to interact with the .app to run the exploit.
S: The exploit does not change the security context (privilege level).
C: Low, there are mitigating factors in the loss of confidential information (no root access).
I: Low, there are mitigating factors in the loss of system integrity (no root access).
A: None, this is not a denial of service, and root privileges would be required to shut down or reboot from exploit code without user approval.

While not shown, the Temporal Score was calculated based on:

Functional Exploit Exists
Official Fix Exists
Report is Confirmed

The Environmental score was calculated using the same elections as the Base Score Metrics.
 
That's a very dramatic assessment. The blog you linked is also exaggerating the impact of the vulnerability.

Let's analyze exactly what this bug is. It is a Gatekeeper Bypass, which allows unsigned and unnotarized applications to run. That's a useful vulnerability, but it also is not the keys to the kingdom.

This vulnerability:

Does not elevate privileges. Exploit code runs with the same security context as the exploited user, which severely mitigates the potential damage it can cause.
Is a local attack vector, meaning that the attack must take place by a local user running the exploit either knowingly or unknowingly.
Requires user interaction, as implied above.

Officially, this CVE is still in a reserved state. That means we don't have access to an official scoring yet. However, using a CVSS 3.1 calculator and the above information, I calculated the following:


A CVSS Base score of 3.9 with an Overall CVSS Score of 3.6 (these numbers are out of 10, with 10 being the most severe vulnerability). This score falls in the "Low" severity range.

Specifically walking through each of these elections for the scoring:

AV: Local (self explanatory)
AC: Low, the exploit is activated by double clicking on the infected .app bundle.
PR: Low, a user needs to be authenticated, but can have any privilege level to run the exploit.
UI: A user needs to interact with the .app to run the exploit.
S: The exploit does not change the security context (privilege level).
C: Low, there are mitigating factors in the loss of confidential information (no root access).
I: Low, there are mitigating factors in the loss of system integrity (no root access).
A: None, this is not a denial of service, and root privileges would be required to shut down or reboot from exploit code without user approval.

While not shown, the Temporal Score was calculated based on:

Functional Exploit Exists
Official Fix Exists
Report is Confirmed

The Environmental score was calculated using the same elections as the Base Score Metrics.
Your complacency is quite astonishing. You can tart things up by saying there’s a fix available, and say it’s only a teeny weeny bit dangerous because it needs a user running stuff. But anything that easily bulldozes through Gatekeeper, silently, and runs arbitrary code has to be a terrible regression. We will perhaps see the full impact in time, but there are reports this vulnerability has been actively exploited in the wild for some time.

However you dress things up, the OP comment, to which I responded, was very wide of the mark in cheerfully thanking Apple.
 
Your complacency is quite astonishing. You can tart things up by saying there’s a fix available, and say it’s only a teeny weeny bit dangerous because it needs a user running stuff. But anything that easily bulldozes through Gatekeeper, silently, and runs arbitrary code has to be a terrible regression. We will perhaps see the full impact in time, but there are reports this vulnerability has been actively exploited in the wild for some time.

However you dress things up, the OP comment, to which I responded, was very wide of the mark in cheerfully thanking Apple.
It might be wormable too. I don’t know what permissions are needed for things like AirDrop but if they are just normal user privileges then someone could send this to everyone on a local network disguised as a company PDF. Same with email for everyone in your address book. That one should definitely be possible.

This was a bad security bug. I think the assessment above is a little weak. I’m glad it’s fixed.
 