A massive bug, affecting all recent versions of macOS was actively exploited as an 0day by malware 👾🍎
Read our blog post, #100
"All Your Macs Are Belong To Us"
objective-see.com/blog/blog_0x64…
[Attached: PoC.gif] 🔥
The majority of Mac infections are "user-assisted", which Apple combats via:
✅Notarization
✅Gatekeeper
✅File Quarantine
...these have proven problematic for attackers
But oops, this bug sidesteps all, allowing unsigned (unnotarized) items to be launched ...with no alerts!😭
In this blog post, we dig deep into the bowels of macOS to uncover the root cause of the bug.
Turns out a subtle (logic) flaw in the policy subsystem is to blame!
In collaboration w/ @JamfSoftware, we uncovered the fact that attackers were *already* exploiting this flaw successfully as an 0day 😱
Shortly, they'll be posting more about their findings & analysis: "Shlayer Malware Abusing Gatekeeper Bypass On macOS": jamf.com/blog/shlayer-m…
Reversing Apple's patch in macOS 11.3, we find (as expected) an improved bundle detection algorithm in the system policy engine.
This appears to (adequately?) address the flaw 🙌
Far before Apple's patch, BlockBlock (objective-see.com/products/block…) with “Notarized Mode” enabled, would generically detect and thwart this 0day attack! 🔥
BlockBlock is 100% free and 100% open-source 🔥🔥
Also releasing a simple (PoC) Python script that queries and parses macOS's undocumented ExecPolicy database to proactively uncover exploitation! 👀
🐍 scan.py script:
objective-see.com/downloads/blog…
A big shoutout to:
Cedric Owens (@cedowens) for finding the bug!
Jamf (@JamfSoftware) for collabs that led to the discovery of malware exploiting it as an 0day!
The amazing "Friends of Objective-See" for supporting this research: @1Password / @JamfSoftware / @mosyle_biz 😍