Security researchers have detailed a recently patched vulnerability in Apple's macOS that could allow malicious applications to run without the usual warnings. The flaw, tracked as CVE-2022-32910, lies in the built-in Archive Utility, the component macOS uses to expand ZIP and other compressed archives.
The vulnerability lets an attacker craft an archive whose extracted contents bypass the security prompts that Apple's Gatekeeper would normally enforce. According to the analysis by device management vendor Jamf, a malicious, unsigned and unnotarized application delivered this way could launch without the user ever being warned, undermining one of the core protections of the platform.
Jamf reported the issue to Apple on May 31, 2022, and Apple fixed it in macOS Big Sur 11.6.8 and Monterey 12.5, both released on July 20, 2022. Apple added an entry for the flaw to the corresponding security advisories on October 4, 2022.
The root cause is a logic error in the Archive Utility that lets extracted archive contents skip the Gatekeeper check. Gatekeeper is the mechanism that ensures only trusted software runs on macOS: for downloaded applications it verifies that the code is signed by an identified developer, that the signature is intact (so the binary has not been tampered with since it was signed), and that Apple has notarized the app, meaning it was scanned for known malicious content before distribution.
Gatekeeper also protects against unintentional execution. The first time a user opens software downloaded from the internet, Gatekeeper asks for confirmation, so a download that looks like a harmless document but is actually executable code still produces a warning, a point Apple's support documentation emphasizes.
Files downloaded from the internet are normally tagged with the com.apple.quarantine extended attribute, and the presence of that attribute is what triggers the Gatekeeper check on first launch. Jamf found, however, that when the Archive Utility expands an archive containing two or more files or folders at its root, it places them in a new folder and does not apply the quarantine attribute to that folder. Because an application bundle on macOS is itself a folder, a bundle created this way is never inspected.
An attacker can abuse this by naming the archive "exploit.app.zip": extracting it yields a folder named "exploit.app" with no quarantine attribute, which macOS treats as an application bundle and allows to run without any Gatekeeper check, so an unnotarized and potentially harmful binary inside it executes unhindered. Jamf researcher Ferdous Saljooki, who found the flaw, notes that Apple addressed it with improved checks in the Archive Utility.
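The following Python script is an added example written for this page; it is not Jamf's proof of concept or Apple's code. It encodes the extraction behaviour described above as a triage rule: list an archive's root-level entries, predict whether the Archive Utility would wrap them in a folder named after the archive (assumed here to be the archive name with its ".zip" suffix removed, since the article only gives the exploit.app.zip case), and flag the case where that folder would itself be an ".app" bundle. A second function, macOS-only, walks a directory and reports .app bundles whose top-level folder lacks com.apple.quarantine using the xattr(1) tool, which is how a practitioner can confirm on an unpatched machine that the extracted bundle really carries no quarantine attribute. The two archives it builds are constructed samples, not real malware.

```python
"""Triage helper for the Archive Utility quarantine gap (CVE-2022-32910).

Added example, not code from Jamf or Apple. Assumptions (from the article):
one root entry is extracted as-is; two or more root entries are placed in a
new folder named after the archive minus ".zip", and that folder receives
no com.apple.quarantine attribute, so a "<name>.app.zip" archive yields an
unquarantined "<name>.app" bundle.
"""
from __future__ import annotations

import io
import os
import platform
import subprocess
import zipfile
from dataclasses import dataclass

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass
class Prediction:
    root_entries: list[str]      # distinct top-level names inside the archive
    wrapper_folder: str | None   # folder Archive Utility would create, or None
    suspicious: bool             # wrapper folder would itself be an .app bundle


def root_entries(zf: zipfile.ZipFile) -> list[str]:
    """Return the distinct top-level names inside the archive, in archive order."""
    seen: list[str] = []
    for info in zf.infolist():
        top = info.filename.split("/", 1)[0]
        if top and top not in seen:
            seen.append(top)
    return seen


def predict_extraction(archive_name: str, data: bytes) -> Prediction:
    """Predict where Archive Utility puts the contents of a .zip (see module doc)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        roots = root_entries(zf)
    base = os.path.basename(archive_name)
    if base.lower().endswith(".zip"):
        base = base[:-4]
    wrapper = base if len(roots) >= 2 else None
    suspicious = wrapper is not None and wrapper.lower().endswith(".app")
    return Prediction(roots, wrapper, suspicious)


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {path: content}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def has_quarantine_attr(path: str) -> bool | None:
    """True/False on macOS (via xattr(1)); None on platforms without that tool."""
    if platform.system() != "Darwin":
        return None
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    return proc.returncode == 0 and proc.stdout.strip() != ""


def find_unquarantined_bundles(root: str) -> list[str]:
    """List .app bundles under root whose bundle folder lacks the attribute (macOS only)."""
    hits: list[str] = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                full = os.path.join(dirpath, d)
                if has_quarantine_attr(full) is False:
                    hits.append(full)
                dirnames.remove(d)   # don't descend into bundles
    return hits


# Constructed samples (not real malware). The first has the shape the article
# describes: bundle contents plus a second root item, archived as exploit.app.zip.
MALICIOUS_SHAPE = build_zip({
    "Contents/Info.plist": b"<plist/>",
    "Contents/MacOS/exploit": b"#!/bin/sh\necho pwned\n",
    "README.txt": b"second root entry forces the wrapper folder\n",
})
# A normally packaged app: one root entry, extracted as-is and quarantined.
BENIGN_SHAPE = build_zip({
    "Good.app/Contents/Info.plist": b"<plist/>",
    "Good.app/Contents/MacOS/Good": b"#!/bin/sh\necho hi\n",
})

if __name__ == "__main__":
    for name, data in (("exploit.app.zip", MALICIOUS_SHAPE), ("Good.app.zip", BENIGN_SHAPE)):
        p = predict_extraction(name, data)
        print(f"{name}: roots={p.root_entries} wrapper={p.wrapper_folder} suspicious={p.suspicious}")
    if platform.system() == "Darwin":
        print("unquarantined bundles in ~/Downloads:",
              find_unquarantined_bundles(os.path.expanduser("~/Downloads")))
```

The prediction half is deliberately a heuristic: it tells you which archives in a mail gateway or download directory have the shape the bypass needs, not whether the host is vulnerable. The only real fix is the patched Archive Utility; the xattr check is a way to verify that a given machine now quarantines the wrapper folder.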
The bug is reminiscent of another Gatekeeper bypass Apple fixed earlier in 2022, which likewise allowed ZIP archives to evade Gatekeeper on versions of macOS including Catalina and Big Sur. Mapped onto the MITRE ATT&CK matrix, the realistic scenario is initial access through phishing or other social engineering that persuades the victim to download and open the archive, with the Archive Utility flaw then serving as defense evasion (subverting Gatekeeper as a trust control) so that the payload runs without the prompt that would otherwise give the user a chance to stop it.