Friday, August 7, 2020

Infecting macOS via Macro-laden Documents

Patrick Wardle (also: Lorenzo Franceschi-Bicchierai):

Here, we’ll detail the creation of a powerful exploit chain that began with CVE-2019-1457, leveraged a new sandbox escape and ended with a full bypass of Apple’s stringent notarization requirements. Triggered by simply opening a malicious (macro-laced) Office document, no alerts, prompts, nor other user interactions were required in order to persistently infect even a fully-patched macOS Catalina system!

[…]

Though one could no longer create a launch agent (due to Microsoft’s patch), I discovered that macOS had no problem allowing malicious code running in the sandbox to create a login item! Similar to launch agents, login items are automatically launched by macOS each time the user logs in … and run outside the sandbox[…]
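The persistence mechanism Wardle describes leaves a visible artifact: a login item whose target lives inside an app's sandbox container (the only place sandboxed code can write). The script below is an added example, not code from Wardle or this post; it audits the current user's login items and flags any whose path sits under `~/Library/Containers/<bundle-id>/Data/`. The trusted-path list, the container regex and the sample paths are constructed assumptions for illustration, and the live query only runs on macOS.

```python
"""Audit macOS login items and flag ones that live inside an app sandbox container.

Added example (not the original post's code). The classification heuristic,
the trusted prefixes and the sample paths are constructed assumptions.
"""
import platform
import re
import subprocess

# Locations a legitimate login item normally lives in (assumption).
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/Library/", "/usr/")

# A sandboxed app can only write inside its own container, so a login item
# whose target is under ~/Library/Containers/<bundle>/Data/ was most likely
# dropped by sandboxed code rather than installed by the user.
CONTAINER_RE = re.compile(r"^/Users/[^/]+/Library/Containers/([^/]+)/Data/")

# Constructed sample: one normal item, one dropped from an Office container,
# one in a non-standard location that deserves a manual look.
SAMPLE_LOGIN_ITEMS = [
    "/Applications/Dropbox.app",
    "/Users/alice/Library/Containers/com.microsoft.Word/Data/"
    "Library/Application Support/Microsoft/Office/launcher.app",
    "/Users/alice/Downloads/updater.app",
]


def classify_login_item(path: str) -> tuple[str, str]:
    """Return (verdict, reason) for a single login item target path."""
    match = CONTAINER_RE.match(path)
    if match:
        return "suspicious", f"lives inside the sandbox container of {match.group(1)}"
    if path.startswith(TRUSTED_PREFIXES):
        return "ok", "standard application location"
    return "review", "non-standard location"


def audit(paths: list[str]) -> list[tuple[str, str, str]]:
    """Classify every path; returns (path, verdict, reason) triples."""
    return [(p, *classify_login_item(p)) for p in paths]


def live_login_items() -> list[str]:
    """Ask System Events for the current user's login item paths (macOS only).

    osascript prints the AppleScript list comma-separated, so a target path
    that itself contains a comma would be split; good enough for an audit.
    """
    if platform.system() != "Darwin":
        return []
    script = 'tell application "System Events" to get the path of every login item'
    out = subprocess.run(["osascript", "-e", script],
                         capture_output=True, text=True, check=True).stdout
    return [p.strip() for p in out.strip().split(",") if p.strip()]


if __name__ == "__main__":
    items = live_login_items() or SAMPLE_LOGIN_ITEMS
    for path, verdict, reason in audit(items):
        print(f"[{verdict:10}] {path}  ({reason})")
```

Run it as-is on a Mac to check real login items; elsewhere it falls back to the constructed sample so the classification logic can still be exercised.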

See also: The Art Of Mac Malware (tweet).
