Archive for July 12, 2021

Monday, July 12, 2021

Gatekeeper and File Quarantine Bypass

Zack Whittaker:

Over the years, Macs have adapted to catch the most common types of malware by putting technical obstacles in their way. Indeed, macOS flags potentially malicious apps masquerading as documents that have been downloaded from the internet. And if macOS hasn’t reviewed the app — a process Apple calls notarization — or if it doesn’t recognize its developer, the app won’t be allowed to run without user intervention.

But security researcher Cedric Owens said the bug he found in mid-March bypasses those checks and allows a malicious app to run.

Owens told TechCrunch that the bug allowed him to build a potentially malicious app to look like a harmless document, which when opened bypasses macOS’ built-in defenses.

Patrick Wardle (Hacker News):

This bug trivially bypasses many core Apple security mechanisms, leaving Mac users at grave risk[…]

[…]

…and especially worrisome, turns out malware authors are already exploiting it in the wild as an 0day.

[…]

The core of the blog post digs deep into the bowels of macOS to uncover the root cause of the bug. In this section, we’ll detail the flaw which ultimately results in the misclassification of quarantined items, such as malicious applications. Such misclassified apps, even if unsigned (and unnotarized), will be allowed to run uninhibited. No alerts, no prompts, and not blocked.

[…]

Finally, we’ll wrap things up with a brief discussion on protections, most notably highlighting the fact that BlockBlock already provided sufficient protection against this 0day.

Jaron Bradley:

The details behind how the vulnerability can be abused by attackers are:

  1. An attacker manually crafts an application bundle by using a script as the main executable. (example: myapplication.app/Contents/MacOS/myapplication where “myapplication” is a bash script). For this to work, the script name must match the application name and they must not create an Info.plist file.
  2. The application can then be placed in a dmg for distribution.
  3. When the dmg is mounted and the application is double-clicked, the combination of a script-based application with no Info.plist file executes without any quarantine, signature or notarization verification. This will work on any system running macOS versions 10.15 to 11.2.

It’s fixed in macOS 11.3.
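As an added illustration that is not part of any of the quoted posts, the Python audit below looks for bundles shaped like the one in Jaron Bradley’s steps (a script as the main executable, named after the bundle, with no Info.plist) and records whether the com.apple.quarantine attribute is present on the executable. The bundle names, the Mach-O magic bytes used for the benign sample, and the fallback to the xattr(1) tool on macOS (where Python lacks os.getxattr) are my assumptions; both sample bundles are constructed in a temporary directory so the check runs offline.

```python
# Added example (not from the cited posts): audit .app bundles for the
# script-without-Info.plist shape and report quarantine status.
import os
import plistlib
import subprocess
import sys
import tempfile
from pathlib import Path

QUARANTINE_XATTR = "com.apple.quarantine"
MACHO_64_MAGIC = b"\xcf\xfa\xed\xfe"  # little-endian 64-bit Mach-O header (assumed for the sample)


def quarantine_flag(path):
    """Return the raw quarantine xattr, b"" if absent, or None when this
    platform offers no way to read it. macOS Python builds lack os.getxattr,
    so fall back to xattr(1) there."""
    if hasattr(os, "getxattr"):
        try:
            return os.getxattr(str(path), QUARANTINE_XATTR)
        except OSError:  # attribute missing, or namespace unsupported (Linux)
            return b""
    if sys.platform == "darwin":
        proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, str(path)],
                              capture_output=True, text=True)
        return proc.stdout.strip().encode() if proc.returncode == 0 else b""
    return None


def audit_app_bundle(bundle):
    """Describe how closely a bundle matches the pattern: 'suspicious' is set
    only when the main executable is a script AND Info.plist is missing."""
    bundle = Path(bundle)
    name = bundle.stem if bundle.suffix == ".app" else bundle.name
    contents = bundle / "Contents"
    main_exe = contents / "MacOS" / name
    report = {"bundle": str(bundle), "suspicious": False,
              "reasons": [], "quarantined": None}
    if not main_exe.is_file():
        report["reasons"].append("no main executable named after the bundle")
        return report
    if not (contents / "Info.plist").is_file():
        report["reasons"].append("missing Info.plist")
    with open(main_exe, "rb") as fh:
        head = fh.read(4)
    if head.startswith(b"#!"):
        report["reasons"].append("main executable is a script (shebang)")
    q = quarantine_flag(main_exe)
    report["quarantined"] = None if q is None else bool(q)
    report["suspicious"] = ("missing Info.plist" in report["reasons"] and
                            "main executable is a script (shebang)" in report["reasons"])
    return report


def build_sample_bundles(root):
    """Construct two bundles under root: one shaped like the bypass (shell
    script, no Info.plist) and one ordinary bundle (Mach-O magic + Info.plist).
    Both are constructed samples for the audit, not real applications."""
    root = Path(root)
    bad = root / "Invoice.app"
    (bad / "Contents" / "MacOS").mkdir(parents=True)
    exe = bad / "Contents" / "MacOS" / "Invoice"
    exe.write_bytes(b"#!/bin/bash\necho constructed sample\n")
    exe.chmod(0o755)

    good = root / "Notes.app"
    (good / "Contents" / "MacOS").mkdir(parents=True)
    (good / "Contents" / "MacOS" / "Notes").write_bytes(MACHO_64_MAGIC + b"\0" * 28)
    with open(good / "Contents" / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Notes",
                       "CFBundleIdentifier": "example.constructed.notes"}, fh)
    return bad, good


def demo():
    """Build the constructed samples in a temp dir and audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        bad, good = build_sample_bundles(tmp)
        return audit_app_bundle(bad), audit_app_bundle(good)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

On a real Mac you would point `audit_app_bundle` at freshly mounted disk images or the Downloads folder; a bundle that is both script-based and plist-less is the shape to look at first, and a `quarantined` value of `False` on a downloaded item is itself worth investigating, since quarantine is what Gatekeeper’s checks hang on.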

Lorenzo Franceschi-Bicchierai:

An Apple spokesperson said that the company deployed rules to detect malware abusing this bug to its anti-virus app XProtect. These rules are automatically installed in the background, meaning all MacOS devices, including those running older versions of MacOS will get this protection as well.


Dynamic Libraries Bypass Gatekeeper

Csaba Fitzl:

Patrick Wardle had a talk a couple of years ago about GK issues, which can be found here: Gatekeeper Exposed. He showed that during that time someone could bypass GK with loading a dylib external to the main application.

[…]

The problem is that an attacker can load a dylib through other means as well, using the deprecated NSCreateObjectFileImageFromMemory API.

[…]

I found this odd behavior when I wrote about screensavers for my Beyond the good ol’ LaunchAgents series. I noticed that if I place a downloaded screensaver in its location, it will be loaded without any user prompts, which was really weird as I expected GateKeeper to shout in my face.

[…]

Shared libraries, like dylibs, frameworks, plugins, etc… will be loaded by macOS without any user prompt if they were notarized. This bypasses Gatekeeper effectively as an attacker has plenty of options to get the user to drag and drop a plugin to a certain location, or drag and drop a framework to an existing application overwriting a previous one. Once the shared library is in its place it can be loaded.

Update (2021-07-15): Csaba Fitzl:

Ok, so this only works if LV is disabled. Basically this allows you to “install” any system plugin like screensaver, colorpickers, etc… without prompting the user. This is just 1 option but you can get really creative.

This is referring to the com.apple.security.cs.disable-library-validation entitlement. Screensaver plug-ins, at least, are sandboxed, though they can access the network.


Apple’s Camera Design Choices

System Plus Consulting (PDF, via Hacker News):

This report aims to offer insight into the physical and cost evolution of the camera modules and CMOS image sensors in the last six years of Apple flagship smartphones.

The analysis covers the rear and front-facing RGB camera modules as well as the front-facing Near Infrared (NIR) module. This includes the complete structure, design, and all components of the camera modules. It covers the dimensions, technology nodes and stacking technology in the CMOS image sensors.

[…]

All rear sensors have 12 megapixels (Mp) despite the trend among other leading OEMs to go as high as 108 Mp. This has allowed Apple to sometimes retain image sensors between iPhone generations while improving camera performance from module upgrades and algorithm tweaks.

Update (2021-07-15): Rob Jonson:

DXOMARK have a shootout amongst their top scoring cameras. The winner in the zoom category is the Samsung using a dedicated 64MP tele lens.

It’s a pretty clear win.

States v. Google Play Store

Jon Porter (Hacker News, MacRumors):

Google used anticompetitive practices in an attempt to “preemptively quash” Samsung’s Galaxy Store, and prevent it from becoming a viable competitor to its own Play Store. That’s according to an antitrust lawsuit filed by a coalition of three dozen state attorneys general, which accuses Google of illegally attempting to control app distribution on Android. The suit also alleges Google paid off app developers to stop them circumventing its store.

The allegations challenge one of Google’s core defenses of its policies, which is that unlike Apple’s iOS rules, Android allows both competing app stores and side-loading apps directly. The lawsuit is effectively claiming that this openness is a facade, because while customers technically have the choice of where to get their apps from, Google’s business practices have prevented a viable app store competitor from emerging.

Makena Kelly and Russell Brandom:

The lawsuit, filed by 36 states and Washington, DC, in California federal court, challenges Google’s policy forcing Google Play app developers to pay a 30 percent commission fee on sales made through the app. Google recently expanded the fees to cover more digital goods purchased on the Play Store, taking particular aim at a number of prominent apps that had previously been able to sidestep the tax. The full complaint, which you can view here or at the bottom of this article, lists the defendants as Google, Alphabet, and subsidiaries in Ireland and Asia.

Dieter Bohn:

Pre-installing apps and not allowing companies or users to delete them is a classic carrier move.

Later this year, streaming apps will have to offer Google in-app purchases. If they don’t, they’re disallowed from even hinting that there are other ways to subscribe outside the Play Store.

Just like on iOS.

Florian Mueller:

The fact that Epic’s and the class-action plaintiffs’ complaints are going to be amended, while 36 states take action as well (and in the same district, the Northern District of California), makes it likely that Judge Donato will consolidate all of those cases pretty soon. And then Google will have to take on not only Epic Games and the class-action plaintiffs but also 36 states at the motion-to-dismiss stage.

[…]

The damage that Google has been doing and continues to do to customer choice, competition, and innovation with its Google Play terms and policies becomes clearer and clearer. For example, the state AGs note that Google even tried to bully Samsung into giving up its Galaxy Store in the sense of just allowing Samsung to let it look like a Galaxy Store, while actually letting Google run it all (including in-app payments, of course). If Samsung had agreed to that “white-label” approach, Samsung’s customers wouldn’t have access to Fortnite now after Google threw it out of the Google Play Store last summer.

Dieter Bohn:

Here’s Google’s initial response to the lawsuit in blogpost form. It’s a classic in the “we are confused this is so strange why is anybody mad?” genre.
