On Monday, researchers from the Microsoft 365 Defender Research Team released details on CVE-2022-42821, a vulnerability that Apple patched on 13 December. Dubbed “Achilles,” the exploit would enable malware to bypass Gatekeeper, Apple’s mechanism for checking downloaded software for a valid certificate and for known malware. This is not the first Gatekeeper bypass; six such vulnerabilities have been disclosed since 2014. Like half of the previous Gatekeeper bypasses, this one works by interfering with the assignment of the quarantine extended attribute, so Gatekeeper is never triggered. More specifically, CVE-2022-42821 abuses an older compatibility mechanism called AppleDouble to apply an Access Control List (ACL) that prevents applications from writing the quarantine attribute to the file.
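A defender's triage check for the mechanism described above, written here as an added example (it is not code from Microsoft, Apple, or the original report): it parses the output of macOS `ls -le@` (long listing with ACL entries and extended-attribute names) and flags files that lack `com.apple.quarantine` while carrying an ACL entry that denies `writeextattr`, the permission an application needs in order to set the quarantine attribute. The sample listing is constructed, and the exact ACL wording that Achilles plants is an assumption; the page only states that an ACL blocks quarantine-attribute writes.

```python
import re
from dataclasses import dataclass, field

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class Entry:
    """One file or directory from an `ls -le@` listing."""
    name: str
    xattrs: list = field(default_factory=list)  # extended attribute names
    acl: list = field(default_factory=list)     # ACL entry text, e.g. "everyone deny writeextattr"


# A file line: mode (+ optional '@' or '+' marker), links, owner, group, size, date, name.
FILE_LINE = re.compile(
    r"^[-dl][rwxsStT-]{9}[@+]?\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$"
)
# ACL continuation line printed by -e:  " 0: everyone deny writeextattr"
ACL_LINE = re.compile(r"^\s*\d+:\s+(.+?)\s*$")
# Extended-attribute continuation line printed by -@: "\tcom.apple.quarantine\t  57 "
XATTR_LINE = re.compile(r"^\s+(\S+)\s+\d+\s*$")


def parse_ls_output(text):
    """Group `ls -le@` output into Entry objects with their xattrs and ACL entries."""
    entries = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FILE_LINE.match(line)
        if m:
            current = Entry(name=m.group(1))
            entries.append(current)
            continue
        if current is None:
            continue  # header or unrelated text before the first file line
        m = ACL_LINE.match(line)
        if m:
            current.acl.append(m.group(1))
            continue
        m = XATTR_LINE.match(line)
        if m:
            current.xattrs.append(m.group(1))
    return entries


def denies_xattr_writes(ace):
    """True for an ACL entry that denies writing extended attributes."""
    words = ace.split()
    return "deny" in words and any("writeextattr" in w for w in words)


def classify(entry):
    """Return 'quarantined', 'unquarantined', or 'achilles-like' for one entry."""
    quarantined = QUARANTINE_XATTR in entry.xattrs
    blocked = any(denies_xattr_writes(ace) for ace in entry.acl)
    if quarantined:
        return "quarantined"
    if blocked:
        # Missing quarantine flag *and* an ACL that stops it being written:
        # the combination the Achilles technique produces on a fresh download.
        return "achilles-like"
    return "unquarantined"


def scan(text):
    """Map each file name in the listing to its classification."""
    return {e.name: classify(e) for e in parse_ls_output(text)}


# Constructed sample listing in `ls -le@` format (not captured from a real host).
SAMPLE_LS_OUTPUT = (
    "-rw-r--r--@ 1 alice  staff  4096 Dec 13 10:02 report.pdf\n"
    "\tcom.apple.quarantine\t  57 \n"
    "drwxr-xr-x+ 3 alice  staff    96 Dec 13 10:03 Installer.app\n"
    " 0: everyone deny writeextattr\n"
    "-rw-r--r--  1 alice  staff   512 Dec 13 10:04 notes.txt\n"
)

if __name__ == "__main__":
    for name, status in scan(SAMPLE_LS_OUTPUT).items():
        print(f"{status:15} {name}")
```

In practice the listing would come from `ls -le@ ~/Downloads` on the host under review; an `achilles-like` result on a freshly downloaded archive's contents is a strong signal to inspect the file before anyone opens it, while `unquarantined` alone is common for locally built files and is not, by itself, suspicious.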
Companies should strive to patch macOS devices as soon as their change management allows. Exploitation of this vulnerability is not particularly involved, according to Microsoft’s reporting, so malware packaged to use Achilles could surface very soon. Additionally, malware leveraging Achilles would not be prevented by Lockdown Mode, Apple’s optional protection feature for stopping zero-click code execution, since the attack still relies on the end user opening the malicious file, the very action Gatekeeper is meant to check.