Apple has plugged a security flaw in macOS, more specifically in Gatekeeper. The vulnerability was discovered by Microsoft engineers. It carries the identifier CVE-2022-42821 and has been nicknamed Achilles.
The flaw was fixed in macOS Ventura, macOS 12.6.2 and macOS 11.7.2; Apple has been distributing the updates for the past week.
Gatekeeper is a macOS security feature that automatically checks that every application downloaded from the Internet is signed by a certified developer and approved by Apple, then either asks the user to confirm before launching it or shows an alert saying that the application is not trusted. To do this, the system relies on an extended attribute named com.apple.quarantine, which web browsers assign to every downloaded file.
The flaw lets a payload set restrictive Access Control List (ACL) permissions that prevent web browsers from setting the com.apple.quarantine attribute when the payload is downloaded as a ZIP file. As a result, the malicious application contained in the archive launches on the target’s system instead of being blocked by Gatekeeper, letting attackers download and execute malware.
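A triage check for the condition described above, written here as an added example (not code from the article or from Apple or Microsoft): it parses `ls -le` output, where a `+` after the mode bits marks a file with an ACL and the indented `N:` lines are its entries, and flags files whose ACL denies `writeextattr` but which carry no com.apple.quarantine attribute. The sample listing and attribute map are constructed; `live_audit` assumes a macOS host with the `ls -le` and `xattr` commands.

```python
import re
import subprocess
from pathlib import Path

# Constructed sample of `ls -le` output on macOS (format assumed as on macOS 13):
# a '+' after the mode bits marks an ACL, and the indented " N: ..." lines are its entries.
SAMPLE_LS = """\
-rw-r--r--@ 1 alice  staff  1024 Dec 20 10:00 notes.pdf
-rwxr-xr-x+ 1 alice  staff  2048 Dec 20 10:01 Installer.app
 0: group:everyone deny writeattr,writeextattr,writesecurity
"""
# Constructed: the extended attributes each file actually carries.
SAMPLE_XATTRS = {"notes.pdf": ["com.apple.quarantine"], "Installer.app": []}

ENTRY_RE = re.compile(r"^\s+\d+: (?P<who>\S+) (?P<kind>allow|deny) (?P<perms>\S+)$")

def parse_ls_acl(text):
    """Map file name -> list of (who, allow|deny, {perms}) parsed from `ls -le` output."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and current is not None:
            acls[current].append((m["who"], m["kind"], set(m["perms"].split(","))))
            continue
        fields = line.split(None, 8)          # name is the 9th field, spaces preserved
        if len(fields) == 9 and fields[0][0] in "-dl":
            current = fields[8]
            acls[current] = []
    return acls

def flag_suspicious(acls, xattrs):
    """Files whose ACL denies writing extended attributes and that lack the quarantine flag."""
    findings = []
    for name, entries in acls.items():
        denies_xattr = any(k == "deny" and "writeextattr" in p for _, k, p in entries)
        quarantined = "com.apple.quarantine" in xattrs.get(name, [])
        if denies_xattr and not quarantined:
            findings.append(name)
    return findings

def live_audit(directory):
    """Run the same check against a real directory on macOS (needs `ls -le` and `xattr`)."""
    ls_out = subprocess.run(["ls", "-le", directory], capture_output=True, text=True, check=True).stdout
    acls = parse_ls_acl(ls_out)
    xattrs = {n: subprocess.run(["xattr", str(Path(directory, n))],
                                capture_output=True, text=True).stdout.split() for n in acls}
    return flag_suspicious(acls, xattrs)

if __name__ == "__main__":
    print(flag_suspicious(parse_ls_acl(SAMPLE_LS), SAMPLE_XATTRS))
```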
Note that macOS Ventura includes Lockdown Mode, which according to Apple offers “an extremely high level of protection”. The problem is that this mode was not enough to block the flaw. Installing the updates (the latest being macOS 13.1) is therefore recommended in order to get the fix.