Microsoft has just published an article on a flaw discovered in different versions of macOS, named Achilles. It was recently fixed with the latest macOS Ventura, Monterey (12.6.2) and Big Sur (11.7.2) updates.
A flaw linked to A/UX, the first Apple Unix
The CVE-2022-48281 flaw (hence Achilles) was discovered at the end of July 2022 and makes it possible to bypass some of the protections linked to Gatekeeper. It is based on fairly old Apple technologies, dating back to A/UX, Apple’s first UNIX.
Shoebill: an emulator to run A/UX
In Apple file systems (HFS, HFS+ and now APFS) there is metadata (to put it simply, data about data) used by the operating system to manage certain functions (position in Finder, icon, etc.). With the release of A/UX, a UNIX for 68K Macintoshes, Apple defined two methods (AppleSingle and AppleDouble) to support file systems that do not support this advanced metadata. This solution still exists in 2022: these are the files whose names start with ._ which you can see on FAT-formatted USB drives or network shares. macOS normally hides the files in question, but some OSes show them anyway.
Now let’s talk about Gatekeeper. If you download a program from the Internet, macOS will place a file, com.apple.quarantine, to indicate its origin and display a warning message. The idea of the Achilles flaw is to prevent the creation of this file, thus avoiding the warning message. The first attempts were not successful, but by looking in detail at how the AppleDouble technology works, researchers at Microsoft found a solution.
The details are in the article, but the idea is simple: set permissions that prevent Safari from creating the file. In UNIX systems (like macOS), each file is tied to permissions, which dictate what the user (in the UNIX sense of the term, not the person behind the screen) can do. By manually modifying the information related to AppleDouble, it became possible, before the fix, to create a file which (once unzipped) prevented the com.apple.quarantine file from being created. Microsoft released a video demonstrating the problem.
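To see what metadata an AppleDouble ._ sidecar actually declares before trusting an extracted archive, here is an added Python example (not code from Microsoft's write-up or from Apple) that parses the AppleDouble header and lists the extended-attribute names carried in its Finder-info entry, where macOS stores things like com.apple.quarantine. It assumes the AppleDouble version 2 layout and the "ATTR" block layout of Darwin's attr_header_t/attr_entry_t structures; the sample blob is constructed inline, not taken from a real disk.

```python
import struct

AD_MAGIC, AD_VERSION = 0x00051607, 0x00020000
FINDER_INFO_ENTRY = 9   # macOS appends its extended-attribute block to this entry
ENTRY_KINDS = {1: "data fork", 2: "resource fork", 3: "real name",
               8: "file dates", 9: "Finder info", 10: "Macintosh file info"}

def parse_appledouble(blob: bytes):
    """Return (entry ids, xattr names) declared by an AppleDouble ._ sidecar."""
    magic, version, count = struct.unpack_from(">II16xH", blob, 0)
    if (magic, version) != (AD_MAGIC, AD_VERSION):
        raise ValueError("not an AppleDouble version 2 file")
    # Entry table: (entry id, offset from file start, length), 12 bytes each.
    entries = [struct.unpack_from(">III", blob, 26 + 12 * i) for i in range(count)]
    names = []
    for eid, off, length in entries:
        if eid != FINDER_INFO_ENTRY:
            continue
        # Assumption: the 'ATTR' header (Darwin attr_header_t) follows the 32-byte
        # Finder info plus padding; scanning for the magic avoids hard-coding that.
        pos = blob.find(b"ATTR", off, off + length)
        if pos < 0:
            continue
        (num_attrs,) = struct.unpack_from(">H", blob, pos + 34)
        cur = pos + 36                      # first attr_entry_t after the header
        for _ in range(num_attrs):
            # attr_entry_t: offset(4) length(4) flags(2) namelen(1) name[namelen]
            namelen = struct.unpack_from(">IIHB", blob, cur)[3]
            names.append(blob[cur + 11:cur + 11 + namelen].rstrip(b"\0").decode())
            cur += (11 + namelen + 3) & ~3   # entries are padded to 4 bytes
    return [e[0] for e in entries], names

def build_sample(xattr_names):
    """Constructed test blob (not from a real disk): Finder info + empty resource fork."""
    attr_entries = b""
    for n in xattr_names:
        nb = n.encode() + b"\0"
        ent = struct.pack(">IIHB", 0, 0, 0, len(nb)) + nb   # data offsets zeroed
        attr_entries += ent + b"\0" * (-len(ent) % 4)
    attr_hdr = (b"ATTR" + struct.pack(">IIII", 0, 0, 0, 0) + b"\0" * 12
                + struct.pack(">HH", 0, len(xattr_names)))
    finder = b"\0" * 34 + attr_hdr + attr_entries
    finder_off = 26 + 12 * 2
    head = struct.pack(">II16xH", AD_MAGIC, AD_VERSION, 2)
    head += struct.pack(">III", FINDER_INFO_ENTRY, finder_off, len(finder))
    head += struct.pack(">III", 2, finder_off + len(finder), 0)
    return head + finder

if __name__ == "__main__":
    ids, xattrs = parse_appledouble(build_sample(["com.apple.quarantine"]))
    print([ENTRY_KINDS.get(i, i) for i in ids], xattrs)
```

Pointing parse_appledouble at a real ._ file from a network share or an unzipped archive shows which attributes the sidecar would apply to its companion file.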
The flaw did not bypass all the measures related to Gatekeeper: the modified program still had to be signed and notarized to be launched without a warning message.