Security & Privacy + Security News

Microsoft discovers new Gatekeeper bypass; Apple updates past security advisories

Posted on December 22nd, 2022 by

Last week, on December 13, Apple released security updates for all of its currently supported operating systems, including all three recent versions of macOS. In total, at that time Apple named 36 vulnerabilities that it had patched in macOS Ventura, of which 23 were patched for macOS Monterey, and 20 for macOS Big Sur.

But earlier this week, and again as recently as this morning, new details have come to light about what was patched in these updates, as well as other previous Apple updates. Here’s the full story—including details you won’t find anywhere else.

In this article:

Timeline of events

  • July 27 – Microsoft discovers new Gatekeeper bypass vulnerability; Apple later names it “CVE-2022-42821”
  • Late July – Microsoft develops Achilles proof-of-concept exploit and reports vulnerability to Apple
  • October 24 – Apple patches vulnerability, but only for macOS Ventura 13.0, and makes no public mention of it
  • December 13 – Apple patches vulnerability for macOS Monterey and Big Sur, and updates Ventura 13.0’s release notes to reveal it was patched previously
  • December 19 – Microsoft publishes full details of its discovery of CVE-2022-42821 and development of Achilles PoC exploit
  • December 22 – Apple adds additional (unrelated) vulnerability disclosures to release notes for macOS Ventura 13.0 and various software updates from December 13

Microsoft discovers new Gatekeeper bypass vulnerability

One of the vulnerabilities that was patched in both macOS Monterey 12.6.2 and macOS Big Sur 11.7.2 last week had been silently patched in macOS Ventura 13 nearly two months earlier:

BOM
Impact: An app may bypass Gatekeeper checks
Description: A logic issue was addressed with improved checks.
CVE-2022-42821: Jonathan Bar Or of Microsoft

In a new Microsoft report released on December 19, Jonathan Bar Or revealed that Microsoft had discovered the vulnerability back on July 27, and shared it with Apple the same month.

If a malicious app were to leverage this vulnerability, it could potentially bypass Apple’s Gatekeeper technology. Gatekeeper is supposed to prevent Mac malware and other untrusted software from being able to run.

Microsoft says that it developed a proof-of-concept exploit dubbed “Achilles” to test the vulnerability.

This is not the first time that a Gatekeeper-bypass vulnerability has been discovered. Microsoft shared examples of half a dozen other such vulnerabilities that have been patched in recent years, including another from earlier in 2022, and three from 2021. We’ve previously covered various other Gatekeeper bypasses on The Mac Security Blog.

Microsoft also noted that macOS Ventura’s optional new Lockdown Mode feature does not prevent the exploitation of this vulnerability.

The vulnerability’s discovery was inspired by reconsidering a past Gatekeeper bypass that Apple fixed in 2021. The new vulnerability leverages the persistence of file metadata using AppleDouble files, which are usually named with a “._” (dot-underscore) prefix and are hidden in the Finder by default, and Access Control Lists (ACLs).

The relative triviality of circumventing built-in security features in macOS is a sobering reminder of why it’s important to use additional Mac protection software from a trusted developer like Intego.

The full technical details of the Gatekeeper bypass vulnerability can be found in Microsoft’s report.

Apple updates security advisory for macOS Ventura 13.0

Interestingly, Apple had not previously disclosed the existence of the Gatekeeper bypass vulnerability patch in the original release of macOS Ventura on October 24. Instead, Apple opted to patch it silently at the time—without any publicly acknowledgment. (As a reminder, it’s virtually always safest to run the current major macOS version.) Apple sometimes chooses to delay disclosing the fact that a vulnerability has been patched, particularly if the same vulnerability affects other operating systems that may not be patched until a later date. On December 13, Apple finally revised its existing macOS Ventura 13 security update release notes to add an entry about the vulnerability.

In reviewing those release notes this morning (December 22), Intego noticed that Apple had just added four additional vulnerabilities to macOS Ventura 13.0’s security release notes today, disclosing that these vulnerabilities were also patched in Ventura’s initial release nearly two months ago on October 24:

CoreMedia
Impact: A camera extension may be able to continue receiving video after the app which activated was closed
Description: An issue with app access to camera data was addressed with improved logic.
CVE-2022-42838: Halle Winkler (@hallewinkler) of Politepix

 

GPU Drivers
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2022-42833: Pan ZhenPeng (@Peterpan0927)

 

WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.
WebKit Bugzilla: 246669
CVE-2022-42826: Francisco Alonso (@revskills)

 

WebKit Storage
Impact: An app may be able to bypass Privacy preferences
Description: The issue was addressed with improved handling of caches.
CVE-2022-32833: Csaba Fitzl (@theevilbit) of Offensive Security, Jeff Johnson

This is the fifth time that Apple has retroactively added additional vulnerability disclosures to the macOS Ventura 13 security release notes in less than two months. After initially releasing the notes on October 24, Apple has quietly added entries on October 25, October 27, November 9, December 13, and December 22.

Apple updates security advisories for December 13 updates

Apple also added additional vulnerability disclosures on December 22 to the release notes for several of the software updates released on December 13 that Intego covered here on The Mac Security Blog last week. Specifically, Apple added new entries to the security release notes for macOS Ventura 13.1, macOS Monterey 12.6.2, macOS Big Sur 11.7.2, Safari 16.2 for Monterey and Big Sur, and iOS 16.2 and iPadOS 16.2. The vulnerabilities are as follows:

PackageKit
Impact: An app may be able to modify protected parts of the file system
Description: A logic issue was addressed with improved state management.
CVE-2022-46704: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of Offensive Security

 

WebKit
Impact: Visiting a malicious website may lead to address bar spoofing
Description: A spoofing issue existed in the handling of URLs. This issue was addressed with improved input validation.
CVE-2022-46705: Hyeon Park (@tree_segment) of ApplePIE

The PackageKit vulnerability was addressed in all three versions of macOS. The WebKit vulnerability was addressed for all macOS versions as well (directly in the Ventura 13.1 update, and via the Safari 16.2 update for Monterey and Big Sur), and was also addressed in iOS 16.2 and iPadOS 16.2.

Additionally, Apple added a new entry to the iPadOS 16.2 release notes the morning of December 22 to confirm that an “actively exploited” vulnerability had, in fact, been addressed for iPads, as we speculated about in our article last week. Prior to the December 13 updates, Apple had issued an emergency patch exclusively for iPhones, namely iOS 16.1.2, on November 30, without a corresponding patch for iPads or other Apple devices at the time. Users of Macs, iPads, and Apple TVs had to wait almost an additional two weeks for the same patch:

WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.
Description: A type confusion issue was addressed with improved state handling.
CVE-2022-42856: Clément Lecigne of Google’s Threat Analysis Group

It still remains unclear whether the vulnerability may have been applicable to, or silently patched in, watchOS 9.2 or iCloud for Windows 14.1. Apple patched other WebKit vulnerabilities in both of these software updates on December 13, but did not specify whether CVE-2022-42856 was applicable to, or patched in, those updates.

If CVE-2022-42856 does impact watchOS 9, then it likely also impacts watchOS 8, which hasn’t been patched since August 17. Several vulnerabilities (at least two of which were actively exploited) remain unpatched for the Apple Watch Series 3, the lone model that cannot upgrade from watchOS 8 to 9. This is significant because Apple still sells the Apple Watch Series 3 (as a Certified Refurbished product) in its online store, in spite of its incompatibility with watchOS 9. Apple’s refurbished Series 3 sells for a whopping $369—which is more expensive than, and vastly technologically inferior to, the Apple Watch SE model released this year which starts at $249 and can run the latest watchOS. Furthermore, Apple’s refurb Series 3 costs nearly as much as the five-generations-newer Series 8, which starts at $399 brand new.

Apple has not responded to our requests for comment about the applicability or patch status of CVE-2022-42856 to watchOS 9, watchOS 8, or iCloud for Windows. We are also still awaiting any response from Apple regarding whether it plans to release further security updates for watchOS 8 for the Apple Watch Series 3 that it still sells.

How can I learn more?

For additional details about the Gatekeeper bypass vulnerability, see Microsoft’s write-up. You can also read our previous article covering other vulnerabilities that Apple patched on December 13.

Apple releases macOS Ventura 13.1, iOS 16.2, and more; fixes zero-day vuln

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

We talked about Apple’s latest operating system updates on episode 271:

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher, writer, and public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 20 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on Twitter. View all posts by Joshua Long →