macOS had a vulnerability that Lockdown Mode wouldn't defeat

Lockdown Mode enhances iPhone security well beyond what regular users need

Following Apple's patching of the issue, Microsoft has revealed it discovered a way to bypass Gatekeeper in macOS and run malware, one that even Lockdown Mode would not have stopped.

The vulnerability, called "Achilles" by Microsoft and now CVE-2022-42821 by Apple, was discovered in July 2022 and reported to Apple. In a blog post about the issue, Microsoft says that "fixes for the vulnerability... were quickly released by Apple," though it appears these updates were not issued until December 13, 2022.

Jonathan Bar Or of the Microsoft 365 Defender Research Team writes in the blog post that "Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple's Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices."

"We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call 'Achilles'," he continued. "Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS."

Microsoft goes into detail about the team's discovery and the method of access that attackers could have used if the vulnerability had not been patched. Significantly, though, the company also warns that Apple's new Lockdown Mode would not have prevented such an attack.

"We note that Apple's Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles," said Microsoft in the post.

"End-users should apply the fix regardless of their Lockdown Mode status," concludes Microsoft. "We thank Apple for the collaboration in addressing this issue."

How Gatekeeper protects users

Apple's Gatekeeper is the security feature that alerts users when they launch an app that is not from the App Store, is "from an unidentified developer," or is "from the internet." Despite the protection it gives users, Gatekeeper has been found to have flaws before, including in October 2022 and May 2019.

Coincidentally, Lockdown Mode was unveiled in July 2022, the same month that Microsoft discovered the new vulnerability. Intended as an optional and extreme protection system for users facing "grave, targeted threats to their digital security," it deliberately and severely limits system functionality.

8 Comments

bloggerblog 16 Years · 2520 comments

That's what happens when you're handed a bleeping gag order for backdoors

auxio 19 Years · 2766 comments

...and in related news for consideration: 10 Apple Privacy Problems That Might Surprise You

https://www.msn.com/en-us/news/technology/10-apple-privacy-problems-that-might-surprise-you/ss-AA150PHp#image=1

And they hide it behind a click-wall. :D  The companies who live off of data harvesting are trying so hard to convince everyone that Apple is the same as them. How about they start by laying bare all the ways they harvest data and what it's used for, then compare to Apple? They wouldn't dare lift the curtain like that.

FileMakerFeller 6 Years · 1561 comments

That's a really clever exploit. Well done to the research team.

macxpress 16 Years · 5913 comments

As much as we may not like Google or Microsoft, it's nice to see they see and report this stuff to Apple. Nothing is 100% foolproof and never will be. It's also nice to see Apple fixing these issues ASAP. Maybe not in the next update if it's too far into development, but usually within the next update.