macOS had a vulnerability that Lockdown Mode wouldn't defeat
William GallagherLockdown Mode enhances iPhone security well beyond what regular users need
Following Apple's patching of the issue, Microsoft has revealed it discovered a way to bypass Gatekeeper in macOS, and even Lockdown Mode to run malware.
The vulnerability, called "Achilles" by Microsoft and now CVE-2022-42821 by Apple, was discovered in July 2022 and reported to Apple. In a blog post about the issue, Microsoft says that "fixes for the vulnerability... were quickly released by Apple," though it appears these updates were not issued until December 13, 2022.
Jonathan Bar Or of the Microsoft 365 Defender Research Team in the blog post that "Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple's Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices."
"We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call 'Achilles'," he continued. "Gatekeeper bypasses such as this could be leveraged as a vector for initial access by malware and other threats and could help increase the success rate of malicious campaigns and attacks on macOS."
Microsoft goes into detail about the team's discovery and the method of access that attackers could have used if the vulnerability had not been patched. Significantly, though, the company also warns that Apple's new Lockdown Mode would not have prevented such an attack.
"We note that Apple's Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles," said Microsoft in the post.
"End-users should apply the fix regardless of their Lockdown Mode status," concludes Microsoft. "We thank Apple for the collaboration in addressing this issue."
How Gatekeeper protects users
Apple's Gatekeeper is the security feature that alerts users when they launch an app that is not from the App Store, is "from an unidentified developer," or is "from the internet." Despite the protection it gives users, Gatekeeper has been found to have flaws before, including in October 2022, and May 2019.
Coincidentally, Lockdown Mode was unveiled in July 2022, the same month that Microsoft discovered the new vulnerability. Intended as an optional and extreme protection system for users facing "grave, targeted threats to their digital security," it deliberately severely limits system functionality.
Marko Zivkovic
Amber Neely
Christine McKee
Malcolm Owen
Mike Wuerthele and Malcolm Owen
