
Apple has patched a nasty macOS bug that could have allowed malicious applications to circumvent the operating system's built-in security protections.
The vulnerability could allow a specially crafted, script-based application to be launched on a Mac device without Gatekeeper (an antivirus service that verifies the authenticity of all downloaded apps) ever triggering an alarm.
For the app to work, it would need to use a script whose first line is a shebang (#!) with the rest of the line empty, so that no interpreter is named. Because the script specifies no command interpreter, the Unix shell falls back to running the script itself.
The syspolicyd daemon performs various policy checks and ultimately prevents the execution of untrusted applications, such as those that are unsigned or unnotarized.
The AppleSystemPolicy kernel extension decides whether the syspolicyd daemon is invoked at all. If it decides not to, the process is allowed to run, and if that decision is made incorrectly, well then, you have a lovely File Quarantine, Gatekeeper, and notarization bypass.
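The trigger described above is a script whose shebang line names no interpreter. The following is an added example, not code from the article or from Apple, showing how a defender could scan a set of downloaded files for exactly that indicator. The sample files it writes to a temporary directory are constructed for the demonstration; the function names and the regular expression are the example's own.

```python
"""Flag scripts whose shebang line names no interpreter.

Added example (not from the article). A file whose first line is just "#!",
optionally followed by whitespace, tells the kernel nothing about which
interpreter to use: execve() fails with ENOEXEC and an interactive shell
falls back to running the file itself. The article describes a Gatekeeper
bypass built on such files, so a scan of downloads for them is a cheap
detection check. All sample files below are constructed inline.
"""
import os
import re
import tempfile
from pathlib import Path

# "#!" followed only by horizontal whitespace up to the end of the line.
_EMPTY_SHEBANG = re.compile(rb"^#![ \t]*$")


def has_empty_shebang(path: Path) -> bool:
    """Return True if the file's first line is a shebang with no interpreter."""
    with open(path, "rb") as f:
        first_line = f.readline().rstrip(b"\r\n")
    return bool(_EMPTY_SHEBANG.match(first_line))


def scan_tree(root: Path):
    """Walk a directory (e.g. an unpacked .app bundle or a Downloads folder)
    and return every regular file that carries an empty shebang line."""
    flagged = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and has_empty_shebang(p):
                flagged.append(p)
    return flagged


def build_samples(directory: Path):
    """Write constructed sample files: three suspicious, two benign."""
    samples = {
        "empty.sh": b"#!\necho hi\n",          # suspicious: bare shebang
        "empty_ws.sh": b"#! \t\necho hi\n",    # suspicious: shebang + spaces
        "nonl.sh": b"#!",                       # suspicious: shebang, no newline
        "normal.sh": b"#!/bin/sh\necho hi\n",  # benign: interpreter named
        "plain.txt": b"hello\n",                # benign: not a script at all
    }
    for name, content in samples.items():
        (directory / name).write_bytes(content)
    return sorted(samples)


def demo():
    """Create the samples in a temp dir, scan it, and return the flagged names."""
    root = Path(tempfile.mkdtemp(prefix="shebang_scan_"))
    build_samples(root)
    return sorted(p.name for p in scan_tree(root))


if __name__ == "__main__":
    for name in demo():
        print("empty shebang:", name)
```

The check is deliberately narrow: it matches only the precise shape the article describes (a shebang with nothing after it) and reports nothing about signing or notarization, which are the properties the patched OS now re-checks for such files.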
The attackers can mask the malicious app as a harmless PDF file which, as we all know, can be delivered in numerous ways, be it through email, poisoned search results, fake updates, or malware downloaded from shady websites. After the victim runs the script, the attacker can also use it to download and run more potent malware.
Apple released a patch for the vulnerability in its September 2021 update, bringing the OS to version 11.6. Users of macOS 12 beta 6 are also protected, researchers confirmed.