Apple has patched a zero-day bug in macOS exploited by Shlayer malware

Apple has patched a zero-day vulnerability in macOS that was being used by Shlayer malware in the wild to bypass Apple’s File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads.

 

Shlayer is a multi-stage Trojan that has infected over 10% of all Macs worldwide.

 

Shlayer’s creators had previously been able to get their malicious payloads through Apple’s automated notarization process.

 

If macOS apps pass this automated security audit, Gatekeeper—a macOS security feature that verifies whether downloaded apps have been tested for known malicious content—allows them to run on the device.

 


Starting in January 2021, the Jamf Protect detection team discovered that the Shlayer malware threat actors were developing unsigned and unnotarized Shlayer samples that were exploiting a zero-day vulnerability (CVE-2021-30657).

 

Apple has received a similar report from security engineer Cedric Owens.

 

This now-fixed bug stems from a logic flaw in the way Gatekeeper checked whether app bundles were notarized to run on fully patched macOS systems, according to security researcher Patrick Wardle.

 


Malware variants that exploit this zero-day vulnerability can be launched with a double-click and are spread through poisoned search engine results and compromised websites.

 

Apple has now released the macOS Big Sur 11.3 security update, which patches the vulnerability and prevents malware operations from exploiting it.

 

Users are now told that malicious apps “cannot be opened because the developer cannot be identified” and are advised to eject the mounted disk image because it could contain malware.

 
