Apple has addressed a macOS vulnerability that unsigned and unnotarized script-based apps could exploit to bypass all macOS security protection mechanisms, even on fully patched systems.

Gatekeeper is a macOS security feature that verifies whether downloaded apps are developer-signed and notarized. If an app circumvents the automated notarization checks (which scan for malicious components and code-signing issues), Gatekeeper allows it to launch. Once malicious script-based apps targeting the bypass flaw (CVE-2021-30853) are launched on a target's system, attackers can use them to download and deploy second-stage payloads.

Apple addressed the vulnerability in macOS 11.6, released in September 2021, through a security update that adds improved checks.

The CVE-2021-30853 Gatekeeper bypass was discovered and reported to Apple by Box Offensive Security Engineer Gordon Long.

He found that specially crafted script-based applications downloaded from the Internet would launch without showing an alert, even though they had been automatically quarantined. The "specially crafted" part requires building an app whose main executable is a script that starts with a shebang (#!) but leaves the rest of that line empty, so that no interpreter is named and the Unix shell runs the script itself.

Basically, if the script used a shebang (#!) but did not explicitly specify an interpreter, it bypassed Gatekeeper's checks. This works because the syspolicyd daemon, which the AppleSystemPolicy kernel extension normally invokes to perform the signing and notarization checks, is never triggered when a script is launched without an interpreter.

Image: Patrick Wardle

## Similar bugs exploited by malware

This is not the first macOS bug fixed by Apple that would let threat actors completely circumvent OS security mechanisms such as Gatekeeper and File Quarantine on fully patched Macs.

In April 2021, Apple patched a zero-day vulnerability exploited in the wild by Shlayer malware operators to bypass macOS's automated security checks and deploy additional payloads on compromised Macs. As the Jamf Protect detection team discovered, the Shlayer threat actors had been targeting macOS users with unsigned and unnotarized malware exploiting that zero-day (tracked as CVE-2021-30657) since January 2021.
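The bare-shebang trigger described above is straightforward to check for on disk. The scanner below is an added example written for this page, not code from the article, from Apple, or from the researchers it cites. It assumes the standard bundle layout (Contents/Info.plist naming a CFBundleExecutable under Contents/MacOS), treats a first line of `#!` followed only by whitespace as bare, and, on macOS only, asks xattr(1) whether the com.apple.quarantine attribute is present; the two demo bundles it builds in a temporary directory are constructed sample input, not real software.

```python
"""Flag .app bundles whose main executable is a script with a bare '#!' line.

Added example, not code from the article or from Apple/Box. The bundle layout
assumed here (Contents/Info.plist, Contents/MacOS/<CFBundleExecutable>) is the
standard one; the "bare shebang" test mirrors the condition the article describes.
"""
from __future__ import annotations

import os
import plistlib
import subprocess
import sys
import tempfile


def is_bare_shebang(first_line: bytes) -> bool:
    """True when the line starts with '#!' and names no interpreter.

    b'#!' and b'#!   ' count as bare; b'#!/bin/sh' and b'#! /bin/sh' do not.
    """
    if not first_line.startswith(b"#!"):
        return False
    return first_line[2:].strip() == b""


def main_executable(bundle: str) -> str | None:
    """Path of the bundle's CFBundleExecutable, or None if Info.plist is unusable."""
    info = os.path.join(bundle, "Contents", "Info.plist")
    try:
        with open(info, "rb") as fh:
            name = plistlib.load(fh).get("CFBundleExecutable")
    except (OSError, plistlib.InvalidFileException):
        return None
    return os.path.join(bundle, "Contents", "MacOS", name) if name else None


def is_quarantined(path: str) -> bool | None:
    """Best-effort File Quarantine check via xattr(1); None when not on macOS."""
    if sys.platform != "darwin":
        return None
    res = subprocess.run(["xattr", "-p", "com.apple.quarantine", path],
                         capture_output=True)
    return res.returncode == 0


def scan_bundle(bundle: str) -> dict:
    """Report whether one .app's launcher is a script with a bare shebang line."""
    exe = main_executable(bundle)
    finding = {"bundle": bundle, "executable": exe,
               "bare_shebang": False, "quarantined": None}
    if exe is None or not os.path.isfile(exe):
        return finding
    with open(exe, "rb") as fh:
        first_line = fh.readline()  # a Mach-O binary fails the '#!' test
    finding["bare_shebang"] = is_bare_shebang(first_line)
    finding["quarantined"] = is_quarantined(bundle)
    return finding


def scan_tree(root: str) -> list[dict]:
    """Walk root (for example ~/Downloads) and scan every .app bundle found."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if d.endswith(".app"):
                findings.append(scan_bundle(os.path.join(dirpath, d)))
                dirnames.remove(d)  # do not descend into the bundle itself
    return findings


def make_demo_tree() -> str:
    """Constructed sample input: two minimal script-based bundles in a temp dir.

    'Bare.app' uses a bare '#!' line (the pattern the article describes);
    'Normal.app' names /bin/sh explicitly. Neither is real software.
    """
    root = tempfile.mkdtemp(prefix="gk-demo-")
    for name, first_line in (("Bare", b"#!"), ("Normal", b"#!/bin/sh")):
        contents = os.path.join(root, name + ".app", "Contents")
        os.makedirs(os.path.join(contents, "MacOS"))
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump({"CFBundleExecutable": name}, fh)
        with open(os.path.join(contents, "MacOS", name), "wb") as fh:
            fh.write(first_line + b"\necho demo payload\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for f in sorted(scan_tree(target), key=lambda f: f["bundle"]):
        tag = "SUSPECT" if f["bare_shebang"] else "ok     "
        print(f"{tag} {f['bundle']} quarantined={f['quarantined']}")
```

Run it with a directory argument (for example ~/Downloads) to scan real bundles; without one it scans the constructed demo tree. A hit only matters on a quarantined bundle that is also unsigned or unnotarized, so confirm with `codesign -dv` and `spctl --assess` before treating a result as an incident, and note that a patched system (macOS 11.6 or later) still shows the alert for such apps.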