If you haven’t updated your Mac to the newest version of Ventura, Monterey, or Big Sur, you should rush to do that. A nasty new bug that was patched in last week’s updates could be used by an attacker to bypass Apple’s strict security protections and install malware on your Mac.
Discovered by Microsoft, the company posted in its Security blog about the vulnerability dubbed Achilles. Essentially, Achilles uses a file format within macOS called AppleDouble that includes Access Control Lists with restrictive permissions to trick Gatekeeper, a macOS feature that prevents malware installations. Once Gatekeeper is bypassed, the software installation can proceed without the user being warned or any part of the system preventing it, even when in Lockdown mode.
Achilles is filed with the National Vulnerability Database as CVE-2022-42821 and it was discovered by Microsoft in July. It is customary for discoverers of vulnerabilities to post about their findings after patches have been released. Microsoft posted a proof of concept video for Achilles, which can be viewed here. Microsoft notes that since Apple’s new Lockdown mode is “aimed to stop zero-click remote code execution exploits,” it is defenseless against Achilles.
According to Apple’s security notes when macOS Ventura was released in October, Achilles was fixed, however, the notation about the fix wasn’t in the original version of the notes and was only added on December 13. Apple also patched Achilles in macOS Monterey and Big Sur in updates issued last week.
Gatekeeper was introduced in Mac OS X Mountain Lion in 2012, and has had a few security holes patched over the years–Microsoft’s blog lists six recent vulnerabilities besides Achilles. While Gatekeeper is an important feature to protect the Mac, it’s not perfect, so it’s just another reason why it’s a good idea to install OS updates as soon as possible.