Apple has released a brand new update for its macOS Big Sur operating system, and you really should install it.
Amongst other fixes, Big Sur 11.3 patches a zero-day vulnerability that could allow an attacker to craft malicious payloads that will not be checked by Gatekeeper, the security check built into Apple’s operating system that is supposed to block the execution of software from untrusted sources.
Researcher Cedric Owens says that all recent versions of macOS prior to Big Sur 11.3 are vulnerable to an attack that could easily be launched against unsuspecting users:
“[The] bug that I uncovered in macOS Catalina 10.15 (specifically tested on 10.15.7) and in macOS Big Sur before Big Sur 11.3 allows an attacker to very easily craft a macOS payload that is not checked by Gatekeeper. This payload can be used in phishing and all the victim has to do is double click to open the .dmg and double-click the fake app inside of the .dmg — no pop ups or warnings from macOS are generated.”
Security researchers at Jamf report that the zero-day exploit has been used in in-the-wild attacks, by a version of the Shlayer adware dropper, as far back as January 9 2021.
Separately, a different vulnerability in macOS Gatekeeper has been discovered that could also allow malicious apps to bypass security checks – when wrapped in a ZIP file.
The vulnerability, dubbed CVE-2021-1810, was found by the boffins at F-Secure in December 2020, could be exploited by any software stored within a specially-crafted ZIP file.
Apple patched the flaw found by F-Secure’s experts in updates issued this week: macOS Big Sur 11.3 and Security Update 2021-002 for macOS Catalina.
The vulnerability discovered by Cedric Owens was also patched at the same time.
Although no evidence has been seen of malicious attacks exploiting the CVE-2021-1810 flaw, it obviously makes good sense to protect against both vulnerabilities by updating the operating system on your Macs and MacBooks at the earliest opportunity.
F-Secure says that it is not releasing full details of the vulnerability it uncovered at the moment, as it waits for more users to update their vulnerable devices.
In addition, the firm notes that applications downloaded from Apple’s App Store are not affected by this issue.