macOS Big Sur 11.3: Upgrade ASAP for fix to 0-Day Gatekeeper Security Exploit (Apple CVE-2021-30657)
If you are running macOS Big Sur, update to 11.3 ASAP to get an urgent security fix.
In essence, an attacker needed little more than to get you to double-click a document masquerading as an app, and your entire machine could be compromised.
It’s hard to operate in today’s internet environment without risk. But when Apple has bugs like this one, hardly anyone is safe, not even highly knowledgeable people (including me). Break these rules at your own risk, since this latest Apple bug is an existence proof that nothing is safe.
- Unless you are CERTAIN that a file comes from a trusted party, do not download or open files received in email. Even then there is a risk since a friend or acquaintance could have been tricked, or infected.
- Prefer plain-text emails.
- Do not open attachments from unknown parties, particularly those forwarded by others.
- Do not click on links in emails. Yeah it’s convenient—don’t.
- Disable auto-loading of images in Apple Mail (the preference should be unchecked/off).
- Communicate by phone (voice) with persons sending you attachments/links to verify validity. And only those you already know.
Years of risk from sloppy practices at Apple?
Apple’s zealous security lockdowns have resulted in numerous impacts on those who use their computers for real work. Bars on the windows, rear doors locked, concrete bunker inside—but here we have the front door left wide open.
It took nearly TWO YEARS to find and fix this outrageous bug. Which is one more reason why waiting at least 6 months for a major macOS update is the smart move. But even that wouldn’t have worked in this case.
Ever wonder why Apple’s operating system releases require numerous updates in just 6 months? Check your premises on quality control—Apple ships by schedule, not by software quality.
About the bug
See also: Apple Security Bounty
CVE-2021-30657 was discovered and reported to Apple by security engineer Cedric Owens on March 25, 2021.
"An unsigned, unnotarized, script-based proof of concept application [...] could trivially and reliably sidestep all of macOS's relevant security mechanisms (File Quarantine, Gatekeeper, and Notarization Requirements), even on a fully patched M1 macOS system," security researcher Patrick Wardle explained in a write-up. "Armed with such a capability macOS malware authors could (and are) returning to their proven methods of targeting and infecting macOS users."
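To make the quoted finding concrete from the defender's side, here is an added shell example (not code from the original post, nor from Wardle or Apple) that triages a downloaded .app bundle. It checks the two structural traits a script-based lure bundle of the kind described above exhibits (no Contents/Info.plist, which every legitimate app bundle carries, and a main executable that is an interpreter script rather than a compiled binary) and, when run on macOS, also asks the system itself about the quarantine attribute, code signature and Gatekeeper verdict via xattr, codesign and spctl. The two sample bundles it builds are constructed fixtures, not real malware, and the flag heuristics are this example's own assumptions, not Apple's policy logic.

```shell
#!/bin/sh
# Added example (not from the original post, Wardle, or Apple): triage a
# downloaded .app bundle for the traits the page attributes to the
# CVE-2021-30657 proof of concept: an unsigned, unnotarized, script-based
# app. Structural checks run anywhere; the xattr/codesign/spctl queries run
# only on macOS. The flag heuristics are this example's own assumptions.

# Structural inspection. Returns 0 when the bundle is shaped like an ordinary
# compiled app, 1 when it shows suspicious traits; prints one FLAG line each.
inspect_app_bundle() {
  app="$1"
  contents="$app/Contents"
  findings=0
  # Every legitimate app bundle carries Contents/Info.plist.
  if [ ! -f "$contents/Info.plist" ]; then
    echo "FLAG: $app has no Contents/Info.plist"
    findings=$((findings + 1))
  fi
  # A fuller triage would read CFBundleExecutable from Info.plist; since the
  # plist may be absent, take the first entry of Contents/MacOS instead.
  exe=$(ls "$contents/MacOS" 2>/dev/null | head -n 1)
  if [ -z "$exe" ]; then
    echo "FLAG: $app has no Contents/MacOS executable"
    findings=$((findings + 1))
  elif head -c 2 "$contents/MacOS/$exe" 2>/dev/null | grep -q '^#!'; then
    # A "#!" shebang means an interpreter script, not a compiled Mach-O.
    echo "FLAG: main executable $exe is an interpreter script"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# macOS-only: ask the OS about quarantine, signature and Gatekeeper verdict.
# Informational only; returns 0 on systems without spctl.
gatekeeper_status() {
  app="$1"
  if ! command -v spctl >/dev/null 2>&1; then
    echo "INFO: spctl not found (not macOS); skipping system checks"
    return 0
  fi
  if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
    echo "INFO: quarantine attribute present (file was downloaded)"
  else
    echo "INFO: no quarantine attribute"
  fi
  if codesign --verify --deep --strict "$app" >/dev/null 2>&1; then
    echo "INFO: code signature verifies"
  else
    echo "FLAG: unsigned or invalid code signature"
  fi
  if spctl --assess --type execute "$app" >/dev/null 2>&1; then
    echo "INFO: Gatekeeper accepts this app"
  else
    echo "FLAG: Gatekeeper rejects this app"
  fi
}

# Combined verdict: the structural result decides the exit status, so the
# outcome does not depend on the OS assessment that the bug defeated.
triage() {
  if inspect_app_bundle "$1"; then verdict=0; else verdict=1; fi
  gatekeeper_status "$1"
  if [ "$verdict" -eq 0 ]; then
    echo "RESULT: $1 looks like a normal bundle"
  else
    echo "RESULT: $1 is SUSPICIOUS"
  fi
  return "$verdict"
}

# Constructed sample bundles (placeholders, not real apps or malware) so the
# checks can be exercised offline; prints the temp directory holding them.
make_sample_bundles() {
  dir=$(mktemp -d)
  mkdir -p "$dir/Normal.app/Contents/MacOS" "$dir/Lure.app/Contents/MacOS"
  # Normal.app: Info.plist present, executable is not a script
  printf '<?xml version="1.0"?><plist version="1.0"><dict/></plist>\n' \
    > "$dir/Normal.app/Contents/Info.plist"
  printf 'placeholder bytes standing in for a compiled binary\n' \
    > "$dir/Normal.app/Contents/MacOS/Normal"
  # Lure.app: no Info.plist, main executable is a shell script
  printf '#!/bin/sh\necho "document pretending to be an app"\n' \
    > "$dir/Lure.app/Contents/MacOS/Lure"
  chmod +x "$dir/Normal.app/Contents/MacOS/Normal" "$dir/Lure.app/Contents/MacOS/Lure"
  echo "$dir"
}

# Usage: sh triage_app.sh /path/to/Downloaded.app
# With no argument, demonstrate on the constructed sample bundles instead.
if [ "$#" -gt 0 ]; then
  triage "$1"
else
  samples=$(make_sample_bundles)
  triage "$samples/Normal.app"
  triage "$samples/Lure.app" || :   # exit status 1 is the expected result here
  rm -rf "$samples"
fi
```

The structural checks are the independent signal here: they do not consult the OS's own verdict, which is precisely what the quoted proof of concept sidestepped. On a system updated to 11.3 the two views should agree; a FLAG from the structural checks paired with "Gatekeeper accepts this app" is the combination worth a second look.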
Ironic that macOS Catalina introduced the bug, what with all its extra security hassles. Of course, Catalina was a dismal failure in terms of so many other security bugs.
When Apple released the latest version, 11.3, for macOS on Monday, it didn't just introduce support for new features and optimizations. More importantly, the company fixed a zero-day vulnerability that hackers were actively exploiting to install malware without triggering core Mac security mechanisms, some that were in place for more than a decade.
...the flaw appears to have existed since the introduction of macOS 10.15 in June 2019, which is when notarization was introduced.
MPG: if the bug was being “actively exploited”, how can Apple be so out-of-the-loop to not know that after nearly two years? Why isn’t there a team at Apple that infiltrates the hacker community and/or actively buys exploits, so as to fix them?
Why doesn’t Apple owe compensation to the victims of this bug? A constant barrage of buggy macOS releases has a long track record of sloppy work—Apple should be liable given that track record.