Gatekeeper is the macOS mechanism that blocks untrusted applications from launching. Apple is changing it in its next major release, macOS Sequoia, to make it harder for users to override a Gatekeeper block.
The change concerns applications obtained outside the Mac App Store. For those, Gatekeeper checks that the app is signed with a valid Developer ID and has been notarized by Apple, which includes a scan for known malware; software that fails those checks is exactly the kind of unverified installer threat actors use to get a foothold on a Mac.
The core of the change is the override path itself. Today a user can bypass a Gatekeeper block on unsigned or un-notarized software by Control-clicking the app and choosing Open, a one-gesture step that malware installers routinely instruct victims to take. In a statement, Apple confirmed that “In macOS Sequoia, users will no longer be able to Control-click to override Gatekeeper when opening software that isn’t signed correctly or notarized. They will need to visit System Settings > Privacy & Security to review security information for software before allowing it to run.” Note that this raises friction rather than removing the override entirely: unsigned software can still be allowed, but only from System Settings after the user has seen the security information.
Global System Outage Cause Revealed by CrowdStrike
CrowdStrike has published a Post Incident Review (PIR) with more detail on the faulty update that blue-screened millions of Windows hosts at businesses worldwide. The root cause lay in Channel File 291, a Rapid Response Content file for a new IPC Template Type introduced to improve visibility into attacks that abuse pipes and other Windows interprocess communication (IPC) mechanisms. A problematic Template Instance passed the Content Validator and multiple layers of testing, and the defect it triggered was only discovered after the instance had been deployed from the cloud.
A statement from the company explained, “Sensors that received the new version of Channel File 291 containing the problematic content were exposed to a latent out-of-bounds read issue in the Content Interpreter. The new IPC Template Instances were evaluated at the next IPC notification from the operating system, specifying a comparison against the 21st input value. The Content Interpreter expected only 20 values. Therefore, the attempt to access the 21st value produced an out-of-bounds memory read beyond the end of the input data array, resulting in a system crash.”
CrowdStrike confirmed it has addressed the issue by adding runtime bounds checks on the input array to the Content Interpreter. “The added bounds check prevents the Content Interpreter from performing an out-of-bounds access of the input array and crashing the system,” the statement noted. “The additional check adds an extra layer of runtime validation to ensure the input array size matches the number of inputs expected by the Rapid Response Content.”
The company also listed further changes made in response:
- The Content Validator has been modified to add new checks ensuring that content in Template Instances does not include matching criteria that match more fields than provided as input to the Content Interpreter.
- The Content Validator now only allows wildcard matching criteria in the 21st field, preventing out-of-bounds access in sensors that provide only 20 inputs.
- The Content Configuration System has been updated with new test procedures so that every new Template Instance is tested, rather than relying on the testing done on the Template Type when it was created.
- Additional deployment layers and acceptance checks have been added to the Content Configuration System.
- The Falcon platform has been updated to give customers increased control over the delivery of Rapid Response Content.
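The runtime bounds check described above and the two Content Validator checks in the list (no criteria beyond the provided inputs, wildcard-only in the 21st field) are easiest to see side by side in code. The following C program is an added illustration and is not CrowdStrike's code; the real interpreter and channel file format are not public, so the struct layout, the "*" wildcard convention, the 21-criterion instance and the sample input values are all assumptions made for this example.

```c
/* Added example (not CrowdStrike code): a toy Content Interpreter and
 * Content Validator reproducing the Channel File 291 failure mode and the
 * fixes described in the PIR. Names, the "*" wildcard and the sample data
 * are assumptions made for this illustration. */
#include <stdio.h>
#include <string.h>

#define SENSOR_INPUT_COUNT 20   /* values the sensor actually supplies */
#define TEMPLATE_FIELDS    21   /* fields the new IPC Template Type declares */

typedef struct {
    size_t field;        /* 0-based index into the sensor's input array */
    const char *match;   /* literal to compare against, or "*" = wildcard */
} criterion_t;

typedef struct {
    size_t ncriteria;
    criterion_t c[TEMPLATE_FIELDS];
} template_instance_t;

/* Constructed sample input: the 20 values a sensor hands the interpreter
 * at an IPC notification (placeholders, not real telemetry). */
static const char *sample_inputs[SENSOR_INPUT_COUNT] = {
    "ipc", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9",
    "a10", "a11", "a12", "a13", "a14", "a15", "a16", "a17", "a18", "a19"
};

/* Build a 21-criterion instance. Field 0 must equal "ipc"; the 21st
 * criterion (index 20) is either a literal, as in the bad instance, or a
 * wildcard, which is what the validator now permits in that position. */
void build_instance(template_instance_t *t, int wildcard_21st)
{
    t->ncriteria = TEMPLATE_FIELDS;
    for (size_t i = 0; i < TEMPLATE_FIELDS; i++) {
        t->c[i].field = i;
        t->c[i].match = "*";
    }
    t->c[0].match  = "ipc";
    t->c[20].match = wildcard_21st ? "*" : "evil";
}

/* Content Validator check (creation side): a criterion may reference a
 * field beyond what the interpreter receives only if it is a wildcard,
 * because a wildcard is never dereferenced at runtime. */
int validate_instance(const template_instance_t *t, size_t input_count)
{
    for (size_t i = 0; i < t->ncriteria; i++) {
        const criterion_t *c = &t->c[i];
        if (c->field >= input_count && strcmp(c->match, "*") != 0)
            return 0;   /* would force an out-of-bounds read on the sensor */
    }
    return 1;
}

/* Pre-fix interpreter: trusts every field index. With a literal in the
 * 21st criterion and a 20-element input array it reads inputs[20], one
 * past the end of the array: the latent out-of-bounds read. */
int interpret_unchecked(const template_instance_t *t,
                        const char *const *inputs)
{
    for (size_t i = 0; i < t->ncriteria; i++) {
        const criterion_t *c = &t->c[i];
        if (strcmp(c->match, "*") == 0)
            continue;
        if (strcmp(inputs[c->field], c->match) != 0)
            return 0;
    }
    return 1;
}

/* Post-fix interpreter: checks the index against the real input array
 * size before each access and fails closed (-1) on a malformed instance
 * instead of touching memory past the array. */
int interpret_checked(const template_instance_t *t,
                      const char *const *inputs, size_t input_count)
{
    for (size_t i = 0; i < t->ncriteria; i++) {
        const criterion_t *c = &t->c[i];
        if (strcmp(c->match, "*") == 0)
            continue;                        /* wildcard: nothing to read */
        if (c->field >= input_count)
            return -1;                       /* runtime bounds check */
        if (strcmp(inputs[c->field], c->match) != 0)
            return 0;
    }
    return 1;
}

int main(void)
{
    template_instance_t bad, good;
    build_instance(&bad, 0);
    build_instance(&good, 1);
    /* The bad instance is never fed to interpret_unchecked: that is the
     * out-of-bounds read, and on a real host it is the crash. */
    printf("bad:  validator=%d checked=%d\n",
           validate_instance(&bad, SENSOR_INPUT_COUNT),
           interpret_checked(&bad, sample_inputs, SENSOR_INPUT_COUNT));
    printf("good: validator=%d checked=%d unchecked=%d\n",
           validate_instance(&good, SENSOR_INPUT_COUNT),
           interpret_checked(&good, sample_inputs, SENSOR_INPUT_COUNT),
           interpret_unchecked(&good, sample_inputs));
    return 0;
}
```

The two checks are deliberately redundant: the validator stops a bad instance from ever shipping, and the interpreter's bounds check protects the sensor if anything gets past the validator, which is the defence-in-depth posture the PIR describes.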
CrowdStrike also said it has engaged two independent third-party vendors to further review the Falcon sensor code for security and quality assurance.
Hackers Leveraging Roundcube Webmail Flaws to Steal Emails and Passwords
According to cybersecurity researchers, three vulnerabilities in the Roundcube webmail client, CVE-2024-42008, CVE-2024-42009 and CVE-2024-42010, let an attacker run JavaScript in a victim's browser session and exfiltrate data from the account, including emails and contacts. The fixes shipped in Roundcube 1.6.8 and 1.5.8, and administrators running earlier versions should upgrade.
Detailed analysis revealed that CVE-2024-42008 is a cross-site scripting flaw triggered by a malicious email attachment served with a dangerous Content-Type header, CVE-2024-42009 is a cross-site scripting flaw arising from post-processing of HTML content that has already been sanitized, and CVE-2024-42010 is an information disclosure flaw due to insufficient CSS filtering.
A researcher from Sonar mentioned, “When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim’s browser. Attackers can abuse the vulnerability to steal emails, contacts, and the victim’s email password, as well as send emails from the victim’s account.”
Oskar Zeino-Mahmalat of Sonar added, “Attackers can gain a persistent foothold in the victim’s browser across restarts, allowing them to continuously exfiltrate emails or steal the victim’s password the next time it is entered. For a successful attack, no user interaction beyond viewing the attacker’s email is required to exploit the critical XSS vulnerability (CVE-2024-42009). For CVE-2024-42008, a single click by the victim is needed for the exploit to work, but the attacker can make this interaction unobvious for the user.”