Presented at
Objective by the Sea version 5.0 (2022),
Oct. 6, 2022, 10:10 a.m.
(25 minutes)
A recent vulnerability, CVE-2022-22616, existed in the Safari browser for years that allowed a specially crafted zip to bypass all checks performed by Gatekeeper. This resulted in the execution of an application that was completely unsigned and un-notarized. \n\n Join us on this journey through macOS internals on the discovery of the flaw and a deep dive into the root cause of the issue within the BOM framework. We will investigate how the BOM framework is used to extract an archive and how an attacker can leverage a logic flaw to bypass Gatekeeper. Lastly, we will cover how we were able to re-discover the flaw in other components of macOS to bypass security controls yet again (CVE-Pending) and discuss how we’ve used ESF to protect from these vulnerabilities as well.
Presenters:
-
Jaron Bradley
- macOS Detections Team Lead at Jamf
Jaron Bradley has worked on various incident response, engineering and threat hunting teams throughout his career where he has focused mostly on Unix-based intrusions. He is author of OS X Incident Response Scripting and Analysis and manages themittenmac.com — a website dedicated to helping those further understand threat hunting on macOS — in his free time.
-
Ferdous Saljooki
- Detection Developer at Jamf
Ferdous Saljooki is a Detection Developer for Jamf where he hunts and analyzes threats on macOS to build reliable detections. Prior to joining Jamf, he worked for organizations as a threat hunter and researcher focused on application and network threats. Ferdous has a passion for macOS security and enjoys researching malware and understanding system internals to better protect users.
Links:
Similar Presentations: