CVE-2022-32910 - How a ZIP Archive Could Bypass Gatekeeper on macOS – Technical Deep Dive & Exploit Example

Gatekeeper is one of Apple’s most celebrated security features: whenever you download an app or an archive from the internet, Gatekeeper checks if it’s from a trusted developer and warns you before allowing it to run. But what if you could bypass it simply by packing your files in a certain way inside an archive? That’s exactly what CVE-2022-32910 allowed until Apple released fixes in macOS Big Sur 11.6.8, Monterey 12.5, and Security Update 2022-005 for Catalina.

In this post, we’ll walk through what the vulnerability was, how it worked, and how a bad actor could have exploited it—with simple code examples and links you can follow for more information.

What is CVE-2022-32910?

CVE-2022-32910 is a logic bug in macOS’s handling of archives (like .zip files). The problem was with how macOS performed security checks—specifically with Gatekeeper, which is supposed to prevent unwanted software from running. Due to this bug, archives could be crafted in a way that bypassed these checks, meaning malware could sneak onto systems even if you thought you were protected.

Apple’s Official Description

> An archive may be able to bypass Gatekeeper. A logic issue was addressed with improved checks. (See Apple Security Update)

How Did the Vulnerability Work?

When you download files from the internet, macOS tags them with a special piece of metadata, called a quarantine attribute, using com.apple.quarantine. Gatekeeper relies on this to block or warn about running files from untrusted sources.

Due to the logic issue, if you placed files inside a specially crafted archive with unusual structure, the extraction process could accidentally strip this quarantine flag (or fail to apply it), leaving the extracted app or script to run without any warning—completely bypassing Gatekeeper.

Let's say you want to run a simple script, evil.sh

echo "echo 'Malware executed!'" > evil.sh
chmod +x evil.sh

Step 2: Create a ZIP File

Normally, if you ARCHIVE a file, the quarantine attribute should be set on extraction. To bypass this:

# Remove any quarantine attribute before zipping
xattr -d com.apple.quarantine evil.sh 2>/dev/null

# Create the ZIP
zip attack.zip evil.sh

A real attack would use a more elaborate method, sometimes by creating strange file paths inside the ZIP to trick the extraction utility into skipping security checks. For example, using resource fork files, extended attributes, or symlinks in creative ways.

Step 3: Deliver and Extract

If the user extracts attack.zip (especially using command-line tools or certain 3rd party apps), evil.sh could be restored without the quarantine attribute:

unzip attack.zip
xattr evil.sh   # Should not show 'com.apple.quarantine'

Step 4: Run the File

Now, the user—or a script—can execute evil.sh directly. Since the quarantine attribute is missing, Gatekeeper never shows an alert or blocks the run! Replace evil.sh with a real malware payload, and you see how dangerous this is.

*Note: This is a simplified scenario. Original exploits sometimes used directories, complex symlink chains, or other ZIP tricks to confuse macOS extraction. For a more technical breakdown, see these references:*

- The Art of Mac Malware ZIP Bypass by Patrick Wardle
- Original Apple Security Update Note
- CVE Record at NVD

To see if your Mac is still vulnerable

1. Make sure you’re not running Big Sur 11.6.8, Monterey 12.5, or Security Update 2022-005 Catalina (all fixes released in July 2022).
2. Try extracting an unquarantined ZIP file (as above), and check with xattr if the quarantine flag is missing.

How Did Apple Fix It?

Apple fixed this by strengthening the checks around extraction, ensuring files pulled from ZIPs (and other archives) are always tagged with the quarantine attribute, even in strange edge-cases and with odd internal archive layouts.

*From Apple’s release notes:*
> “A logic issue was addressed with improved checks.”

Conclusion: Stay Safe!

CVE-2022-32910 is a reminder that even core defenses like Gatekeeper can be bypassed with subtle logic bugs—especially when dealing with files and archives. Always keep your Mac updated to the latest releases, and be wary of ZIPs or other files from unknown sources.

To dive deeper

- Apple’s Security Update page
- NVD Record
- Technical article by Patrick Wardle (“The Art of Mac Malware ZIP Bypass”)

If you found this useful or want to see sample exploit code, feel free to reach out or comment below! Stay secure, and keep your software updated!

Timeline

Published on: 11/01/2022 20:15:00 UTC
Last modified on: 11/03/2022 12:43:00 UTC