CVE-2021-1847
📋 TL;DR
This is a memory corruption vulnerability in macOS that allows arbitrary code execution when opening malicious files. It affects macOS Big Sur, Catalina, and Mojave systems. Attackers can exploit this to crash applications or take control of affected systems.
💻 Affected Systems
- macOS
📦 What is this software?
macOS by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining root privileges and persistent access to the system.
Likely Case
Application crashes leading to denial of service, with potential for limited code execution in user context.
If Mitigated
No impact if systems are fully patched and users avoid opening untrusted files.
🎯 Exploit Status
Exploitation requires user interaction to open malicious files. No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: macOS Big Sur 11.3, Security Update 2021-002 Catalina, Security Update 2021-003 Mojave
Vendor Advisory: https://support.apple.com/en-us/HT212325
Restart Required: Yes
Instructions:
1. Open System Preferences > Software Update.
2. Install available updates.
3. Restart the system when prompted.
🔧 Temporary Workarounds
Restrict file execution
Use application whitelisting to prevent execution of untrusted applications. Note that Gatekeeper (configured with spctl) controls which applications are allowed to run; it does not stop a trusted application from opening a malicious data file, which is the trigger described above, so this only narrows the exposure.
sudo spctl --master-enable
sudo spctl --enable --label "Developer ID"
User education
Train users to avoid opening files from untrusted sources.
🧯 If You Can't Patch
- Implement application control/whitelisting to restrict which applications can run
- Use endpoint detection and response (EDR) tools to monitor for suspicious file execution
🔍 How to Verify
Check if Vulnerable:
Check the macOS version: sw_vers -productVersion
Verify Fix Applied:
Verify version is at least: Big Sur 11.3, Catalina with Security Update 2021-002, Mojave with Security Update 2021-003
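The version check above, carried out as a script that classifies a host against the three fix levels this page lists. This is an added example, not Apple's or this page's own code; it assumes `softwareupdate --history` is available and lists installed updates by name (on releases without that flag, the same "Security Update YYYY-NNN" names are assumed to be readable from /Library/Receipts/InstallHistory.plist).

```sh
#!/bin/sh
# Added example (not Apple's or the page's own code): classify a macOS host
# against the fix levels this page lists for CVE-2021-1847. Inputs are the
# output of `sw_vers -productVersion` and the text of `softwareupdate --history`
# (assumed present; only the "Security Update YYYY-NNN" names in it are used).

# Compare dotted version strings field by field; prints "ge" if $1 >= $2, else "lt".
version_cmp() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; a="${a#*.}"; y="${b%%.*}"; b="${b#*.}"
    [ "${x:-0}" -gt "${y:-0}" ] && { echo ge; return; }
    [ "${x:-0}" -lt "${y:-0}" ] && { echo lt; return; }
  done
  echo ge
}

# Highest "Security Update YYYY-NNN" in $1, as the integer YYYYNNN (0 if none).
max_security_update() {
  m=$(printf '%s\n' "$1" |
      sed -n 's/.*Security Update \([0-9]\{4\}\)-\([0-9]\{3\}\).*/\1\2/p' |
      sort -n | tail -n 1)
  echo "${m:-0}"
}

# $1 = product version, $2 = update history text.
# Prints "patched", "vulnerable", or "out-of-scope" (release not named in the advisory).
assess_cve_2021_1847() {
  case "$1" in
    10.14|10.14.*)  # Mojave: fixed by Security Update 2021-003 (or any later one)
      [ "$(max_security_update "$2")" -ge 2021003 ] && echo patched || echo vulnerable ;;
    10.15|10.15.*)  # Catalina: fixed by Security Update 2021-002 (or any later one)
      [ "$(max_security_update "$2")" -ge 2021002 ] && echo patched || echo vulnerable ;;
    11|11.*)        # Big Sur: fixed in 11.3; later point releases include the fix
      [ "$(version_cmp "$1" 11.3)" = ge ] && echo patched || echo vulnerable ;;
    *) echo out-of-scope ;;
  esac
}

# Constructed sample in the shape of `softwareupdate --history` output.
SAMPLE_HISTORY='Display Name                 Version   Date
Security Update 2021-001     10.15.7   02/01/2021
Safari                       14.0.3    02/01/2021'
echo "Catalina 10.15.7, sample history: $(assess_cve_2021_1847 10.15.7 "$SAMPLE_HISTORY")"
echo "Big Sur 11.2.3: $(assess_cve_2021_1847 11.2.3 "")"
echo "Big Sur 11.3:   $(assess_cve_2021_1847 11.3 "")"
```

On a live host, run `assess_cve_2021_1847 "$(sw_vers -productVersion)" "$(softwareupdate --history)"` after sourcing the script.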
📡 Detection & Monitoring
Log Indicators:
- Application crashes in Console logs
- Unexpected file opening events
- Process creation from suspicious file types
Network Indicators:
- Downloads of suspicious file types from untrusted sources
SIEM Query:
source="macos" AND (event="application_crash" OR event="file_open") AND file_extension IN ("dmg", "pkg", "app", "zip")