CVE-2021-30975

8.6 HIGH

📋 TL;DR

This vulnerability allows malicious OSAX scripting additions to bypass macOS Gatekeeper security checks and sandbox restrictions, potentially enabling arbitrary code execution. It affects macOS users running vulnerable versions who open untrusted scripting dictionaries. The issue was addressed by disabling JavaScript execution in scripting dictionary viewers.

💻 Affected Systems

Products:
  • macOS
Versions: Prior to macOS Monterey 12.1, Security Update 2021-008 Catalina, and macOS Big Sur 11.6.2
Operating Systems: macOS Catalina, macOS Big Sur, macOS Monterey
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with default Gatekeeper and sandbox configurations. Requires user interaction with malicious OSAX scripting addition files.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the macOS system, bypassing all sandbox protections and Gatekeeper security checks.

🟠 Likely Case

Local privilege escalation or arbitrary code execution when a user opens a malicious scripting dictionary file, potentially leading to malware installation or data theft.

🟢 If Mitigated

No impact if systems are patched or if users avoid opening untrusted scripting dictionary files.

🌐 Internet-Facing: LOW - This primarily requires local file access or user interaction with malicious files.
🏢 Internal Only: MEDIUM - Internal users could be targeted via malicious files, but exploitation requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious scripting dictionary file. No public exploit code has been disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: macOS Monterey 12.1, Security Update 2021-008 Catalina, macOS Big Sur 11.6.2

Vendor Advisory: https://support.apple.com/en-us/HT212978

Restart Required: Yes

Instructions:

1. Open System Preferences > Software Update.
2. Install the available security update for your macOS version.
3. Restart your Mac when prompted.

🔧 Temporary Workarounds

Disable automatic opening of scripting dictionaries (macOS)

Configure macOS not to open scripting dictionary files automatically, or use an alternative viewer.

Use Gatekeeper command-line restrictions (macOS)

Temporarily increase Gatekeeper security settings via terminal commands:

sudo spctl --master-enable
sudo spctl --enable

🧯 If You Can't Patch

  • Avoid opening untrusted scripting dictionary (.osax) files from unknown sources
  • Implement application allowlisting to restrict execution of unauthorized OSAX scripting additions

🔍 How to Verify

Check if Vulnerable:

Check the macOS version in System Preferences > About This Mac. If the version is earlier than Monterey 12.1, Catalina with Security Update 2021-008, or Big Sur 11.6.2, the system is vulnerable.

Check Version:

sw_vers

Verify Fix Applied:

Verify that the reported macOS version is one of the patched releases listed above and that JavaScript execution in the scripting dictionary viewer is disabled.
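The version check above, scripted as an added example (not part of the advisory): it compares the `sw_vers -productVersion` string against the fixed releases named on this page. Catalina is reported as "check-security-update" because Security Update 2021-008 is not visible in the product version; the function name and the constructed sample version are this example's own.

```shell
#!/bin/sh
# Classify a macOS product version against the fixes for CVE-2021-30975:
# Monterey 12.1 and Big Sur 11.6.2 (from the advisory). Catalina 10.15.x
# needs Security Update 2021-008, which the version string does not show.

field() {
    # Nth dotted field of $1; trailing dot guarantees cut sees a delimiter
    printf '%s.' "$1" | cut -d. -f"$2"
}

ver_ge() {
    # Return 0 when dotted version $1 >= $2, comparing field by field
    i=1
    while :; do
        x=$(field "$1" "$i"); y=$(field "$2" "$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Prints: patched | vulnerable | check-security-update | unknown
cve_2021_30975_status() {
    v="$1"
    major=$(field "$v" 1); minor=$(field "$v" 2)
    case "$major" in
        12) if ver_ge "$v" "12.1";   then echo patched; else echo vulnerable; fi ;;
        11) if ver_ge "$v" "11.6.2"; then echo patched; else echo vulnerable; fi ;;
        10) if [ "$minor" = "15" ]; then echo check-security-update; else echo unknown; fi ;;
        *)  if [ "$major" -gt 12 ] 2>/dev/null; then echo patched; else echo unknown; fi ;;
    esac
}

# On macOS, query the live system; elsewhere, use a constructed sample version.
if command -v sw_vers >/dev/null 2>&1; then
    cve_2021_30975_status "$(sw_vers -productVersion)"
else
    cve_2021_30975_status "11.6.1"   # constructed sample input, prints "vulnerable"
fi
```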

📡 Detection & Monitoring

Log Indicators:

  • Unusual OSAX scripting addition loading in system logs
  • Gatekeeper bypass attempts in security logs

Network Indicators:

  • Unexpected outbound connections following scripting dictionary file access

SIEM Query:

source="macos_system_logs" AND (event="osax_load" OR event="gatekeeper_bypass")
