CVE-2024-27876
📋 TL;DR
A race condition in Apple's archive unpacking code allows an attacker who supplies a maliciously crafted archive to write arbitrary files on the victim's device when that archive is unpacked. It affects macOS, iOS, iPadOS, and visionOS users who open archives from untrusted sources. Because the write lands outside the intended extraction directory, it can be used for file system manipulation and, depending on what gets overwritten, privilege escalation.
💻 Affected Systems
- macOS
- iOS
- iPadOS
- visionOS
📦 What is this software?
iPadOS by Apple
macOS by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
⚠️ Risk & Real-World Impact
Worst Case
An arbitrary file write chained into persistence or privilege escalation, for example by dropping a launch agent or daemon plist, or by overwriting a script or configuration file that a privileged process later reads or executes. Code execution is a second-order effect of such a write, not something the bug grants directly.
Likely Case
Local file system manipulation, data corruption, or installation of malicious files in user-accessible locations.
If Mitigated
Limited impact with proper file permissions and sandboxing, potentially only affecting user's own files.
🎯 Exploit Status
Exploitation requires user interaction: the victim must unpack an attacker-supplied archive. The attacker also has to win a race window during extraction, so a single attempt may fail and a real attack would typically pack many entries to widen that window.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version:
- macOS Sequoia 15
- macOS Sonoma 14.7
- macOS Ventura 13.7
- iOS 18 and iPadOS 18
- iOS 17.7 and iPadOS 17.7
- visionOS 2
Vendor Advisory: https://support.apple.com/en-us/121234
Restart Required: Yes
Instructions:
1. macOS: open System Settings > General > Software Update. iOS, iPadOS and visionOS: open Settings > General > Software Update.
2. Install the available update for your OS line (a Mac on Ventura receives 13.7, one on Sonoma receives 14.7, one on Sequoia is already on 15).
3. Restart the device when prompted.
🔧 Temporary Workarounds
Disable automatic archive extraction
Prevent automatic unpacking of archives from untrusted sources (in Safari, turn off "Open safe files after downloading" so downloaded archives are not expanded without a deliberate click).
Use alternative archive tools
Unpack untrusted archives with a third-party archive utility that you have vetted, and do so in a throwaway user account or virtual machine so a stray write cannot reach the files or persistence locations of your main account.
🧯 If You Can't Patch
- Restrict archive handling to trusted sources only; treat archives arriving by mail or from unknown websites as hostile until unpacked somewhere disposable
- Rely on application sandboxing and file system permissions: extract as an unprivileged user into an empty directory, and keep that user out of admin groups so a write outside the extraction directory cannot reach system locations
🔍 How to Verify
Check if Vulnerable:
Compare the running OS version with the patched versions listed under Official Fix; any release of the same line below the listed version (for example macOS 14.6.1, iOS 17.6.1, or any visionOS 1.x) is affected.
Check Version:
macOS: sw_vers -productVersion (or Apple menu > About This Mac); iOS/iPadOS/visionOS: Settings > General > About > Version
Verify Fix Applied:
The reported version must match or exceed the patched version for that OS line (13.7, 14.7 or 15 for macOS; 17.7 or 18 for iOS and iPadOS; 2 for visionOS). Note that a Mac on Ventura is fully patched at 13.7 even though 15 is the newest listed release.
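The version comparison above is easy to get wrong by hand (13.7 is patched, 14.6.1 is not, even though 14.6.1 is the higher number), so here is an added example that encodes the patched-version list from the Official Fix section as a small POSIX shell check. It is not Apple's tooling or part of the advisory. It covers all four platforms on the page, takes the version as an argument so it can be run anywhere, and treats OS lines the advisory does not list (macOS 12 and older, iOS 16 and older) as unpatched, which is an assumption you should revisit if a later advisory covers them.

```shell
#!/bin/sh
# Added example, not from the Apple advisory: decide whether an Apple OS
# version is at or above the first release that fixes CVE-2024-27876.
#
# Patched versions, copied from the Official Fix section:
#   macOS:           13.7 (Ventura), 14.7 (Sonoma), 15 (Sequoia)
#   iOS / iPadOS:    17.7, 18
#   visionOS:        2
# Assumption: OS lines not listed there (macOS 12.x and older, iOS 16.x and
# older, visionOS 1.x) received no fix and are reported as vulnerable.

# vernum VERSION: print "MAJOR.MINOR.PATCH" as one comparable integer.
# Runs in a subshell so changing IFS does not leak into the caller.
vernum() (
    IFS=.
    set -- $1
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# fixed_status PLATFORM VERSION: print "fixed" or "vulnerable" and return
# 0 or 1 accordingly. PLATFORM is one of macos, ios, ipados, visionos.
fixed_status() {
    platform=$1; ver=$2; major=${ver%%.*}
    case "$platform:$major" in
        # Lines that received a point release: compare against it below.
        macos:13)         min=13.7 ;;
        macos:14)         min=14.7 ;;
        ios:17|ipados:17) min=17.7 ;;
        # Lines whose fix is the first release of a new major version.
        macos:*)
            [ "$major" -ge 15 ] && { echo fixed; return 0; }
            echo vulnerable; return 1 ;;
        ios:*|ipados:*)
            [ "$major" -ge 18 ] && { echo fixed; return 0; }
            echo vulnerable; return 1 ;;
        visionos:*)
            [ "$major" -ge 2 ] && { echo fixed; return 0; }
            echo vulnerable; return 1 ;;
        *)
            echo "unknown platform: $platform" >&2; return 2 ;;
    esac
    if [ "$(vernum "$ver")" -ge "$(vernum "$min")" ]; then
        echo fixed; return 0
    fi
    echo vulnerable; return 1
}

# On the Mac being checked, read the live version from sw_vers.
check_this_mac() {
    fixed_status macos "$(sw_vers -productVersion)"
}
```

Run `check_this_mac` on a Mac, or `fixed_status ios 17.6.1` with a version read off an iPhone's About screen; the exit status makes it usable from an MDM or inventory script, and the printed word is for a human reading the output.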
📡 Detection & Monitoring
Log Indicators:
- Archive extraction (Archive Utility, ditto, bsdtar/tar, unzip) launched shortly after a download or the opening of a mail attachment
- File writes by those processes that land outside the archive's extraction directory, especially in ~/Library/LaunchAgents, /Library/LaunchDaemons, /usr/local/bin, shell profile files, or ~/.ssh
Network Indicators:
- Downloads of archive files from untrusted or newly seen domains
SIEM Query:
process_name:"Archive Utility" AND file_write_operation
This is a schema-agnostic pseudo-query: map process_name and the file-write event type onto your EDR's field names and filter on the destination path, otherwise every ordinary extraction matches.
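To show what the path filter implied by the pseudo-query looks like once it is concrete, here is an added example (not part of the advisory, and not tied to any particular SIEM) that runs over constructed file-write records. The record format, the list of archive-unpacking process names, and the set of sensitive path prefixes are all assumptions to be replaced with your EDR's export format and your own persistence watch list.

```shell
#!/bin/sh
# Added example: flag file writes made by archive-unpacking processes into
# locations an attacker would choose for persistence or privilege escalation.
# Input format (constructed for this example): one record per line,
# tab-separated "timestamp<TAB>process<TAB>written_path".

# Process names treated as archive unpackers (assumption; extend locally).
ARCHIVE_PROCS='Archive Utility|ditto|bsdtar|tar|unzip'

# Destinations worth alerting on (assumption). Written as an awk extended
# regex without backslashes so it survives being passed through awk -v.
SENSITIVE='^/Library/|^/usr/local/|^/etc/|^/private/etc/|/Library/LaunchAgents/|/Library/LaunchDaemons/|/[.]zshrc$|/[.]zprofile$|/[.]bash_profile$|/[.]ssh/'

# flag_suspicious_writes: stdin records -> stdout, only the matching records.
# Field 2 must be exactly one of the unpacker names; field 3 must hit the
# sensitive-path regex. Writes into the user's Downloads folder fall through.
flag_suspicious_writes() {
    awk -F '\t' -v procs="$ARCHIVE_PROCS" -v sens="$SENSITIVE" '
        $2 ~ ("^(" procs ")$") && $3 ~ sens { print }
    '
}

# sample_log: constructed records standing in for an EDR export.
sample_log() {
    printf '%s\t%s\t%s\n' \
        2024-09-16T10:01:02Z 'Archive Utility' /Users/alice/Downloads/report/readme.txt \
        2024-09-16T10:01:03Z 'Archive Utility' /Users/alice/Library/LaunchAgents/com.example.helper.plist \
        2024-09-16T10:01:04Z ditto /usr/local/bin/update \
        2024-09-16T10:02:10Z Finder /Users/alice/Desktop/notes.txt \
        2024-09-16T10:03:00Z bsdtar /Users/alice/.ssh/authorized_keys \
        2024-09-16T10:03:05Z unzip /tmp/build/out.o
}

# count_suspicious: number of flagged records in the sample (expected: 3).
count_suspicious() {
    sample_log | flag_suspicious_writes | wc -l | tr -d ' '
}
```

Pipe a real export into `flag_suspicious_writes` once the three columns are mapped; the point of the process-name anchor is that a browser or Finder writing a plist is a different (and much more common) event than an unpacker doing it, and the point of the path filter is that an unpacker writing into its own extraction directory is the normal case and must not alert.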
🔗 References
- https://support.apple.com/en-us/121234
- https://support.apple.com/en-us/121238
- https://support.apple.com/en-us/121246
- https://support.apple.com/en-us/121247
- https://support.apple.com/en-us/121249
- https://support.apple.com/en-us/121250
- http://seclists.org/fulldisclosure/2024/Sep/32
- http://seclists.org/fulldisclosure/2024/Sep/33
- http://seclists.org/fulldisclosure/2024/Sep/36
- http://seclists.org/fulldisclosure/2024/Sep/39
- http://seclists.org/fulldisclosure/2024/Sep/40
- http://seclists.org/fulldisclosure/2024/Sep/41