We always advise keeping your Mac up to date, and today is no different: macOS 11.3 is here and you should update immediately, because it closes a security flaw in earlier versions of macOS that is being actively exploited.
macOS 11.3 closes a particularly serious vulnerability.
According to security company Jamf (the maker of Jamf Protect), a group of attackers was exploiting a security gap in macOS to distribute the Shlayer malware. The company found the malware on a customer's Mac in January 2021.
Shlayer is adware that displays targeted advertisements on the infected computer. It is fairly widespread and, on Macs, mainly arrives via poisoned search-engine results that lead to malicious download pages. Read about the different viruses found on Macs.
In the case mentioned, the victim searched Google for an Alexa Skill using the search term "Alexa and Disney" and was redirected to a page hosting the malware. The user then installed the adware thinking it was an Alexa Skill.
Normally this wouldn't be dangerous, because macOS has protection built in: a newly downloaded program is stopped by Apple's Gatekeeper and put through a series of checks before it is allowed to open. For example, the app must be signed with a valid developer certificate and notarized by Apple, and the file is compared against a list of known malware. An app that fails these checks cannot be launched. These checks are triggered by the quarantine flag that browsers and other downloaders attach to the files they save.
However, prior to 11.3 there was a bug in the way macOS classified downloaded apps: an app bundle whose main executable was a script rather than a compiled binary was not classified correctly, so it could be run without those checks and without any warning. Malware authors apparently knew of this zero-day vulnerability and were exploiting it, according to Objective-See.
The attackers created an application bundle with a script as its main executable and no Info.plist file, and placed it in a DMG disk image for distribution. Once the DMG was mounted and the application double-clicked, the script ran without any quarantine, signature or notarization check.
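The bundle shape described above (a script as the main executable, no Contents/Info.plist) is something you can hunt for on disk. The scanner below is an added example written for this article; it is not code from Macwelt, Jamf or Objective-See. It builds three constructed sample bundles in a temporary directory, then reports the one that matches the pattern. It assumes that when Info.plist is absent the main executable lives at Contents/MacOS/<bundle name>, which is the only resolvable layout for such a bundle; names such as SkillInstaller are invented for the demo.

```python
"""Scan a directory tree for .app bundles whose main executable is a script and
which carry no Contents/Info.plist.  Added example for this article; the sample
bundles are constructed for the demo, not real malware."""
import os
import plistlib
import tempfile

# Mach-O and fat-binary magic numbers (32/64-bit, both byte orders, universal).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}


def main_executable(bundle):
    """Return (has_info_plist, path of main executable).  With an Info.plist we
    honour CFBundleExecutable; without one we assume (assumption for this demo)
    the executable is Contents/MacOS/<bundle name without .app>."""
    plist_path = os.path.join(bundle, "Contents", "Info.plist")
    name = os.path.splitext(os.path.basename(bundle))[0]
    has_plist = os.path.isfile(plist_path)
    if has_plist:
        with open(plist_path, "rb") as f:
            name = plistlib.load(f).get("CFBundleExecutable", name)
    return has_plist, os.path.join(bundle, "Contents", "MacOS", name)


def classify(path):
    """'script' for a shebang file, 'macho' for a Mach-O header, 'missing' if the
    file does not exist, otherwise 'unknown'."""
    if not os.path.isfile(path):
        return "missing"
    with open(path, "rb") as f:
        head = f.read(4)
    if head[:2] == b"#!":
        return "script"
    if head in MACHO_MAGICS:
        return "macho"
    return "unknown"


def find_suspicious_bundles(root):
    """Yield (bundle path, reason) for every .app under root that combines a
    script main executable with a missing Info.plist."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in list(dirnames):
            if not d.endswith(".app"):
                continue
            dirnames.remove(d)  # do not descend into the bundle's own contents
            bundle = os.path.join(dirpath, d)
            has_plist, exe = main_executable(bundle)
            if classify(exe) == "script" and not has_plist:
                findings.append((bundle, "script executable with no Info.plist"))
    return findings


def _write_bundle(root, name, executable, plist=None):
    """Create a minimal .app layout (constructed test data)."""
    macos = os.path.join(root, name + ".app", "Contents", "MacOS")
    os.makedirs(macos)
    with open(os.path.join(macos, name), "wb") as f:
        f.write(executable)
    if plist is not None:
        with open(os.path.join(root, name + ".app", "Contents", "Info.plist"), "wb") as f:
            plistlib.dump(plist, f)


def build_sample_tree(root):
    """Constructed samples: an ordinary Mach-O app, a legitimate script-based app
    that does have an Info.plist, and a bundle shaped like the bypass."""
    _write_bundle(root, "Ordinary", b"\xcf\xfa\xed\xfe" + b"\0" * 28,
                  {"CFBundleExecutable": "Ordinary",
                   "CFBundleIdentifier": "com.example.ordinary"})
    _write_bundle(root, "ScriptApp", b"#!/bin/sh\necho hello\n",
                  {"CFBundleExecutable": "ScriptApp",
                   "CFBundleIdentifier": "com.example.scriptapp"})
    _write_bundle(root, "SkillInstaller", b"#!/bin/sh\necho placeholder\n")
    return root


def demo():
    """Build the samples in a scratch directory and return the flagged bundle names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted(os.path.basename(b) for b, _ in find_suspicious_bundles(tmp))


if __name__ == "__main__":
    print(demo())  # ['SkillInstaller.app']
```

Point `find_suspicious_bundles` at a mounted disk image or at /Applications and review every hit by hand; a legitimate script-based app with a proper Info.plist (the ScriptApp sample) is deliberately not flagged, so this finds the specific shape the attackers used rather than every scripted app. On a real Mac you would also confirm whether the download still carries the quarantine flag with `xattr -p com.apple.quarantine <file>`.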
Normally, the first time a downloaded app is opened the user sees a Gatekeeper warning; in these cases no warning appeared, so users assumed the software was harmless.
In the Big Sur 11.3 update Apple has fixed this error, and such apps are now blocked from running. Updating is therefore highly recommended. Mojave and Catalina were also affected, and updates for those versions are available too.
This article is adapted from one that appeared on Macwelt. Translation and additional reporting by Karen Haslam.