Mishandling of Long Paths Leads to Gatekeeper Bypass in Archive Utility
Archive Utility on macOS had a bug when encountering long file paths during extraction that would result in the extracted files not receiving the com.apple.quarantine attribute that Gatekeeper looks for.
The root cause is that the iterator that applies the quarantine attribute exits early when it encounters a filename that exceeds the PATH_MAX value, and its return code is never checked. Without the attribute applied, the file avoids the usual code signing checks that would apply to quarantined files.
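To make the failure mode concrete, the following is an added Python simulation written for this note; it is not Apple's code and not from the original write-up. It assumes a PATH_MAX of 1024 (the macOS value) and stands in for the file system with an in-memory map of paths to extended attributes. The buggy tagging loop returns early at the first over-long path and its caller discards the result, so that file and every file after it stay untagged; the hardened variant attempts every path, checks the outcome, and fails closed by removing the extracted files when any could not be quarantined. An audit helper lists files that lack the attribute, which is the check a defender would run over an extraction directory.

```python
import errno

# macOS defines PATH_MAX as 1024 in <sys/syslimits.h>; assumed here for the simulation.
PATH_MAX = 1024
QUARANTINE = "com.apple.quarantine"


class SimulatedFS:
    """Stand-in for the file system: maps each extracted path to its xattr set.
    Like the real setxattr(2), it refuses paths at or beyond PATH_MAX."""

    def __init__(self, paths):
        self.xattrs = {p: set() for p in paths}

    def setxattr(self, path, name):
        if len(path) >= PATH_MAX:
            raise OSError(errno.ENAMETOOLONG, "path exceeds PATH_MAX", path)
        self.xattrs[path].add(name)

    def unlink(self, path):
        self.xattrs.pop(path, None)


class ExtractionError(Exception):
    pass


def tag_quarantine_buggy(fs, paths):
    """Models the described bug: the loop bails out at the first over-long path
    and reports failure, so nothing after that path is tagged either."""
    for p in paths:
        if len(p) >= PATH_MAX:
            return False
        fs.setxattr(p, QUARANTINE)
    return True


def extract_buggy(fs, paths):
    """The caller ignores the return value, so untagged files are left on disk."""
    tag_quarantine_buggy(fs, paths)
    return list(paths)


def tag_quarantine_fixed(fs, paths):
    """Attempts every path and collects the ones that could not be tagged."""
    failed = []
    for p in paths:
        try:
            fs.setxattr(p, QUARANTINE)
        except OSError:
            failed.append(p)
    return failed


def extract_fixed(fs, paths):
    """Fail closed: if any file could not be quarantined, remove everything
    that was extracted and abort instead of exposing unlabelled files."""
    failed = tag_quarantine_fixed(fs, paths)
    if failed:
        for p in paths:
            fs.unlink(p)
        raise ExtractionError(
            f"{len(failed)} file(s) could not be quarantined, e.g. {failed[0][:40]}..."
        )
    return list(paths)


def audit_missing_quarantine(fs):
    """Post-extraction check: which files on disk lack the quarantine attribute."""
    return sorted(p for p, attrs in fs.xattrs.items() if QUARANTINE not in attrs)


def sample_paths():
    """Constructed archive listing: a normal file, a path longer than PATH_MAX,
    and a file that follows it in iteration order."""
    long_dir = "a" * (PATH_MAX + 64)
    return [
        "Extracted/Readme.txt",
        f"Extracted/{long_dir}/payload",
        "Extracted/Notes.txt",
    ]


if __name__ == "__main__":
    paths = sample_paths()
    fs = SimulatedFS(paths)
    extract_buggy(fs, paths)
    print("buggy extractor left untagged:", [p[:30] for p in audit_missing_quarantine(fs)])
    fs = SimulatedFS(paths)
    try:
        extract_fixed(fs, paths)
    except ExtractionError as e:
        print("fixed extractor aborted:", e)
```

Running the script shows the buggy path leaving both the over-long file and the file after it untagged, while the fixed path aborts and leaves nothing behind. On a real system the same audit is a walk over the extraction directory checking each file for com.apple.quarantine; the simulation only replaces the xattr calls so it runs anywhere.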
An actual attack utilizing this trick is a bit more complicated, as the path still needs to be accessible in the Finder application so a user can be coerced into executing the no-longer-quarantined executable. To do this, the author made use of symlinks and some clever naming to make it appear like a normal application bundle.