New Gatekeeper Security Flaw Allows Malicious Apps to Run on macOS

George Herman
IT Security Expert


Gatekeeper is the macOS mechanism that enforces code-signing checks on downloaded apps. When a user launches an app that did not come from the Mac App Store (and, depending on the setting, is not signed by an identified developer), Gatekeeper steps in and blocks it from running unless the user explicitly overrides the block.

However, researcher Filippo Cavallarin reports an easy way to bypass Gatekeeper and execute untrusted code with no warning and no explicit user permission on macOS Mojave 10.14.5 and older.

Cavallarin says he reported the flaw to Apple on February 22 under a 90-day disclosure deadline, which Apple was aware of. Once that deadline passed, he made the issue public.

Since the issue was reported back in February, you would expect it to have been fixed by now. It has not. Cavallarin says the vulnerability was supposed to be fixed in macOS 10.14.5, but it wasn’t, and that since then Apple has “started dropping my emails.”

How can this flaw be exploited? Gatekeeper treats network shares and external drives as “safe locations” and therefore allows any application they contain to run.

As Cavallarin explains in his advisory: “By combining this design with two legitimate features of MacOS X, it will result in the complete deception of the intended behaviour. The first legit feature is automount (aka autofs) that allows a user to automatically mount a network share just by accessing a “special” path, in this case, any path beginning with “/net/”. The second legit feature is that zip archives can contain symbolic links pointing to an arbitrary location (including automount endpoints) and that the software on MacOS that is responsible to decompress zip files does not perform any check on the symlinks before creating them.”
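To make the archive half of this concrete, here is an added example (not code from Cavallarin’s advisory or from Apple) that inspects a zip archive for symlink entries and flags any whose target is absolute, walks upward with “..”, or points into an automount path such as /net/. It builds its own small test archive in memory; the member names and the host name fileserver.example are constructed for the demonstration.

```python
import io
import stat
import zipfile

# Unix zip writers store the file mode in the high 16 bits of external_attr;
# for a symlink entry the entry's data is the link target.
AUTOMOUNT_PREFIXES = ("/net/",)


def zip_symlinks(data: bytes):
    """Yield (member_name, link_target) for every symlink entry in the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                yield info.filename, zf.read(info).decode("utf-8", "replace")


def unsafe_symlinks(data: bytes):
    """Return (name, target, reasons) for symlinks that escape the archive.

    A symlink into /net/ is exactly the trick described above: following it
    triggers an automount of an attacker-controlled share.
    """
    findings = []
    for name, target in zip_symlinks(data):
        reasons = []
        if target.startswith("/"):
            reasons.append("absolute target")
        if any(target.startswith(p) for p in AUTOMOUNT_PREFIXES):
            reasons.append("automount endpoint")
        if ".." in target.split("/"):
            reasons.append("parent traversal")
        if reasons:
            findings.append((name, target, ", ".join(reasons)))
    return findings


def build_sample_zip(link_name: str, link_target: str) -> bytes:
    """Construct a test archive containing one regular file and one symlink.

    This is constructed test data for the detector, not a real sample.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "hello")
        info = zipfile.ZipInfo(link_name)
        info.create_system = 3  # 3 = Unix, so readers interpret external_attr as a mode
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(info, link_target)  # the link target is the entry body
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical host name; any path under /net/ would trigger automount.
    sample = build_sample_zip("evil", "/net/fileserver.example/share/evil.app")
    for name, target, why in unsafe_symlinks(sample):
        print(f"{name} -> {target}: {why}")
```

One caveat: Python’s own `ZipFile.extract()` does not create symlinks at all; it writes the link target out as an ordinary file. So this code reads the mode bits that the macOS Archive Utility honours, but it is not a model of that utility’s behaviour, and the fix the advisory is asking for is a check like this one inside the extractor itself.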

For now, there is no official fix for this issue. In his report, Cavallarin proposes this workaround:

1. Edit /etc/auto_master as root;

2. Comment out the line beginning with ‘/net’;

3. Reboot.
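The same workaround as a script, added here as an example and not part of Cavallarin’s report. It comments out only the /net map line in an auto_master-style file and leaves every other line alone, so running it twice is harmless. SAMPLE_AUTO_MASTER is a constructed stand-in modelled on the stock macOS file (treat its exact contents as an assumption); the real /etc/auto_master is only touched when the script is run as root with the --apply flag, which is this example’s own convention. It does not reboot for you; step 3 is still yours.

```python
import os
import re
import shutil
import sys
from pathlib import Path

AUTO_MASTER = Path("/etc/auto_master")
# Match an active "/net" map entry (the token, not e.g. "/Network/Servers").
NET_LINE = re.compile(r"^\s*/net(\s|$)")

# Constructed sample in the layout of a stock macOS auto_master (assumption).
SAMPLE_AUTO_MASTER = (
    "#\n"
    "# Automounter master map\n"
    "#\n"
    "+auto_master\t\t# Use directory service\n"
    "/net\t\t\t-hosts\t\t-nobrowse,hidefromfinder,nosuid\n"
    "/home\t\t\tauto_home\t-nobrowse,hidefromfinder\n"
    "/Network/Servers\t-fstab\n"
    "/-\t\t\t-static\n"
)


def net_automount_enabled(text: str) -> bool:
    """True if the map still has an uncommented /net entry."""
    return any(NET_LINE.match(line) for line in text.splitlines())


def disable_net_automount(text: str):
    """Comment out every active /net line; return (new_text, lines_changed)."""
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        if NET_LINE.match(line):
            out.append("#" + line)
            changed += 1
        else:
            out.append(line)
    return "".join(out), changed


def main(argv):
    apply = "--apply" in argv
    if apply:
        if os.geteuid() != 0:
            sys.exit("re-run as root to edit /etc/auto_master")
        text, source = AUTO_MASTER.read_text(), str(AUTO_MASTER)
    else:
        text, source = SAMPLE_AUTO_MASTER, "sample (dry run)"

    new_text, changed = disable_net_automount(text)
    if not changed:
        print(f"{source}: /net automount already disabled")
        return
    if apply:
        backup = AUTO_MASTER.with_suffix(".bak")  # /etc/auto_master.bak
        shutil.copy2(AUTO_MASTER, backup)
        AUTO_MASTER.write_text(new_text)
        print(f"backup written to {backup}")
    print(new_text, end="")
    print(f"{source}: commented out {changed} /net line(s); reboot to apply")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Keep in mind what this actually buys you: it stops paths under /net/ from automounting, which breaks the specific chain in the advisory, but it does nothing about Gatekeeper’s trust in mounted shares and external drives in general, and it will also break any legitimate use of /net automounts on that machine.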
