Gatekeeper is Apple's mechanism for enforcing code signing and verification of downloaded apps. If the user downloads an app from outside the Mac App Store and tries to run it, Gatekeeper steps in and blocks the application until the user explicitly authorizes it.
However, researcher Filippo Cavallarin says there is a way to “easily bypass Gatekeeper in order to execute untrusted code without any warning or user’s explicit permission“ on macOS Mojave 10.14.5 and older.
Cavallarin reports that he contacted the company on February 22 to notify it of the security flaw. According to Cavallarin, Apple was aware of his 90-day disclosure deadline; once it had passed, he made the issue public.
Since the issue was brought to Apple back in February, you'd think the security flaw should've been fixed by now. But no. Cavallarin claims that the vulnerability was supposed to be fixed in macOS 10.14.5, but it wasn't. He also says that since then, "Apple started dropping my emails".
How can this flaw be exploited? Gatekeeper treats network shares and external drives as "safe locations" and therefore allows any application they contain to run.
"By combining this design with two legitimate features of MacOS X, it will result in the complete deceivement of the intended behaviour. The first legit feature is automount (aka autofs) that allows a user to automatically mount a network share just by accessing a 'special' path, in this case, any path beginning with '/net/'. The second legit feature is that zip archives can contain symbolic links pointing to an arbitrary location (including automount endpoints) and that the software on MacOS that is responsible for decompressing zip files does not perform any check on the symlinks before creating them."
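The second ingredient above, a zip archive carrying a symlink whose target is an automount path, is something a defender can check for before an archive is ever extracted. The following script is an added example, not code from the original report or from Apple: it reads the Unix mode bits that zip entries store and flags any symlink pointing at the "/net/" prefix the report names, or at any absolute or parent-relative path that would escape the extraction directory. The sample archive it builds is constructed in memory, and the host name inside the link target is a placeholder.

```python
import io
import stat
import zipfile

# Path prefix that autofs resolves into a network mount on macOS (from the report).
AUTOMOUNT_PREFIXES = ("/net/",)


def symlink_members(zip_bytes):
    """Return (entry name, link target) for every symlink entry in the archive.

    A zip entry is a symlink when the Unix mode stored in the high 16 bits of
    external_attr has S_IFLNK set; the entry's data is the link target.
    """
    links = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            unix_mode = info.external_attr >> 16
            if stat.S_ISLNK(unix_mode):
                target = zf.read(info).decode("utf-8", "replace")
                links.append((info.filename, target))
    return links


def suspicious_symlinks(zip_bytes):
    """Flag symlinks that point at an automount endpoint or outside the archive root."""
    flagged = []
    for name, target in symlink_members(zip_bytes):
        if target.startswith(AUTOMOUNT_PREFIXES):
            flagged.append((name, target, "automount endpoint"))
        elif target.startswith("/") or ".." in target.split("/"):
            flagged.append((name, target, "escapes extraction directory"))
    return flagged


def build_sample_zip(link_target=None):
    """Constructed sample archive: one regular file, plus one symlink if a target is given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        if link_target is not None:
            info = zipfile.ZipInfo("link")
            info.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark the entry as a symlink
            zf.writestr(info, link_target)
    return buf.getvalue()


if __name__ == "__main__":
    # "host.example" is a constructed placeholder, not a real share
    sample = build_sample_zip("/net/host.example/share")
    for name, target, reason in suspicious_symlinks(sample):
        print(f"{name} -> {target}: {reason}")
```

Run it against a real download with `suspicious_symlinks(open(path, "rb").read())`; an empty list means the archive contains no symlink that leaves its own directory or reaches into an automount path.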
For now, there is no fix from Apple for this issue. But in his report, Cavallarin proposes this workaround:
1. Edit /etc/auto_master as root;
2. Comment out the line beginning with '/net';
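The two steps above amount to a one-line edit of the autofs master map. As an added example (not from the report or from Apple), the script below performs that edit safely: it recognizes the "/net" map line, comments it out, leaves every other line untouched, is idempotent, and writes a backup before changing a real file. The sample map is constructed here and modelled on the layout of a default macOS /etc/auto_master; the `automount -vc` reload mentioned in the comments is the standard way to make autofs re-read its maps without a reboot.

```python
import re
import shutil
import sys

# Constructed sample, modelled on the layout of a default macOS /etc/auto_master.
SAMPLE_AUTO_MASTER = """\
#
# Automounter master map
#
+auto_master\t\t# Use directory service
/net\t\t\t-hosts\t\t-nobrowse,hidefromfinder,nosuid
/home\t\t\tauto_home\t-nobrowse,hidefromfinder
/-\t\t\t-static
"""

# An active map entry: optional leading whitespace, "/net", then whitespace or end of line.
# Lines already commented with "#" do not match, so the edit is idempotent.
NET_LINE = re.compile(r"^\s*/net(\s|$)")


def net_automount_enabled(text):
    """True if the map still has an active /net entry (i.e. the workaround is not applied)."""
    return any(NET_LINE.match(line) for line in text.splitlines())


def disable_net_automount(text):
    """Return the map text with every active /net entry commented out; other lines unchanged."""
    out = []
    for line in text.splitlines(keepends=True):
        if NET_LINE.match(line):
            line = "#" + line
        out.append(line)
    return "".join(out)


def harden_file(path):
    """Apply the workaround to a real map file, keeping a .bak copy. Needs root for /etc/auto_master."""
    with open(path, "r", encoding="utf-8") as f:
        original = f.read()
    if not net_automount_enabled(original):
        return False  # nothing to do
    shutil.copyfile(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as f:
        f.write(disable_net_automount(original))
    # After writing, reload autofs so the change takes effect: sudo automount -vc
    return True


if __name__ == "__main__":
    if len(sys.argv) > 1:
        changed = harden_file(sys.argv[1])
        print("map updated" if changed else "no active /net entry found")
    else:
        print(disable_net_automount(SAMPLE_AUTO_MASTER), end="")
```

Run without arguments to see the edit applied to the sample map; run as root with `/etc/auto_master` as the argument to apply it for real, then reload autofs and confirm that `net_automount_enabled` returns False for the file.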