Mac Gatekeeper vulnerability allows installation of malware

Posted:
in macOS
A flaw with the Gatekeeper authentication feature in macOS, a tool designed to keep malware off Mac, is reportedly being exploited to deliver a malicious software package nicknamed "OSX/Linker."

macOS Gatekeeper vulnerability


The exploit, discovered by security researcher Filippo Cavallarin, relies on two basic Mac features to function: automount and Gatekeeper.

As detailed by Tom's Guide, Gatekeeper funnels files downloaded from the internet to Apple's XProtect antivirus screener, but grants files from a local storage device -- mounted via automount -- safe passage without scrutiny. Cavallarin was able to trick Gatekeeper into thinking a downloaded file originated from a local drive, bypassing the normal screening protocols.

Cavallarin reportedly contacted Apple about the issue in February, but published details on May 24 since the problem was left unfixed.

The accompanying OSX/Linker malware attempts to hijack a Mac, at which point the computer can be used for any malicious activity attackers want, from crytpo mining to data theft.

The code has been uploaded four times to VirusTotal, a repository researchers use to detect and share malware samples. That's a relatively small amount, and the malware is already being screened by Intego software and likely other antivirus tools as well.

It should therefore be relatively easy to avoid OSX/Linker, especially by following standard protocols like refusing downloads from unknown sources. It's also possible to disable automounting, though that would require users to manually connect and disconnect external drives each time they're used.



Comments

  • Reply 1 of 17
    lkrupplkrupp Posts: 10,557member
    Another report said the vehicle for this and many other malware is infected Adobe Flash updates. I get them all the time on various websites, even well known and popular ones. Sometimes they actually download themselves.

    1. Don’t EVER accept a Flash update from anywhere other than Adobe. In fact don’t use Flash unless you absolutely have to.

    2. Make sure your browser settings prohibit launching any download automatically.

    3. If it smells fishy it probably is. Don’t open it.

    But people being people... well you know.
    edited June 2019 macplusplusmacxpressRayz2016welshdogracerhomie3jony0olsAlex1N
  • Reply 2 of 17
    seanismorrisseanismorris Posts: 1,624member
    lkrupp said:
    Another report said the vehicle for this and many other malware is infected Adobe Flash updates. I get them all the time on various websites, even well known and popular ones. Sometimes they actually download themselves.

    1. Don’t EVER accept a Flash update from anywhere other than Adobe. In fact don’t use Flash unless you absolutely have to.

    2. Make sure your browser settings prohibit launching any download automatically.

    3. If it smells fishy it probably is. Don’t open it.

    But people being people... well you know.
    #1 Die! Flash Die!
    #2 MacOS needs a good antivirus program 

    Apple’s lack of transparency, lack of a bug bounty program, and (in this case) lack of bugs getting fixed in a timely manner, means additional steps are needed to protect yourself.

    MacOS provides a better user experience than Windows, but in some ways it’s inferior.  I suspect MacOS are just a lower priority vs iOS, and doesn’t get Apple’s full attention.

    I agree, common sense is a good start to security, but who isn’t void of common sense occasionally...?
    Alex1N
  • Reply 3 of 17
    macplusplusmacplusplus Posts: 2,112member
    Use an effective ad blocker and disable "Open safe files after downloading" option in Safari and note that "safe" is written in double quotation marks. Remember that there is no safe file on the Internet. 

    Ad networks distribute malware by means of several obscure redirections. Even if you don't click anything on the infected page, anything as in not only the ad but nothing on that page, the payload is sent to your computer. The display of the wrapper ad is enough to infect your computer. The payload mostly comes in one of the archive formats such as .zip, .dmg, .pkg, that list being not exhaustive. You may want to check your Downloads folder right now and move all of the said archive files to the Trash, don't even try to open any of them, you can download legitimate installers anytime from the legitimate sources.

    Download by redirection may occur on any web page, not only ads. Be careful when binge browsing expecially on questionable sites, watch what your browser does after clicking a link, does the link open a pop-up window or does it redirect to a download before opening the target page? And check your Downloads folder frequently to spot any suspicious download.
    edited June 2019 lostkiwiracerhomie3Alex1N
  • Reply 4 of 17
    lostkiwilostkiwi Posts: 639member
    Use an effective ad blocker and disable "Open safe files after downloading" option in Safari and note that "safe" is written in double quotation marks. Remember that there is no safe file on the Internet. 

    Ad networks distribute malware by means of several obscure redirections. Even if you don't click anything on the infected page, anything as in not only the ad but nothing on that page, the payload is sent to your computer. The display of the wrapper ad is enough to infect your computer. The payload mostly comes in one of the archive formats such as .zip, .dmg, .pkg, that list being not exhaustive. You may want to check your Downloads folder right now and move all of the said archive files to the Trash, don't even try to open any of them, you can download legitimate installers anytime from the legitimate sources.

    Download by redirection may occur on any web page, not only ads. Be careful when binge browsing expecially on questionable sites, watch what your browser does after clicking a link, does the link open a pop-up window or does it redirect to a download before opening the target page? And check your Downloads folder frequently to spot any suspicious download.
    Some great advice here. So many people don’t use a good content blocker. It is very important these days. 
  • Reply 5 of 17
    9secondkox29secondkox2 Posts: 2,666member
    Some of these vulnerabilities are just stupid. 

    As in easy to have secured them 

    begs the the question about backdoors. Rather than build one outright, just leave a quiet vulnerability. 

    This is one in particular is ridiculous. 
    macplusplusAlex1N
  • Reply 6 of 17
    mojo66mojo66 Posts: 20member
    Some of these vulnerabilities are just stupid. 

    As in easy to have secured them 

    begs the the question about backdoors. Rather than build one outright, just leave a quiet vulnerability. 

    This is one in particular is ridiculous. 
    I agree. This "exploit" doesn't exploit any vulnerabilty because it just sym links a trusted source (the local disk drive) to a trusted destination (an NFS share). It is not Gatekeepere's responsibilty to verify that locally mounted NFS share can be trusted. If you don't trust your LAN then don't access it.

    This is just clickbait and everybody and their dog jumps on it because it has "Apple" and "vulnerabilty" in the headline.

    I had expected a bit more research from AI
     before publishing on such a delicate topic. 
    edited June 2019 macplusplusFileMakerFeller
  • Reply 7 of 17
    neilmneilm Posts: 985member
    lkrupp said:
    Another report said the vehicle for this and many other malware is infected Adobe Flash updates. I get them all the time on various websites, even well known and popular ones. Sometimes they actually download themselves.

    1. Don’t EVER accept a Flash update from anywhere other than Adobe. In fact don’t use Flash unless you absolutely have to.
    2. Make sure your browser settings prohibit launching any download automatically.
    3. If it smells fishy it probably is. Don’t open it.
    But people being people... well you know.
    I don't allow Flash to be installed on our office Macs. Wish there were some practical way to auto-prevent that, but instead it's hunt-and-kill by me.

    In the very few cases of people genuinely needing to use the Flash flash player (legacy web sites, etc.), people should use Chrome. It has Flash baked in and uses its own update mechanism, avoiding the whole fake Flash installer issue.

    But yeah, people being people...
    Alex1N
  • Reply 8 of 17
    davgregdavgreg Posts: 1,036member
    “Cavallarin reportedly contacted Apple about the issue in February, but published details on May 24 since the problem was left unfixed.“

    I guess they were too busy updating the Animoji to be bothered with something minor like online security of the OS.
    Alex1N
  • Reply 9 of 17
    davgregdavgreg Posts: 1,036member

    lkrupp said:
    Another report said the vehicle for this and many other malware is infected Adobe Flash updates. I get them all the time on various websites, even well known and popular ones. Sometimes they actually download themselves.

    1. Don’t EVER accept a Flash update from anywhere other than Adobe. In fact don’t use Flash unless you absolutely have to.

    True. 
    But in 2019, I cannot imagine who needs Flash. I do not have it installed and have not seen media requiring Flash anywhere for a very long time.
    Alex1N
  • Reply 10 of 17
    mojo66mojo66 Posts: 20member
    davgreg said:
    “Cavallarin reportedly contacted Apple about the issue in February, but published details on May 24 since the problem was left unfixed.“

    I guess they were too busy updating the Animoji to be bothered with something minor like online security of the OS.
    This is not about online security, this isn't even a threat.
  • Reply 11 of 17
    StrangeDaysStrangeDays Posts: 12,844member
    lkrupp said:
    Another report said the vehicle for this and many other malware is infected Adobe Flash updates. I get them all the time on various websites, even well known and popular ones. Sometimes they actually download themselves.

    1. Don’t EVER accept a Flash update from anywhere other than Adobe. In fact don’t use Flash unless you absolutely have to.

    2. Make sure your browser settings prohibit launching any download automatically.

    3. If it smells fishy it probably is. Don’t open it.

    But people being people... well you know.
    #1 Die! Flash Die!
    #2 MacOS needs a good antivirus program 
    Why does Mac need a good antivirus program? What viruses? Malware isn’t a virus. Viruses replicate and infect, and I haven’t heard of any significant viruses since OS X and the solid UNIX user security model. 
    FileMakerFellerAlex1N
  • Reply 12 of 17
    IreneWIreneW Posts: 303member
    mojo66 said:
    Some of these vulnerabilities are just stupid. 

    As in easy to have secured them 

    begs the the question about backdoors. Rather than build one outright, just leave a quiet vulnerability. 

    This is one in particular is ridiculous. 
    I agree. This "exploit" doesn't exploit any vulnerabilty because it just sym links a trusted source (the local disk drive) to a trusted destination (an NFS share). It is not Gatekeepere's responsibilty to verify that locally mounted NFS share can be trusted. If you don't trust your LAN then don't access it.
     
    Does the issue report say the NFS has to be on the LAN?
  • Reply 13 of 17
    mojo66mojo66 Posts: 20member
    IreneW said:
    mojo66 said:
    Some of these vulnerabilities are just stupid. 

    As in easy to have secured them 

    begs the the question about backdoors. Rather than build one outright, just leave a quiet vulnerability. 

    This is one in particular is ridiculous. 
    I agree. This "exploit" doesn't exploit any vulnerabilty because it just sym links a trusted source (the local disk drive) to a trusted destination (an NFS share). It is not Gatekeepere's responsibilty to verify that locally mounted NFS share can be trusted. If you don't trust your LAN then don't access it.
     
    Does the issue report say the NFS has to be on the LAN?
    Since when can NFS be routed? It is always local.
  • Reply 14 of 17
    coolfactorcoolfactor Posts: 2,239member
    lkrupp said:
    Why does Mac need a good antivirus program? What viruses? Malware isn’t a virus. Viruses replicate and infect, and I haven’t heard of any significant viruses since OS X and the solid UNIX user security model. 

    Malware is a general term for all types of harmful or deceptive and unruly software. 

    Malign
    Malignent
  • Reply 15 of 17
    axcess99axcess99 Posts: 47member
    1) disable "open 'safe' files"
    2) enable "show all file extensions" for finder
    3) notice his PDF.app file doesn't have the folder twister like the parent folder he just opened (granted this is subtle)

    Can someone explain:
     He says PDF is an app with a folder icon, why when he opens it does it update finder view to a list of Document.pdf files?
     Why does opening document.pdf open a terminal inside what appears to be a xubuntu VM? That seems needlessly indirect vs just having it pop open textedit or something... on the mac itself.
    edited June 2019
  • Reply 16 of 17
    mojo66mojo66 Posts: 20member
    Apparently

    1) most of the paranoids here don't read what other people write
    2) you all use untrusted NFS mounts 

    This is the only explanation why people are still posting tips about dealing with this overblown non-existant "exploit".

    99.99% of all Mac users don't use an NFS share and if they do, they trust them in 99.99% of all cases. So why are you guys still discussing this click bait crap???
  • Reply 17 of 17
    mojo66 said:
    IreneW said:
    Does the issue report say the NFS has to be on the LAN?
    Since when can NFS be routed? It is always local.

    I'm pretty sure NFS has been routable since forever? It certainly was back in the mid 90s. 
Sign In or Register to comment.