Security consultant Filippo Cavallarin says that a bug in the design of macOS makes it "possible to bypass gatekeeper", Apple's system to prevent users from running potentially harmful apps. He reported the error to Apple on February 22, 201
"This issue was to be addressed, according to the vendor, May 15, 2019," writes Cavallarin on his website "but Apple started dropping my emails. Since Apple is aware of my 90-day release deadline, I publish this information . "
Usually, if a user downloads an app from a location other than the Mac App Store, the Gatekeeper will check that it has been coded by Apple and is therefore from a legitimate source. If not, the program does not start and the user is told. The user can then force it to start, but it is a positive choice and takes some effort, it cannot be done accidentally or ignorantly.
According to Cavallarin, however, this can all be bypassed. "As per design, Gatekeeper considers both external drives and network shares as safe locations," he says, "and it allows any program they contain to run."
The idea is that once you've downloaded it and made your choice to start the app, the Gatekeeper doesn't keep the control every time you want to open it.
However, you may be tricked or maneuvered to mount a non-yours network share, and the appropriate folder may contain everything, including zip files with another part of the vulnerability.
"Zip archives may contain symbolic links pointing to an arbitrary location (including automount endpoints)," continues Cavallarin, "and that the software on MacOS responsible for decompressing zip files does not [es] control the symlinks before you make them. "
If the user assembles this network, he therefore shares a file and clicks the link, they open their Macs to problems. "Now the victim is in a place controlled by the attacker, but trusted by the Gatekeeper, so any attacker-driven driver can run without warning," Cavallarin concludes. "The way the Finder is designed … makes this technique very efficient and difficult to spot."
Filippo Cavallarin describes himself as a "cyber security expert and software engineer", and works for Segment Srl, in Venice, Italy.
Apple has not commented.