A new vulnerability, highlighted in a blog post by security researcher Filippo Cavallarin and still present in the latest version of macOS, 10.14.5, allows a user to completely bypass the macOS Gatekeeper security feature.
For those unfamiliar with it, macOS Gatekeeper verifies programs downloaded from the Mac App Store immediately after they are downloaded and prevents them from running without user consent. If the code is not signed, the app will not open unless the user gives explicit permission. According to Cavallarin, however, this protection can easily be circumvented.
The researcher explains that Gatekeeper treats both external drives and network shares as "safe locations", which means that any application in these locations can be run without its code being checked again:
To better understand how this exploitation works, consider the following scenario: an attacker crafts a zip file containing a symbolic link to an automount endpoint that he or she controls (e.g. Documents -> /net/evil.com/Documents) and sends it to the victim.
The victim downloads the malicious archive, extracts it and follows the symlink.
The victim is now in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can run without a warning. The way Finder is designed (it hides .app extensions and hides the full path from the title bar) makes this technique very effective and hard to spot.
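A defender-side check for this trick, added here as an example that is not from the article or the researcher: it scans a zip archive for symlink entries whose target points into a macOS automount path. The /net/ and /home/ prefixes are assumed from the default /etc/auto_master; the sample archive is constructed in the code itself.

```python
"""Added example (not from the article): flag zip archives that carry a Unix
symlink entry pointing at a macOS automount root such as /net/<host>/...,
the ingredient of the Gatekeeper bypass described above."""
import io
import posixpath
import stat
import zipfile

# Assumed from the default macOS /etc/auto_master: /net -hosts and /home auto_home.
AUTOMOUNT_PREFIXES = ("/net/", "/home/")


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """True if the entry was stored as a Unix symbolic link.
    The Unix mode lives in the high 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def find_automount_symlinks(data: bytes) -> list:
    """Return (entry_name, target) pairs for symlinks into automount roots."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_symlink(info):
                continue
            # For a symlink entry the stored file body is the link target path.
            target = zf.read(info).decode("utf-8", errors="replace")
            # Normalise so "/net/x/../x/Documents" still matches.
            if posixpath.normpath(target).startswith(AUTOMOUNT_PREFIXES):
                findings.append((info.filename, target))
    return findings


def build_sample_zip(link_name: str, target: str) -> bytes:
    """Constructed test data: one regular file plus one symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "constructed regular file")
        info = zipfile.ZipInfo(link_name)
        info.create_system = 3  # Unix, so external_attr carries the mode bits
        info.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(info, target)  # body of a symlink entry is its target
    return buf.getvalue()


if __name__ == "__main__":
    # Mirrors the article's "Documents -> /net/evil.com/Documents" scenario.
    sample = build_sample_zip("Documents", "/net/evil.com/Documents")
    for name, target in find_automount_symlinks(sample):
        print(f"suspicious symlink: {name} -> {target}")
```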
Although Cavallarin reported this flaw to Apple on February 22, the company has not yet addressed the problem. He therefore made the details public today, after the 90-day window he gave Apple had passed.