OSX/Linker Malware Exploits macOS GateKeeper


Security researchers have discovered a piece of Mac malware called OSX/Linker that can exploit a zero day vulnerability in macOS GateKeeper.

OSX/Linker

On May 24, security researcher Filippo Cavallarin publicly disclosed a vulnerability in macOS GateKeeper. He had contacted Apple about it and was told it would be fixed within 90 days, but the company missed the deadline and stopped corresponding. Mr. Cavallarin found that macOS treats apps loaded from a shared network resource differently from apps downloaded via the internet.

By creating a symbolic link (or “symlink”—similar to an alias) to an app hosted on an attacker-controlled Network File System (NFS) server, and then creating a .zip archive containing that symlink and getting a victim to download it, the app would not be checked by Apple’s rudimentary XProtect bad-download blocker.

The simpler explanation: This trick makes it easier for malware to infect a Mac—even if Apple has a built-in signature that’s supposed to protect your Mac from that malware.
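The trick described above hinges on an archive that carries a symbolic link rather than the app itself. One defensive check a practitioner can run on a downloaded archive before opening it is to list its symlink entries and flag any whose target resolves to a network automount location. The script below is an added example, not code from the article or from Intego; it builds a constructed sample archive in memory (the host name `example.invalid` and the path prefixes it treats as "network" are assumptions for the example) and scans it with the standard `zipfile` module, which stores a symlink's target as the entry's data and its file type in the high bits of `external_attr`.

```python
import io
import stat
import zipfile

# Path prefixes that, on macOS, resolve to automounted or network-mounted
# locations. Assumption for this example: /net is the NFS automounter mount
# point from /etc/auto_master, and /Volumes is where mounted shares appear.
NETWORK_PREFIXES = ("/net/", "/Volumes/", "//", "smb://", "nfs://", "afp://")


def is_symlink_entry(info):
    """A zip entry is a symlink when the Unix mode kept in the high 16 bits
    of external_attr carries the S_IFLNK file type."""
    mode = info.external_attr >> 16
    return stat.S_ISLNK(mode)


def find_network_symlinks(zip_bytes):
    """Return (entry_name, link_target) for every symlink in the archive
    whose target points at a network location. For a symlink entry the
    stored data is the target path itself."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_symlink_entry(info):
                continue
            target = zf.read(info).decode("utf-8", errors="replace")
            if target.startswith(NETWORK_PREFIXES):
                findings.append((info.filename, target))
    return findings


def build_sample_archive():
    """Construct a sample archive in memory (constructed for this example, not
    a real sample): one ordinary file, one benign relative symlink, and one
    symlink whose target lives under the /net automount point."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "plain file, nothing to flag")

        benign = zipfile.ZipInfo("docs/latest")
        benign.create_system = 3  # 3 = Unix, so external_attr is honoured
        benign.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(benign, "readme.txt")  # relative target, stays local

        suspect = zipfile.ZipInfo("Installer.app")
        suspect.create_system = 3
        suspect.external_attr = (stat.S_IFLNK | 0o777) << 16
        # Placeholder host; the target path is what the scanner inspects.
        zf.writestr(suspect, "/net/example.invalid/share/Installer.app")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in find_network_symlinks(build_sample_archive()):
        print(f"network symlink: {name} -> {target}")
```

Because the scan reads only the central directory and the symlink entries' data, nothing is extracted to disk and no link is followed; a real archive can be passed in as the `zip_bytes` argument.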

He posted a YouTube video demonstrating the GateKeeper bypass:

The team at Intego found the first known attempts to use this vulnerability. Four samples of malware were uploaded to VirusTotal. The first one came from an Israeli IP address, and the rest came from an IP in the United States.

Intego’s blog post has more detail, but right now there isn’t an easy solution unless Apple either patches the vulnerability or you can find antivirus that can detect OSX/Linker.

archimedes (Member)

Probably you’re fine disabling automounting of /net by default via /etc/auto_master.
That setting is somewhat of an anachronism, mainly useful if you regularly connect to NFS shares from the Finder.
I wonder if the same issue affects other network shares such as smb, ftp, webdav, afp, etc.
If I recall correctly there was a similar issue with disk image mounts, where gatekeeper would approve something but then you could maliciously change the image behind its back.

1252 (Member)

90 days is enough; unfortunately, at Apple the right hand has no idea what the left is doing.

Lee Dronick (Member)

Filippo Cavallarin publicly disclosed a vulnerability in macOS GateKeeper… right now there isn’t an easy solution unless Apple either patches the vulnerability or you can find antivirus that can detect OSX/Linker.

Then he should have acted like an adult and kept it quiet. It might not be, and probably isn’t, a simple fix.

archimedes (Member)

Simple fix is probably to remove or comment out /net in /etc/auto_master.
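The mitigation proposed in the comment above is to remove or comment out the `/net` entry in `/etc/auto_master`, which stops macOS from automounting NFS hosts under `/net`. The script below is an added example, not code from the article or the commenter; it parses a constructed copy of a default macOS `/etc/auto_master` (the sample text is the example's own), reports whether the `/net -hosts` automount is active, and produces the hardened map with that line commented out. It covers only the NFS automount path; the commenter's question about smb, afp and other share types is not answered by this change.

```python
# Constructed sample of a macOS /etc/auto_master with the default /net entry.
# The automounter map format is: mount-point  map-name  [options], with '#'
# starting a comment and '+name' pulling in a map from directory services.
SAMPLE_AUTO_MASTER = """\
#
# Automounter master map
#
+auto_master\t\t# Use directory service
/net\t\t\t-hosts\t\t-nobrowse,hidefromfinder,nosuid
/home\t\t\tauto_home\t-nobrowse,hidefromfinder
/Network/Servers\t-fstab
/-\t\t\t-static
"""


def parse_auto_master(text):
    """Return (mount_point, map_name, options) for every active entry,
    skipping blank lines, comments and '+' include directives."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("+"):
            continue
        fields = line.split()
        mount_point = fields[0]
        map_name = fields[1] if len(fields) > 1 else ""
        options = fields[2] if len(fields) > 2 else ""
        entries.append((mount_point, map_name, options))
    return entries


def net_automount_active(text):
    """True when /net is mapped to the special -hosts map, i.e. any NFS
    server a path names under /net/<host>/ would be mounted on access."""
    return any(mp == "/net" and mn == "-hosts"
               for mp, mn, _ in parse_auto_master(text))


def disable_net_automount(text):
    """Return the map with every active /net line commented out; all other
    lines are preserved byte for byte."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if fields and fields[0] == "/net" and not raw.lstrip().startswith("#"):
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("/net automount active:", net_automount_active(SAMPLE_AUTO_MASTER))
    hardened = disable_net_automount(SAMPLE_AUTO_MASTER)
    print("after hardening:", net_automount_active(hardened))
```

On a live system the same edit is made to `/etc/auto_master` as root and the automounter is reloaded (macOS's `automount -vc`); the parser above lets the before and after state be checked without touching the file.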

archimedes (Member)

Regarding disclosure, you might want to consider Bruce Schneier’s argument:

1. Full disclosure after a reasonable time limit is necessary leverage to force companies to patch their software in a timely manner.

2. The bad guys already know about this vulnerability, so it makes no sense to keep users in the dark.

https://www.schneier.com/essays/archives/2007/01/schneier_full_disclo.html

Lee Dronick (Member)

I would say that a reasonable amount of time is more than 90 days. Does anyone really think that Apple doesn’t want to fix this situation as soon as possible?