ON FEBRUARY 22, cybersecurity researcher Filippo Cavallarin told Apple that he had found a bug in macOS. Left unchecked, the vulnerability could let malware slip past the operating system’s Gatekeeper security feature undetected. According to Cavallarin, Apple said it would fix the problem by mid-May. When the company still hadn’t done so by the time a standard 90-day disclosure deadline had passed, Cavallarin went public, publishing a full description and proof-of-concept code on May 24. And now, hackers have clearly taken notice.
As ZDNet first reported, cybersecurity firm Intego recently spotted malware authors testing out what the researchers call OSX/Linker, which uses a variation on Cavallarin’s proof-of-concept to sneak malicious code past Gatekeeper’s defenses. While it looks like this specific attempt hasn’t yet been used in the wild, its existence points to a looming threat to Mac owners—and Apple’s apparent reluctance to fix it.
Apple first introduced Gatekeeper in 2012, as part of OS X Mountain Lion. It works by scanning apps that you download from outside of Apple’s Mac App Store to check if they’ve been “code-signed,” a process that verifies whether software comes from the developer it claims to, and that it hasn’t been tampered with. Gatekeeper also maintains a blacklist of known malware, to flag problematic downloads before you open them.
What Cavallarin realized, and what hackers have since glommed on to, is that Gatekeeper doesn’t treat all files equally. Specifically, it considers applications coming from external drives, or shared over a network, as safe. So if you can trick someone into opening a .zip file that contains a so-called symbolic link to a Network File System server you control, you can place whatever malware you want on the victim’s system without Gatekeeper batting an eye. It’s a little bit like getting past the bouncer because you’re dressed in the uniform of the catering company.
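Because the bypass described above hinges on an archive carrying a symbolic link that resolves to a network share, one defensive check is to inspect downloaded archives for symlink entries before they are opened. The following script is an added example, not code from the article, from Cavallarin, or from Intego; it builds a small constructed sample archive in memory and flags any symlink whose target lands under a network automount prefix. The prefix list is an assumption for this example (/net is the standard macOS autofs -hosts mount point; /Network is the other network-facing tree).

```python
import io
import stat
import zipfile

# Assumed watchlist: path prefixes that macOS mounts from the network on demand.
# Adjust to the automounter maps in use on the hosts you protect.
NETWORK_MOUNT_PREFIXES = ("/net/", "/Network/")


def archive_symlinks(zip_bytes):
    """Return (entry_name, link_target) for every symlink stored in the archive.

    Zip stores Unix mode bits in the high 16 bits of external_attr; a symlink
    entry's data is the link target itself rather than file contents.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", "replace")
                found.append((info.filename, target))
    return found


def suspicious_symlinks(zip_bytes, prefixes=NETWORK_MOUNT_PREFIXES):
    """Return the symlinks whose target points into a network automount path.

    A relative link that stays inside the archive is normal packaging; an
    absolute link into /net or /Network is the shape the article describes.
    """
    return [(name, target) for name, target in archive_symlinks(zip_bytes)
            if target.startswith(prefixes)]


def build_sample_zip():
    """Constructed sample archive: one plain file, one benign relative symlink,
    and one symlink whose target is a placeholder network automount path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        links = (
            ("docs", "readme.txt"),                                   # benign
            ("Installer.app", "/net/example.invalid/share/Payload.app"),  # flagged
        )
        for name, target in links:
            info = zipfile.ZipInfo(name)
            info.create_system = 3                       # Unix, so mode bits apply
            info.external_attr = (stat.S_IFLNK | 0o755) << 16
            zf.writestr(info, target)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, target in suspicious_symlinks(sample):
        print(f"SUSPICIOUS symlink {name!r} -> {target!r}")
```

The same two-step pattern (enumerate symlink entries, then classify their targets) works for a download proxy or mail gateway; the interesting signal is any absolute target outside the archive, with network automount prefixes as the highest-priority case.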
If that still sounds like a technical jumble, here’s a video Cavallarin made that shows how it unfolds in practice.
Rather than a .zip file, Intego spotted malware authors tinkering with a bogus Adobe Flash installer designed to link back to an application on an NFS. It appeared to be a trial run; Malwarebytes threat researcher Adam Thomas later deduced that the NFS in this case contained only a placeholder application rather than actual malware. But in an active campaign, when a victim opened the disk image to update Flash, they’d instead install a malicious app from some far-flung, hacker-controlled server.
The proof of concept Intego found appears to come from the same group behind an adware family called OSX/Surfbuyer—not all that alarming in and of itself. But the underlying vulnerability could lead to all manner of much worse mischief. “Basically any application could be used instead of adware. You could just as easily have a server that is hosting some really nasty spyware, a backdoor,” says Intego chief security analyst Joshua Long. “It’s certainly not outside the realm of possibility for any other threat actor, or advanced persistent threat, to also use the same technique to get malware installed on somebody’s computer.”
Not only that, the nature of the vulnerability means that the same imposter disk image could lead to a variety of malware day to day, depending on what the hackers place on their server. “You can use it to infect anybody with anything,” says Long.
And until Apple decides to patch it, hackers will likely try to do just that. “If one bad actor has been caught red-handed experimenting with this,” says Thomas Reed, director of Mac research at Malwarebytes, “you can bet there are others who haven’t been caught.”
The issue of vulnerability disclosure can be fraught. On the one hand, companies need time to fix the problems that researchers find. But they also shouldn’t drag their heels. And so the industry has coalesced around a 90-day window as a reasonable amount of time to set the clock.
It’s not a perfect system, and it’s created plenty of tensions, particularly between Google’s bug-hunting Project Zero team and Microsoft, a frequent target of its disclosures. But with the very occasional exception, Apple has historically hit its deadlines. Which is what makes the case of this Gatekeeper bug so curious.
“I don’t think this happens very often with Apple,” says Long. Apple did not respond to a request for comment.
By not acting, Apple leaves every Mac potentially vulnerable, especially now that hackers have had time to tease out the bug’s practical applications. That doesn’t mean you should panic; again, no one has spotted any active exploits yet, and even if Gatekeeper misses a sneaky malware install, a decent antivirus program would likely still catch it. But the longer the blueprints are out there, the more likely attackers are to follow them. That it works for pretty much any type of attack makes it all the more potentially appealing. “It could certainly be used against anybody and everybody,” says Long.
It’s also unclear if Apple has plans to implement a fix any time soon. It didn’t include one in its latest macOS update, which it pushed in mid-May. “The most concerning part of this is that macOS 10.14.5 is still fully vulnerable to this bug,” says Reed. “This means that it’s entirely possible to use a network share to install malware without the user even knowing it happened. That’s highly concerning.”
To take extra precautions, you can lean on antivirus, although that introduces its own complications. Cavallarin also recommends more advanced maneuvering to prevent your system from automatically mounting a network share.
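The "more advanced maneuvering" above refers to stopping macOS from mounting network shares automatically. One way to do that, assumed here rather than stated by the article, is to comment out the -hosts map (the /net line) in the automounter master map, /etc/auto_master. The helper below is an added example, not Cavallarin's own instructions; it operates on a constructed copy of the stock map so it can be exercised without touching a real system.

```python
# Constructed sample resembling the stock macOS automounter map (/etc/auto_master).
# The /net line is the -hosts map that mounts remote NFS exports on first access.
SAMPLE_AUTO_MASTER = """\
#
# Automounter master map
#
+auto_master\t\t# Use directory service
/net\t\t\t-hosts\t\t-nobrowse,hidefromfinder,nosuid
/home\t\t\tauto_home\t-nobrowse,hidefromfinder
/Network/Servers\t-fstab
/-\t\t\t-static
"""


def _is_active_hosts_entry(line):
    """True for an uncommented map line whose map name is -hosts."""
    stripped = line.lstrip()
    if not stripped or stripped.startswith("#"):
        return False
    return "-hosts" in stripped.split()


def disable_hosts_automount(map_text):
    """Return the map text with every active -hosts entry commented out.

    Blank lines, comments and all other maps are left exactly as they were,
    so the result can be written back in place of the original file.
    """
    out = []
    for line in map_text.splitlines():
        out.append("#" + line if _is_active_hosts_entry(line) else line)
    return "\n".join(out) + "\n"


def hosts_automount_active(map_text):
    """True if any uncommented line in the map still uses the -hosts map."""
    return any(_is_active_hosts_entry(line) for line in map_text.splitlines())


if __name__ == "__main__":
    hardened = disable_hosts_automount(SAMPLE_AUTO_MASTER)
    print(hardened, end="")
    print("hosts automount active:", hosts_automount_active(hardened))
```

Applying this to a real host means editing /etc/auto_master as root and then reloading the automounter (`sudo automount -vc`) or rebooting. The trade-off is that legitimate access to NFS exports through /net stops working too, which is why the article frames it as an advanced option rather than a default.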
Most of all, though, hope that a patch comes soon. Until it does, Macs are all a little bit less safe—and more so by the day.