Security researcher exposes macOS malware vulnerability

Security researcher Filippo Cavallarin has worked out a way for malware makers to bypass the macOS Gatekeeper protections and run malicious code. The bypass remained unaddressed by Apple as of last week’s macOS 10.14.5 release.

Gatekeeper is a macOS security tool that verifies applications immediately after they are downloaded, which prevents them from being run without user consent. When a user downloads an app from outside the Mac App Store, Gatekeeper checks that the code has been signed by Apple. If the code has not been signed, the app won’t open unless the user gives direct permission.

Cavallarin writes up the security hole on his blog and explains how it gets around Gatekeeper – the feature that prompts users to confirm they want to install applications from outside the Mac App Store.

Gatekeeper considers network shares to be ‘safe’ locations that don’t require permission checks, so an intruder only has to trick the user into mounting one of those shares to run whatever apps they like.

Cavallarin said he notified Apple of the vulnerability on February 22nd, and that it was supposed to have been resolved in macOS 10.14.5. He said it wasn’t, though, and that Apple had stopped responding to his emails. He published the flaw after giving Apple 90 days to address the issue.