Posted on May 27, 2019 at 8:12 AM
Opening apps on macOS puts users at risk. Security consultant Filippo Cavallarin has publicly reported that a flaw in macOS makes it possible to easily bypass Gatekeeper, Apple’s security system. The system is intended to prevent users from running potentially malicious apps. Cavallarin stated that Apple was made aware of the vulnerability on February 22, 2019. Cavallarin says that Apple knew about his 90-day disclosure deadline, and he is now coming forward with full disclosure.
Cavallarin used his website to disclose Apple’s failure. He also posted there that Apple was supposed to address the issue by May 15th. According to Cavallarin, Apple then stopped responding to his emails. The latest macOS version, 10.14.5 (Mojave), still contains the vulnerability. It is a serious threat to users that must be resolved immediately, and the public had to be made aware.
Filippo Cavallarin is a cybersecurity expert and software engineer who works for Segment Srl, in Italy. He has spoken about security issues at TEDx Treviso.
On his website, Cavallarin describes the issue in detail and his attempts to warn Apple of the hole in Gatekeeper.
How it works
Created in 2012, Gatekeeper is the Apple tool that verifies downloaded applications and enforces code signing. If a user downloads an app from outside the Mac App Store, Gatekeeper is supposed to prevent it from running without the user’s consent.
According to Cavallarin, Gatekeeper generally verifies whether apps are code-signed by Apple. However, users can force-launch apps if they choose to, which is easy to do and can even happen by accident. Not all users are aware of the dangers of this action.
Gatekeeper is also designed to treat external drives and network shares as safe locations. Any application in these ‘safe zones’ is allowed to run. Once a user has downloaded an app and decided to launch it, Gatekeeper does not check it again every time it is opened. Users can also be tricked into mounting a network share that they did not create. The share could contain anything, including zip files that carry other parts of the vulnerability.
If the user mounts a network share, unzips a file, and clicks the link, the victim ends up in a location controlled by the attacker. That location, however, is also trusted by Gatekeeper, so any executable file under the attacker’s control can then be run without warning.
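As an added illustration of the kind of check a defender might run before opening a downloaded archive (this is example code written for this article, not part of Cavallarin’s write-up or any Apple tool), the script below builds a small constructed zip archive in memory and flags symbolic-link entries whose targets are absolute paths or climb out of the extraction directory. A link that resolves outside the extracted folder is the property that lets an archive steer a user into a location its author controls rather than the folder the user believes they are in. All entry names and the /Volumes/example-share path are constructed placeholders.

```python
import io
import stat
import zipfile
from typing import List, Tuple


def build_sample_archive() -> bytes:
    """Build a constructed sample archive in memory (not a real sample).

    It holds one ordinary text file, one symlink that stays inside the
    archive, and one symlink whose target is an absolute path on a mounted
    volume (a placeholder path, not one taken from any real incident).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "harmless text file\n")

        # Unix zip tools keep the file mode in the high 16 bits of external_attr;
        # setting S_IFLNK there marks the entry as a symbolic link.
        inside = zipfile.ZipInfo("notes")
        inside.external_attr = (stat.S_IFLNK | 0o755) << 16
        zf.writestr(inside, "README.txt")            # relative, stays in folder

        outside = zipfile.ZipInfo("Documents")
        outside.external_attr = (stat.S_IFLNK | 0o755) << 16
        zf.writestr(outside, "/Volumes/example-share/Documents")  # placeholder
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """True when the entry's stored Unix mode says it is a symbolic link."""
    return stat.S_ISLNK(info.external_attr >> 16)


def find_escaping_symlinks(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, link target) for each symlink entry whose target is
    absolute or uses '..' to climb out of the extraction directory."""
    flagged: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_symlink(info):
                continue
            # For a symlink entry the archive stores the link target as its data.
            target = zf.read(info).decode("utf-8", errors="replace")
            if target.startswith("/") or ".." in target.split("/"):
                flagged.append((info.filename, target))
    return flagged


def archive_is_safe_to_open(data: bytes) -> bool:
    """Simple verdict: no symlink in the archive points outside it."""
    return not find_escaping_symlinks(data)


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, target in find_escaping_symlinks(sample):
        print(f"WARNING: symlink '{name}' -> '{target}' points outside the archive")
    print("safe to open" if archive_is_safe_to_open(sample) else "do not open")
```

To run it against a real download, pass the archive bytes instead of the constructed sample, for example `find_escaping_symlinks(open("download.zip", "rb").read())`. The check deliberately stays conservative: any absolute target is flagged, whether it points at a mounted volume or elsewhere, because there is no legitimate reason for an archive meant for a user’s Downloads folder to link outside itself.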
Whatever OS people are using, all incoming files should be treated with suspicion. This especially applies to those that are able to run code on your computer. A rapid rise in cybercrime worldwide necessitates using extreme caution in all areas of technology.
As Apple has yet to comment, Cavallarin’s explanation of how the vulnerability works cannot be completely confirmed. Until company representatives respond to these allegations, there is no way to predict when, or if, the issue will be amended.
The fact is, the problem is real (and seriously so), and Apple was made aware of it over three months ago. Apple has also knowingly refused to patch the vulnerability. The next few weeks will reveal Apple’s intentions, as well as whether its silence will impact customer trust.