Posted on June 27, 2019 at 1:44 PM
Unlike Android, Apple's software has generally been considered far more secure, with fewer security issues, flaws, and vulnerabilities. While that held true for a long time, things began to shift in recent years as attackers turned their attention to iOS and macOS. As a result, flaws in these systems have started to surface, and one major vulnerability was reported to Apple earlier this year, on February 22nd.
The flaw was discovered by cybersecurity researcher Filippo Cavallarin, who reported that, if left unaddressed, the vulnerability could allow malware to slip past the Gatekeeper security feature and, once on the device, likely remain undetected.
Cavallarin stated that Apple acknowledged his discovery and said it would fix the issue by mid-May. However, no fix arrived, and once the 90-day disclosure deadline had run out, Cavallarin decided to go public. On May 24th, he published a full description of his findings along with proof-of-concept code. More than a month has passed since then, and Apple still appears not to have patched the flaw. Yet while the company ignores it, the hackers do not, and many have apparently taken notice.
The way around the Gatekeeper
Cybersecurity firms such as Intego have already reported seeing malware creators test new creations built on the flaw. According to the researchers, the samples, tracked as OSX/Linker, use the published proof-of-concept to infect macOS. The new threat appears to still be in its testing phase and has yet to be used in the wild, but the very fact that it exists means Mac users may soon face a serious problem. Meanwhile, Apple has still done nothing to fix the issue.
Gatekeeper was originally introduced in 2012 as part of OS X Mountain Lion. Ever since, it has been part of the Mac security model: it scans downloaded apps and checks whether they are code-signed, in other words whether the software was published by a verified developer and has not been altered since. It also carries a database of known malware so that it can recognize and report any that tries to get onto the device.
The problem is that Gatekeeper does not treat all files equally. Apps that come from external drives or network shares, for example, are considered safe and are not checked. According to Cavallarin, if someone were to trick a Mac user into opening a .zip file containing a symbolic link to a Network File System (NFS) server the attacker controls, the attacker could infect the Mac with any malware they wanted, with Gatekeeper never inspecting the files.
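One defensive check that follows from the above, written as an added example for this post (it is not Cavallarin's proof-of-concept and not code from Intego or Apple): a Python scanner that flags symbolic-link entries in a downloaded .zip whose targets point outside the archive or under /net and /Network, the paths where macOS automounts NFS shares. That automount location is an assumption not stated in the post, and the sample archive with its placeholder hostname is constructed here for the demonstration.

```python
import io
import stat
import zipfile

# macOS automounts remote NFS shares under /net (autofs) and keeps a legacy
# /Network tree; both are assumptions here, not stated in the post. A symlink in a
# downloaded archive that resolves there points at content Gatekeeper will not vet.
NETWORK_MOUNT_PREFIXES = ("/net/", "/Network/")

def zip_symlinks(data: bytes):
    """Yield (member_name, link_target) for every symlink entry in a zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # The Unix mode bits live in the high 16 bits of external_attr.
            mode = (info.external_attr >> 16) & 0xFFFF
            if stat.S_ISLNK(mode):
                yield info.filename, zf.read(info).decode("utf-8", "replace")

def suspicious_symlinks(data: bytes):
    """Return (name, target, reason) for symlinks that leave the archive:
    network automount paths, other absolute paths, or '..' traversal."""
    hits = []
    for name, target in zip_symlinks(data):
        if target.startswith(NETWORK_MOUNT_PREFIXES):
            hits.append((name, target, "network automount target"))
        elif target.startswith("/") or ".." in target.split("/"):
            hits.append((name, target, "target outside archive"))
    return hits

def build_sample_zip(links: dict) -> bytes:
    """Construct an in-memory zip whose members are symlinks (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "benign regular file")
        for name, target in links.items():
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # Unix, so readers honour the mode bits
            info.external_attr = (stat.S_IFLNK | 0o755) << 16
            zf.writestr(info, target)  # a symlink's "content" is its target path
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: a placeholder NFS host, not a real indicator.
    sample = build_sample_zip({
        "Installer.app": "/net/EXAMPLE-HOST-PLACEHOLDER/share/Installer.app",
        "notes": "docs/notes.txt",
    })
    for name, target, why in suspicious_symlinks(sample):
        print(f"{name} -> {target}: {why}")
```

A mail gateway or download scanner can run the same check on archives before a user ever double-clicks them.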
Difficult times for Mac users are coming
Intego, for its part, did not report .zip files but rather malware authors tampering with Adobe Flash installers that link back to an application hosted on an NFS share. So far, it appears the attackers are running trials and refining the threat.
Adam Thomas, a security researcher at Malwarebytes, also noted that the NFS share may currently contain only a placeholder application rather than the malware itself. However, once testing is done and an actual campaign begins, these harmless apps will undoubtedly be replaced with malicious ones.
As for the proof-of-concept that Intego uncovered, it likely comes from the same group behind the OSX/Surfbuyer adware family. Adware is not a particularly serious threat, but the flaw itself could lead to far greater problems: the group used adware in the past, but with a flaw like this they could install essentially anything, including things far worse than adware.
The flaw is a major one, and it can be used to infect anyone with anything. That makes it all the more troubling that Apple is seemingly doing nothing to address it, four months after it was first reported. Until a fix is released, there is no way to tell what attackers might come up with. So far, only one group has been caught running these kinds of experiments, and, as researchers point out, if one was caught, there are likely many others that have stayed under the radar.
As for Apple, it is understandable that fixing issues takes time and a great deal of work. However, the company had more than 90 days before the vulnerability was made public, and then did nothing for more than 30 days after the details were published. This is unusual for Apple, which typically meets its deadlines. Something about Gatekeeper, then, must be causing the company problems, which is what makes this case all the more curious.
And since the company has not published any official warning, update, or other response to the flaw, nobody really knows whether it plans to fix it at all, or, if it does, when.