Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security OS X Technology

New Mac Malware Abuses Recently Disclosed Gatekeeper Zero-Day (zdnet.com) 53

puddingebola writes: In May, security researcher Filippo Cavallarin made public a vulnerability in macOS's Gatekeeper. The vulnerability can allow an attacker to use a symlink and an NFS server to bypass Gatekeepers authentication and run malicious code. The malware has been named OSX/Linker and has been tied to the same group that operates the OSX/Surfbuyer adware. All macOS versions are affected, including the latest 10.14.5, and Apple has yet to release a patch to this day, a full month after Cavallarin's public disclosure.
This discussion has been archived. No new comments can be posted.

New Mac Malware Abuses Recently Disclosed Gatekeeper Zero-Day

Comments Filter:
  • by indytx ( 825419 ) on Saturday June 29, 2019 @05:54AM (#58844952)

    My big question is whether there will be a patch available on older versions that are no longer supported. I have a couple of old MacBooks which haven't been supported in several years but are still functional. I wonder whether Apple will do the right thing. Probably not. I don't have the courage to throw away a working piece of equipment and buy something with sticky keys.

    • by Anonymous Coward

      I'm afraid you'll have to buy a new mac to get support. Or do the right thing and put linux in your mac.

      • Good luck with that as the T2 Macs come off OS support. The chip doesn't allow Linux to see the internal SSD, even when set on "Low security". Your only real alternative will be Windows.

    • by Anonymous Coward

      Talk about simplicity. It would appear much much later in the process, if at all. Door is closing.

    • I have a couple of 2008 maxed out iMacs and I'm loath to retire them.

      Firewalled them from the external network. It's not perfect, but it keeps them running.

      Rock solid stable, why should I mess with them?

    • They just recently patched [apple.com] the entire discontinued AirPort base station line with updated firmware to address security issues, so I don't see why they wouldn't do this for macOS which is still an active product.

    • Or if you must mount only the parts of it you trust.
      How many people realistically mount nfs shares these days on macs?
      Even when you might usually the server supports a protocol like SMB or Apple's File system.

    • by beckett ( 27524 )
      in his spare time, DosDude1 [dosdude1.com] extends support of mojave to recently-'obsolete' macs:

      - Early-2008 or newer Mac Pro, iMac, or MacBook Pro

      - Late-2008 or newer MacBook Air or Aluminum Unibody MacBook:

      - Early-2009 or newer Mac Mini or white MacBook:

      - Early-2008 or newer Xserve:

      If your mac is old but not too old, you can still get unofficial support through our hero, DosDude1
  • Install from the command line. Gatekeeper is just a nanny program for the plebs - a security hole wont be relevant to power users anyway.

  • I get that the zip file creates a symlink to an NFS mounted share, but I don't understand how the NFS share got mounted in the first place.

    Does OS/X mount NFS shares automatically by default? Or is it that the installer application is doing that unbeknownst to the victim?
    • You are right, you have to mount an NFS share. I'm not sure an application can even have permission to do that...

      One other thought is, what is Gatekeeper even supposed to do about this? Scan the file and the remote end and see if it's dangerous - even though if it's not at any time later it could easily be replaced by something it is?

      Maybe by default a good OS choice is to make a user enable cross-network symbolic links...

      • The ideal is that anything GateKeeper is executing gets checked for a signature, or if it doesn't have one, some manifest file with a hash of the executable is stored so if a user allowed "foo" to run, if "foo" gets changed, it would either deny executing, or tell the user.

    • I get that the zip file creates a symlink to an NFS mounted share, but I don't understand how the NFS share got mounted in the first place.

      I know for SMB and AFS shares, if you have an Alias on your desktop (or anywhere else) to a folder on a shared drive, the OS will automatically mount that shared drive when you double-click on the Alias. I suspect it works the same for NFS shares.

      Thus, if your installer creates an alias called "catpic.jpg" on your desktop to an entity that exists on a shared drive, when you try to open the file the OS will auto-mount the share, and then load the file as appropriate. It's still in response to user interacti

  • So a user would have to download an app with a symlink in the package, where Gatekeeper would overlook a symbolic link to a network share....

    How is it going to reach that network share? Does that have to be local?

    Then the user also has to execute the symlink, why would they?

    It's probably good to fix but I seriously doubt we'll see anyone affected.

  • Edit the file /etc/auto_master and comment out (using #) any lines starting with "/net".
  • It's not a zero-day (Score:4, Informative)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Saturday June 29, 2019 @11:50AM (#58845954) Homepage Journal

    It was a zero-day, but now it is just a vulnerability, much in the way that today is tomorrow's yesterday.

    • by tepples ( 727027 )

      What makes a vulnerability a "zero-day" is exploitation before a patch becomes available.

He who steps on others to reach the top has good balance.

Working...