{"id":15665,"date":"2019-06-27T10:45:18","date_gmt":"2019-06-27T18:45:18","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/06\/27\/news-9413\/"},"modified":"2019-06-27T10:45:18","modified_gmt":"2019-06-27T18:45:18","slug":"news-9413","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/06\/27\/news-9413\/","title":{"rendered":"Hackers Are Poking at a MacOS Gatekeeper Flaw Apple Left Unfixed"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5d13dfe2a38afe00081d6f63\/master\/pass\/security_macos_1125671756.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Wed, 26 Jun 2019 21:16:33 +0000<\/strong><\/p>\n<p><span class=\"lede\">On February 22, <\/span>cybersecurity researcher Filippo Cavallarin told Apple that he had found a bug in <a href=\"https:\/\/www.wired.com\/tag\/macos\/\">macOS<\/a>. Left unchecked, the vulnerability could let malware slip past the operating system\u2019s Gatekeeper security feature undetected. <a href=\"https:\/\/www.fcvl.net\/vulnerabilities\/macosx-gatekeeper-bypass\" target=\"_blank\">According to Cavallarin<\/a>, Apple said it would fix the problem by mid-May. When the company still hadn\u2019t done so by the time a standard 90-day disclosure deadline had passed, Cavallarin went public, publishing a full description and proof-of-concept code on May 24. And now, hackers have clearly taken notice.<\/p>\n<p>As ZDNet <a href=\"https:\/\/www.zdnet.com\/article\/new-mac-malware-abuses-recently-disclosed-gatekeeper-zero-day\/\" target=\"_blank\">first reported<\/a>, cybersecurity firm Intego recently spotted malware authors testing out what the researchers call OSX\/Linker, which uses a variation on Cavallarin\u2019s proof-of-concept to sneak malicious code past Gatekeeper\u2019s defenses. 
While it looks like this specific attempt hasn\u2019t yet been used in the wild, its existence points to a looming threat to Mac owners\u2014and Apple\u2019s apparent reluctance to fix it.<\/p>\n<p class=\"paywall\">Apple first introduced Gatekeeper in 2012, as part of OS X Mountain Lion. It works by scanning apps that you download from outside of Apple\u2019s Mac App Store to check if they\u2019ve been \u201ccode-signed,\u201d a process that verifies whether software comes from the developer it claims to, and that it hasn\u2019t been tampered with. Gatekeeper also maintains a blacklist of known malware, to flag problematic downloads before you open them.<\/p>\n<p class=\"paywall\">What Cavallarin realized, and what hackers have since glommed on to, is that Gatekeeper doesn\u2019t treat all files equally. Specifically, it considers applications coming from external drives, or shared over a network, as safe. So if you can trick someone into opening a .zip file that contains a so-called symbolic link to a Network File System server you control, you can place whatever malware you want on the victim\u2019s system without Gatekeeper batting an eye. It\u2019s a little bit like getting past the bouncer because you\u2019re dressed in the uniform of the catering company.<\/p>\n<p class=\"paywall\">If that still sounds like a technical jumble, here\u2019s a video Cavallarin made that shows how it unfolds in practice.<\/p>\n<p><iframe loading=\"lazy\"  src=\"https:\/\/www.youtube.com\/embed\/m74cpadIPZY\" width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/p>\n<p class=\"paywall\">Rather than a .zip file, Intego spotted malware authors tinkering with a bogus Adobe Flash installer designed to link back to an application on an NFS. It appeared to be a trial run; Malwarebytes threat researcher Adam Thomas later deduced that the NFS in this case contained only a placeholder application rather than actual malware. 
But in an active campaign, when a victim opened the disk image to update Flash, they\u2019d instead install a malicious app from some far-flung, hacker-controlled server.<\/p>\n<p class=\"paywall\">The proof of concept Intego found appears to come from the same group behind an adware family called OSX\/Surfbuyer\u2014not all that alarming in and of itself. But the underlying vulnerability could lead to all manner of much worse mischief. \u201cBasically any application could be used instead of adware. You could just as easily have a server that is hosting some really nasty spyware, a backdoor,\u201d says Intego chief security analyst Joshua Long. \u201cIt\u2019s certainly not outside the realm of possibility for any other threat actor, or advanced persistent threat, to also use the same technique to get malware installed on somebody\u2019s computer.\u201d<\/p>\n<p class=\"paywall\">Not only that, the nature of the vulnerability means that the same imposter disk image could lead to a variety of malware day to day, depending on what the hackers place on their server. \u201cYou can use it to infect anybody with anything,\u201d says Long.<\/p>\n<p class=\"paywall\">And until Apple decides to patch it, hackers will likely try to do just that. \u201cIf one bad actor has been caught red-handed experimenting with this,\u201d says Thomas Reed, director of Mac research at Malwarebytes, \u201cyou can bet there are others who haven&#x27;t been caught.\u201d<\/p>\n<p class=\"paywall\">The issue of vulnerability disclosure can be fraught. On the one hand, companies need time to fix the problems that researchers find. But they also shouldn\u2019t drag their heels. 
And so the industry has coalesced around a 90-day window as a reasonable amount of time to set the clock.<\/p>\n<p class=\"paywall\">It\u2019s not a perfect system, and it\u2019s created plenty of tensions, particularly between <a href=\"https:\/\/www.wired.com\/2014\/07\/google-project-zero\/\">Google\u2019s bug-hunting Project Zero team<\/a> and Microsoft, a <a href=\"https:\/\/nakedsecurity.sophos.com\/2018\/04\/24\/google-project-zero-pulls-the-rug-out-from-under-microsoft-again\/\" target=\"_blank\">frequent target<\/a> of its disclosures. But with the very <a href=\"https:\/\/www.wired.com\/story\/google-project-zero-buggycow-macos-zero-day\/\">occasional exception<\/a>, Apple has historically hit its deadlines. Which is what makes the case of this Gatekeeper bug so curious.<\/p>\n<p class=\"paywall\">\u201cI don\u2019t think this happens very often with Apple,\u201d says Long. Apple did not respond to a request for comment.<\/p>\n<p class=\"paywall\">By not acting, Apple leaves every Mac potentially vulnerable, especially now that hackers have had time to tease out the bug\u2019s practical applications. That doesn\u2019t mean you should panic; again, no one has spotted any active exploits yet, and even if Gatekeeper misses a sneaky malware install, a decent antivirus program would likely still catch it. But the longer the blueprints are out there, the more likely attackers are to follow them. That it works for pretty much any type of attack makes it all the more potentially appealing. \u201cIt could certainly be used against anybody and everybody,\u201d says Long.<\/p>\n<p class=\"paywall\">It\u2019s also unclear if Apple has plans to implement a fix any time soon. It didn\u2019t include one in its latest macOS update, which it pushed in mid-May. 
\u201cThe most concerning part of this is that macOS 10.14.5 is still fully vulnerable to this bug,\u201d says Reed. \u201cThis means that it&#x27;s entirely possible to use a network share to install malware without the user even knowing it happened. That&#x27;s highly concerning.\u201d<\/p>\n<p class=\"paywall\">To take extra precautions, you can lean on antivirus, although that introduces <a href=\"https:\/\/www.wired.com\/story\/kaspersky-russia-antivirus\/\">its own complications<\/a>. Cavallarin also <a href=\"https:\/\/www.fcvl.net\/vulnerabilities\/macosx-gatekeeper-bypass\" target=\"_blank\">recommends<\/a> more advanced maneuvering to prevent your system from automatically mounting a network share.<\/p>\n<p class=\"paywall\">Most of all, though, hope that a patch comes soon. Until it does, Macs are all a little bit less safe\u2014and more so by the day.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/macos-gatekeeper-vulnerability\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5d13dfe2a38afe00081d6f63\/master\/pass\/security_macos_1125671756.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Wed, 26 Jun 2019 21:16:33 +0000<\/strong><\/p>\n<p>The clock&#8217;s ticking to fix a Gatekeeper bug that would let hackers slip malware onto your computer 
undetected.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-15665","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15665","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15665"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15665\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15665"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15665"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}