June 27, 2019
Unlike Android, Apple's software is widely considered to be much more secure, with far fewer security issues, flaws, and vulnerabilities. While this was true for a long time, things started to shift in recent years, when hackers began focusing more heavily on iOS and macOS. As a result, these systems' flaws also started to emerge, and one major vulnerability was reported to Apple earlier this year, on February 22nd.
The flaw was discovered by cybersecurity researcher Filippo Cavallarin, who reported that, if left unpatched, the vulnerability could allow malware to slip past the Gatekeeper security feature. Not only that, but such malware would likely remain undetected on the device.
Cavallarin stated that Apple acknowledged his discovery and that the firm said it would fix the issue by mid-May. However, Apple had still not done so, and after the 90-day disclosure deadline ran out, Cavallarin decided to go public. On May 24th, he published the full description of his findings, as well as the proof-of-concept code. More than a month has passed since, and it seems that Apple still has not patched the flaw. However, while the company ignores it, the hackers do not, and many have apparently taken notice.
The way around the Gatekeeper
There are already reports of cybersecurity firms, such as Intego, noticing malware creators testing their new creations. According to Intego's researchers, those creators have been conducting tests of OSX/Linker, which uses the published proof-of-concept to infect macOS with malware. It appears that the new threat is still in its testing phase and has yet to be used in the wild. However, the very fact that it exists means that Mac users will soon have quite a serious problem. Meanwhile, Apple still does nothing to fix the issue.
Gatekeeper was originally introduced back in 2012 as part of OS X Mountain Lion. Ever since, it has been a core part of security on Mac devices, scanning downloaded apps and checking whether they are code-signed. In other words, it checks whether the downloaded software was published by a verified developer and whether anyone has altered it since. It also maintains a database of known malware, so that it can recognize and report any that might try to invade the device.
However, the issue lies in the fact that Gatekeeper does not treat all files equally. For example, apps coming from external drives or network shares are considered safe. According to Cavallarin, if someone were to trick a Mac user into opening a .zip file that contains a symbolic link to a Network File System (NFS) server under the hacker's control, the hacker would be able to infect the Mac with any malware they want, with Gatekeeper not even trying to check the files.
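As an added illustration, not taken from the article or from Cavallarin's proof-of-concept, here is a defender-side check in Python that inspects a downloaded .zip archive for symbolic-link entries whose targets point at network or external mount paths, the kind of archive the paragraph above describes. The /net automount root and /Volumes prefix used as heuristics, and the sample archive built in memory, are assumptions constructed for this example.

```python
import io
import stat
import zipfile

# Heuristic prefixes (assumption): /net is the macOS autofs NFS automount root,
# /Volumes is where external and network volumes are mounted.
SUSPICIOUS_PREFIXES = ("/net/", "/Volumes/")

def is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix mode bits are stored in the high 16 bits of external_attr.
    mode = info.external_attr >> 16
    return stat.S_ISLNK(mode)

def find_suspicious_symlinks(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry_name, link_target) pairs for symlink entries whose
    target is an absolute path under a network or external mount prefix."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_symlink(info):
                continue
            # For a symlink entry, the stored data is the link target itself.
            target = zf.read(info).decode("utf-8", errors="replace")
            if target.startswith(SUSPICIOUS_PREFIXES):
                findings.append((info.filename, target))
    return findings

def build_sample_zip(entries) -> bytes:
    """Constructed test data: build a zip in memory from (name, content, is_link)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content, is_link in entries:
            info = zipfile.ZipInfo(name)
            mode = (stat.S_IFLNK | 0o777) if is_link else (stat.S_IFREG | 0o644)
            info.external_attr = mode << 16
            info.create_system = 3  # mark as Unix so readers honour the mode bits
            zf.writestr(info, content)
    return buf.getvalue()

# Constructed sample archive: one plain file, one link to a (placeholder)
# NFS automount path, and one harmless relative link inside the archive.
SAMPLE_ZIP = build_sample_zip([
    ("README.txt", "harmless text file", False),
    ("Installer.app", "/net/example.invalid/share/Installer.app", True),
    ("local_link", "README.txt", True),
])

if __name__ == "__main__":
    for name, target in find_suspicious_symlinks(SAMPLE_ZIP):
        print(f"SUSPICIOUS: {name} -> {target}")
```

Only the link pointing outside the archive to the automount path is flagged; the relative link to README.txt is left alone.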
Difficult times for Mac users are
As for Intego, what they reported did not involve .zip files, but rather malware authors trying to tamper with Adobe Flash installers that would link back to an application hosted on an NFS server. So far, it appears that the hackers are performing trials and perfecting the threat.
A security researcher from Malwarebytes, Adam Thomas, also stated that the NFS share might contain only a placeholder application rather than the malware itself. However, as soon as the tests are done and the actual campaign takes place, these harmless apps will undoubtedly be replaced by malicious ones.
As for the proof-of-concept that Intego itself uncovered, it likely comes from the same group that was behind the OSX/Surfbuyer adware family. Adware is not a particularly serious threat, but the flaw itself could lead to much greater problems. The group used adware in the past, but with a flaw like this they could install basically anything, and that includes things far worse than adware.
The flaw is a major one, and it can be used to infect anyone with anything. This makes it all the more troubling that Apple is seemingly doing nothing to address it, even four months after the flaw was originally reported. Until a fix is released, there is no way to tell what the hackers might come up with. So far, only one group has been caught conducting this kind of experiment. And, according to researchers, if one was caught experimenting, there are likely numerous others that have managed to stay under the radar.
As for Apple itself, it is understandable that fixing issues requires time and a lot of work. However, the company had over 90 days before the vulnerability was made public, and it still did nothing for over 30 days after the details of the flaw were published. This is also quite unusual for Apple, which typically meets its deadlines. In other words, something about Gatekeeper must be causing problems for the company, which is what makes this particular case all the more curious.
And, since the company has not published any official warning, update, or anything else to address the flaw, nobody is really sure whether they plan to fix it at all, or if they do, when.