Security researcher finds way to bypass macOS application security


A security researcher has found a way to bypass the macOS check that decides whether a downloaded application is allowed to run. In practice this lets an attacker get a malicious application executed on a victim's Mac by hiding it in a zip file.

The vulnerability concerns Gatekeeper, the macOS component that verifies application code before it runs: code that is not signed with a certificate issued by Apple is supposed to be blocked. This is meant to stop rogue applications from doing their job if a user downloads them by mistake. Security researcher Filippo Cavallarin has found a way to bypass Gatekeeper, which makes it easier for attackers to install malware.

Gatekeeper treats network shares as trusted locations, so files stored on them are not checked again when they are opened. Cavallarin exploits this with a specially crafted zip file that contains a symbolic link pointing at a path on a network share. When the user follows that link, macOS mounts the share automatically, and the share is in fact served by the attacker's server. Whatever the attacker placed there therefore appears to come from a trusted network location and is opened without a Gatekeeper check.
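One check a defender can apply before opening a downloaded archive is to look for symbolic links inside it whose target is an absolute path on a network or external mount. The script below is an added example written for this article, not the researcher's proof of concept or Apple's code. It builds a small constructed archive (a harmless relative symlink plus an absolute one pointing at an automounter path) and flags the latter; the prefixes it treats as suspicious, and the hostname `attacker.example.com`, are this example's own assumptions.

```python
import io
import stat
import sys
import zipfile
from typing import List, Tuple

# Targets that resolve to locations Gatekeeper treats as trusted (network shares
# and external volumes). /net is the default automounter prefix on macOS; the
# list itself is this example's own choice, not a Gatekeeper setting.
SUSPICIOUS_PREFIXES = ("/net/", "/Volumes/")


def symlink_entries(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, link target) for every symbolic link stored in the archive.

    In a zip file written on a Unix system the file mode lives in the high 16
    bits of external_attr, and a symlink entry's content is its target path.
    """
    links = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            mode = zi.external_attr >> 16
            if stat.S_ISLNK(mode):
                target = zf.read(zi.filename).decode("utf-8", "replace")
                links.append((zi.filename, target))
    return links


def flag_suspicious(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Symlinks whose target is an absolute path under a network/external mount."""
    return [
        (name, target)
        for name, target in symlink_entries(zip_bytes)
        if target.startswith(SUSPICIOUS_PREFIXES)
    ]


def build_demo_zip() -> bytes:
    """Constructed sample archive for the example (not the researcher's PoC).

    Contains a regular file, a benign relative symlink and an absolute symlink
    pointing at an automounter path on a placeholder attacker host.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        for name, target in [
            ("docs", "readme.txt"),
            ("Installer", "/net/attacker.example.com/share/"),  # placeholder host
        ]:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark entry as a symlink
            zf.writestr(zi, target)
    return buf.getvalue()


if __name__ == "__main__":
    # Scan a real archive passed on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_zip()
    hits = flag_suspicious(data)
    for name, target in hits:
        print(f"SUSPICIOUS symlink: {name} -> {target}")
    if not hits:
        print("no suspicious symlinks found")
```

Run it as `python3 scan_zip.py download.zip`; with no argument it scans the constructed sample and reports the `Installer` link. Note that Python's own `extractall` writes a symlink entry out as a plain file containing the target path, so the scan has to inspect the archive rather than an extracted copy; macOS's Archive Utility, by contrast, does recreate the symlink, which is what the bypass relies on.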

In a demonstration video, the researcher shows how malware is installed on a macOS system using the crafted zip file. His blog also contains step-by-step instructions for reproducing the bypass.

Cavallarin reported the issue to Apple, which said it would fix the vulnerability. The recently released macOS 10.14.5 contains no fix, however, and the researcher says Apple has since stopped responding to his emails. It is therefore unclear when the Gatekeeper flaw will be fixed.
