How to Protect Against a New MacOS Security Vulnerability
Mac users should be aware that a recently discovered vulnerability present in macOS Gatekeeper, also known as the “Cavallarin” exploit, was reportedly exploited by adware creators. In times like these, we are reminded of the best advice for keeping your Mac safe from problems like this: When in doubt, install apps from the Mac App Store or trusted third-party sources, not just anything you find. in the Internet.
How the Cavallarin exploit works
MacOS Gatekeeper checks all installed applications to make sure they are Apple certified. If the app does not receive “everything cleared” from Apple, the gatekeeper will stop the installation and notify the user. You can still install your application, you just need to explicitly confirm the installation – in other words, “do you really want to do this?” check from Apple.
Security researcher Filippo Cavallarin (hence the Cavallarin part of the exploit’s name) discovered that the gatekeeper criteria for “trusted” applications had a serious flaw that allowed untrusted applications to trick the gatekeeper into giving them free access. Due to the fact that Gatekeeper whitelisted installations from external drives and network resources, the attack could end as follows:
“The attacker creates a zip file containing a symbolic link to an automatic mount endpoint that he / she controls (for example, Documents -> /net/evil.com/Documents) and sends it to the victim.
The victim downloads the malicious archive, extracts it, and follows the symbolic link.
The victim is now in a location controlled by the attacker but trusted by the Gatekeeper, so any executable file controlled by the attacker can be run without any warning. The way the Finder is designed (like hiding .app extensions, hiding the full path from the title) makes this method very efficient and difficult to find. “
Cavallarin discovered a workaround a few weeks ago and gave Apple 90 days to fix it. Apple did not respond, so Cavallarin exposed the exploit on May 24. Even after publicly disclosing the information, Apple still hasn’t fixed the problem, and now the malware research team at Intego has seen the first signs of a Gatekeeper exploit being used on the Internet. …
Intego tracked four malware samples uploaded to Virustotal on July 6, and each of these disk images pointed to the same potentially malicious application on a single linked server. It was later revealed that these were early tests of the malware now known as “OSX / Linker” and the Intego team suspects that they are being carried out by the same developers as the OSX / Surfbuyer malware.
While “testing” doesn’t sound too bad at the moment, Intego security analyst Joshua Long notes that the nature of this vulnerability leaves the door open to worst-case scenarios:
… because the .app is dynamically linked inside the disk images, it can change on the server side at any time – without having to change the disk image. Thus, it is possible that the same disk images (or newer versions that were never loaded into VirusTotal) could later be used to distribute an application that actually executed malicious code on the victim’s Mac.
How to prevent possible Cavallarin exploits on Mac
For now, the easiest prevention method is to stick to Apple-certified apps from the App Store first and foremost, and have a healthy suspicion about apps you download from sources you don’t know. It is unclear how long it might take for Apple to fix this vulnerability in macOS.
The premium antivirus programs Intego VirusBarrier X9 and Flextivity have added the OS / Linker threat to their registries, and you can also use the freeVirusBarrier scanner to check your system for any known exploit-related threats. They will appear in the list of detected threats as “OSX / Linker”. Intego asks infected users to contact them via an online form .
There are other prevention methods you can look into for your system, but they are more risky as they require disabling and editing critical macOS security controls. You can check out the Intego blog post on the Cavallarin exploit for more information, but we recommend that you just practice safer online habits. And if you have any doubts about what you are going to install on your computer, do a quick virus scan before proceeding.