OSX.Linker Gatekeeper bypass threat
Background
Gatekeeper is an Apple security feature built into the Mac operating system, beginning with OS X Lion, version 10.7.3. It is designed to check that apps downloaded from the internet have been signed with a valid Apple Developer certificate and do not contain malware before allowing them to be opened and run.
Vulnerability
A vulnerability in this technology, identified by researcher Filippo Cavallarin in February 2019, showed that Gatekeeper can be circumvented by downloading an archive file or disk image file containing a symbolic link (symlink) to a malicious app hosted on a remote Network File System (NFS) server.
Currently, any app downloaded from an NFS server is not checked by Gatekeeper, even if there is a Developer signing issue or it contains a threat Gatekeeper would otherwise recognise. Thus far Apple have not stated when they plan to fix this Gatekeeper flaw.
To date, virus writers have produced a number of proof-of-concept threats to test this vulnerability, posting them as disk image files with associated payloads to an NFS server; these files have since been removed.
ProtectWorks AntiVirus detects this threat as OSX.Linker.A.
Customers should contact Support for further assistance if required: support@protectmac.com