Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Mac Gatekeeper vulnerability allows installation of malware

A flaw with the Gatekeeper authentication feature in macOS, a tool designed to keep malware off Mac, is reportedly being exploited to deliver a malicious software package nicknamed "OSX/Linker."

The exploit, discovered by security researcher Filippo Cavallarin, relies on two basic Mac features to function: automount and Gatekeeper.

As detailed by Tom's Guide, Gatekeeper funnels files downloaded from the internet to Apple's XProtect antivirus screener, but grants files from a local storage device — mounted via automount — safe passage without scrutiny. Cavallarin was able to trick Gatekeeper into thinking a downloaded file originated from a local drive, bypassing the normal screening protocols.

Cavallarin reportedly contacted Apple about the issue in February, but published details on May 24 since the problem was left unfixed.

The accompanying OSX/Linker malware attempts to hijack a Mac, at which point the computer can be used for any malicious activity attackers want, from crytpo mining to data theft.

The code has been uploaded four times to VirusTotal, a repository researchers use to detect and share malware samples. That's a relatively small amount, and the malware is already being screened by Intego software and likely other antivirus tools as well.

It should therefore be relatively easy to avoid OSX/Linker, especially by following standard protocols like refusing downloads from unknown sources. It's also possible to disable automounting, though that would require users to manually connect and disconnect external drives each time they're used.



17 Comments

lkrupp 10521 comments · 19 Years

Another report said the vehicle for this and many other malware is infected Adobe Flash updates. I get them all the time on various websites, even well known and popular ones. Sometimes they actually download themselves.

1. Don’t EVER accept a Flash update from anywhere other than Adobe. In fact don’t use Flash unless you absolutely have to.

2. Make sure your browser settings prohibit launching any download automatically.

3. If it smells fishy it probably is. Don’t open it.

But people being people... well you know.

seanismorris 1624 comments · 8 Years

lkrupp said:
Another report said the vehicle for this and many other malware is infected Adobe Flash updates. I get them all the time on various websites, even well known and popular ones. Sometimes they actually download themselves.

1. Don’t EVER accept a Flash update from anywhere other than Adobe. In fact don’t use Flash unless you absolutely have to.

2. Make sure your browser settings prohibit launching any download automatically.

3. If it smells fishy it probably is. Don’t open it.

But people being people... well you know.

#1 Die! Flash Die!
#2 MacOS needs a good antivirus program 

Apple’s lack of transparency, lack of a bug bounty program, and (in this case) lack of bugs getting fixed in a timely manner, means additional steps are needed to protect yourself.

MacOS provides a better user experience than Windows, but in some ways it’s inferior.  I suspect MacOS are just a lower priority vs iOS, and doesn’t get Apple’s full attention.

I agree, common sense is a good start to security, but who isn’t void of common sense occasionally...?

macplusplus 2116 comments · 9 Years

Use an effective ad blocker and disable "Open safe files after downloading" option in Safari and note that "safe" is written in double quotation marks. Remember that there is no safe file on the Internet. 

Ad networks distribute malware by means of several obscure redirections. Even if you don't click anything on the infected page, anything as in not only the ad but nothing on that page, the payload is sent to your computer. The display of the wrapper ad is enough to infect your computer. The payload mostly comes in one of the archive formats such as .zip, .dmg, .pkg, that list being not exhaustive. You may want to check your Downloads folder right now and move all of the said archive files to the Trash, don't even try to open any of them, you can download legitimate installers anytime from the legitimate sources.

Download by redirection may occur on any web page, not only ads. Be careful when binge browsing expecially on questionable sites, watch what your browser does after clicking a link, does the link open a pop-up window or does it redirect to a download before opening the target page? And check your Downloads folder frequently to spot any suspicious download.

lostkiwi 640 comments · 18 Years

Use an effective ad blocker and disable "Open safe files after downloading" option in Safari and note that "safe" is written in double quotation marks. Remember that there is no safe file on the Internet. 

Ad networks distribute malware by means of several obscure redirections. Even if you don't click anything on the infected page, anything as in not only the ad but nothing on that page, the payload is sent to your computer. The display of the wrapper ad is enough to infect your computer. The payload mostly comes in one of the archive formats such as .zip, .dmg, .pkg, that list being not exhaustive. You may want to check your Downloads folder right now and move all of the said archive files to the Trash, don't even try to open any of them, you can download legitimate installers anytime from the legitimate sources.

Download by redirection may occur on any web page, not only ads. Be careful when binge browsing expecially on questionable sites, watch what your browser does after clicking a link, does the link open a pop-up window or does it redirect to a download before opening the target page? And check your Downloads folder frequently to spot any suspicious download.

Some great advice here. So many people don’t use a good content blocker. It is very important these days. 

9secondkox2 3148 comments · 8 Years

Some of these vulnerabilities are just stupid. 

As in easy to have secured them 

begs the the question about backdoors. Rather than build one outright, just leave a quiet vulnerability. 

This is one in particular is ridiculous.