Roger Fingas
A flaw with the Gatekeeper authentication feature in macOS, a tool designed to keep malware off Mac, is reportedly being exploited to deliver a malicious software package nicknamed "OSX/Linker."
The exploit, discovered by security researcher Filippo Cavallarin, relies on two basic Mac features to function: automount and Gatekeeper.
As detailed by Tom's Guide, Gatekeeper funnels files downloaded from the internet to Apple's XProtect antivirus screener, but grants files from a local storage device — mounted via automount — safe passage without scrutiny. Cavallarin was able to trick Gatekeeper into thinking a downloaded file originated from a local drive, bypassing the normal screening protocols.
Cavallarin reportedly contacted Apple about the issue in February, but published details on May 24 since the problem was left unfixed.
The accompanying OSX/Linker malware attempts to hijack a Mac, at which point the computer can be used for any malicious activity attackers want, from crytpo mining to data theft.
The code has been uploaded four times to VirusTotal, a repository researchers use to detect and share malware samples. That's a relatively small amount, and the malware is already being screened by Intego software and likely other antivirus tools as well.
It should therefore be relatively easy to avoid OSX/Linker, especially by following standard protocols like refusing downloads from unknown sources. It's also possible to disable automounting, though that would require users to manually connect and disconnect external drives each time they're used.
William Gallagher
Christine McKee
AppleInsider Staff
Chip Loder
Malcolm Owen
17 Comments
Another report said the vehicle for this and many other malware is infected Adobe Flash updates. I get them all the time on various websites, even well known and popular ones. Sometimes they actually download themselves.
1. Don’t EVER accept a Flash update from anywhere other than Adobe. In fact don’t use Flash unless you absolutely have to.
2. Make sure your browser settings prohibit launching any download automatically.
3. If it smells fishy it probably is. Don’t open it.
But people being people... well you know.
Use an effective ad blocker and disable "Open safe files after downloading" option in Safari and note that "safe" is written in double quotation marks. Remember that there is no safe file on the Internet.
Ad networks distribute malware by means of several obscure redirections. Even if you don't click anything on the infected page, anything as in not only the ad but nothing on that page, the payload is sent to your computer. The display of the wrapper ad is enough to infect your computer. The payload mostly comes in one of the archive formats such as .zip, .dmg, .pkg, that list being not exhaustive. You may want to check your Downloads folder right now and move all of the said archive files to the Trash, don't even try to open any of them, you can download legitimate installers anytime from the legitimate sources.
Download by redirection may occur on any web page, not only ads. Be careful when binge browsing expecially on questionable sites, watch what your browser does after clicking a link, does the link open a pop-up window or does it redirect to a download before opening the target page? And check your Downloads folder frequently to spot any suspicious download.
Some of these vulnerabilities are just stupid.
As in easy to have secured them
begs the the question about backdoors. Rather than build one outright, just leave a quiet vulnerability.
This is one in particular is ridiculous.