About three months ago, web application security specialists reported to Apple a vulnerability that allows hackers to trick an intelligent device user into running malicious applications by bypassing the Gatekeeper function. Now, it has been reported that the company hasn’t patched the vulnerability yet.
Gatekeeper is an Apple
mechanism for verifying code signing and applications downloading; when a user
downloads an application from unofficial platforms, Gatekeeper is enabled and
prevents execution of the application, as the user must first express their
consent to install and run unknown source software.
Web application security specialists who
reported the vulnerability mention that it is possible to bypass the enabling
of Gatekeeper to run unknown source code in macOS version 10.14.5 and earlier
without users’ permission. “Apple assured us that the vulnerability would
be corrected before May 15, although the flaw is still active”, the
specialists mention. Due to the deadline of 90 days for the company to correct
the flaw, the specialists decided to publish their report.
The vulnerability exists because Gatekeeper
considers that external storage units and network shares are safe locations,
allowing an app hosted in these forms to be executed. By combining this with the auto-mount feature
to mount a network share using a “special” path, the vulnerability
can be exploited by a skilled enough threat actor.
The web application security specialists from
the International Institute of Cyber Security (IICS) consider that many users
of Apple computers are exposed to this vulnerability, as the latest version of
the macOS operating system was launched just a few days ago, so users may be
running past versions of the system.
The company has not corrected this flaw, so it
only remains for the users to find a workaround to mitigate the risks. The
experts who reported the vulnerability mention that although there is a
possible temporary solution, it is not available to users without technical
knowledge about Apple’s operating system.
