About three months ago, web application security specialists reported to Apple a vulnerability that allows hackers to trick an intelligent device user into running malicious applications by bypassing the Gatekeeper function. Now, it has been reported that the company hasn’t patched the vulnerability yet.
Gatekeeper is an Apple mechanism for verifying code signing and applications downloading; when a user downloads an application from unofficial platforms, Gatekeeper is enabled and prevents execution of the application, as the user must first express their consent to install and run unknown source software.
Web application security specialists who reported the vulnerability mention that it is possible to bypass the enabling of Gatekeeper to run unknown source code in macOS version 10.14.5 and earlier without users’ permission. “Apple assured us that the vulnerability would be corrected before May 15, although the flaw is still active”, the specialists mention. Due to the deadline of 90 days for the company to correct the flaw, the specialists decided to publish their report.
The vulnerability exists because Gatekeeper considers that external storage units and network shares are safe locations, allowing an app hosted in these forms to be executed. By combining this with the auto-mount feature to mount a network share using a “special” path, the vulnerability can be exploited by a skilled enough threat actor.
The web application security specialists from the International Institute of Cyber Security (IICS) consider that many users of Apple computers are exposed to this vulnerability, as the latest version of the macOS operating system was launched just a few days ago, so users may be running past versions of the system.
The company has not corrected this flaw, so it only remains for the users to find a workaround to mitigate the risks. The experts who reported the vulnerability mention that although there is a possible temporary solution, it is not available to users without technical knowledge about Apple’s operating system.