Sneaky Gatekeeper Flaw Could Let Hackers Run Malware on Macs

Among the most fundamental security features on Macs, Gatekeeper is near the top of the list. A first line of defense against malicious software, Gatekeeper’s job is to verify code signatures, which ensures that the software you’re running is genuine and hasn’t been tampered with by outside forces. Gatekeeper also helps to keep unauthorized software from running without your permission and provides help to users through warning messages letting you know when something might not be safe. Recently, though, a security researcher named Filippo Cavallarin unveiled a flaw in Gatekeeper that Apple has not yet patched, even in the most recent versions of macOS Mojave. 

If triggered, this Gatekeeper exploit could allow a bad guy to gain access to a digital space with unrestricted ability to run arbitrary code while Gatekeeper believes that it is all legitimate behavior authorized by the user. The actual mechanics of the exploit are a bit tricky, but in short, it involves unexpectedly using two legitimate system functions, causing an exceptional scenario which fools Gatekeeper into thinking everything is okay. This occurs because your Mac intrinsically trusts specific actions, such as connecting to a shared local network. 

How would an attacker pull it off? An attacker would use a ZIP file with the exploitative system pointers built inside of it.  When a user downloads and opens it, macOS automatically processes the instructions — and Gatekeeper is none the wiser. In fact, the process is practically invisible to users, potentially allowing for quite an intrusive attack once the hacker gains access to system permissions. 

Right now, there is no patch for the bug — in fact, Cavallarin says that he originally notified Apple back in February and was in communication with the company up until mid-May. That was the point at which Apple said they expected to publish a fix, but as yet, none has appeared in recent macOS updates. With no fix on the horizon and the expiration of a self-imposed 90-day deadline, Cavallarin went public with a demonstration of the flaw. Whether that will trigger a more rapid response from Apple remains to be seen.

There is a workaround available, though it may be a little tricky for the average user. Since the attack requires a malicious ZIP file, though, the best course for users right now is to simply be wary of what you download, and – as always – avoid anything that claims to be an update for Adobe Flash. Avoid opening archive files you aren’t expecting, and verify attachments were included purposefully by the sender before you open them.