Mac users take heed: A recently disclosed vulnerability in macOS Gatekeeper, known as the “Cavallarin” exploit after the researcher who found it, has reportedly been leveraged by adware creators. It’s times like these when we’re reminded of the best advice for keeping your Mac protected from these kinds of issues: When in doubt, install apps from the Mac App Store or trusted third-party sources, not just any ol’ thing you found on the internet.
How the Cavallarin exploit works
Gatekeeper checks apps you download from the internet the first time you open them: macOS tags downloaded files with a quarantine attribute, and Gatekeeper confirms that a quarantined app is signed by a developer registered with Apple. If an app hasn’t received the “all clear,” Gatekeeper blocks it and tells you so. You can still open it, you just have to expressly confirm that you want to (right-click the app and choose Open), in other words a “do you really want to do this?” check on Apple’s part.
Security researcher Filippo Cavallarin (hence the “Cavallarin” part of the exploit’s name) discovered that Gatekeeper’s criteria for “trustworthy” apps have a serious flaw that allows untrustworthy apps to trick Gatekeeper into giving them a free pass. Gatekeeper treats external drives and network shares as safe locations and doesn’t check apps launched from them, and macOS will automatically mount a remote share the moment a path under /net/ is accessed. Here’s how an attack could play out, in Cavallarin’s words:
“An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (ex Documents -> /net/evil.com/Documents) and sends it to the victim.
The victim downloads the malicious archive, extracts it and follows the symlink.
Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this technique very effective and hard to spot.”
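The steps above have a simple tell: the archive contains a symbolic link whose target is an absolute path into a location Gatekeeper already trusts (the /net automounter for network shares, or /Volumes for external drives). The following script is an added example, not code from the page, Cavallarin or Intego, and the folder it builds is a constructed sample modelled on the “Documents -> /net/evil.com/Documents” link described above. It lists such links in an extracted archive without following them, so the check itself never triggers the automounter:

```shell
#!/bin/sh
# Added example (not from the page, Cavallarin or Intego): a pre-flight check
# for a folder you just unzipped. It prints every symlink whose target points
# into a location macOS treats as already trusted: the /net automounter
# (network shares, the path used in the bypass) or /Volumes (external drives).

scan_for_automount_symlinks() {
    # Print "link -> target" for each suspicious symlink under directory $1.
    # find -type l lists links (including dangling ones) without following them.
    (cd "$1" && find . -type l) | while IFS= read -r link; do
        # readlink prints the raw link target and does not resolve it, so a
        # /net/<host>/... target is never touched by this check.
        target=$(readlink "$1/$link")
        case "$target" in
            /net/*|/Volumes/*) printf '%s -> %s\n' "${link#./}" "$target" ;;
        esac
    done
}

has_automount_symlinks() {
    # Exit status 0 if at least one suspicious symlink was found, 1 otherwise.
    [ -n "$(scan_for_automount_symlinks "$1")" ]
}

make_sample_extracted_dir() {
    # Constructed sample standing in for an unzipped download: one decoy link
    # modelled on the page's "Documents -> /net/evil.com/Documents", plus a
    # benign relative link and a regular file that must not be flagged.
    d=$(mktemp -d)
    printf 'hello\n' > "$d/notes.txt"
    ln -s notes.txt "$d/README"
    ln -s /net/evil.com/Documents "$d/Documents"
    printf '%s\n' "$d"
}

# Usage: sh check_links.sh <extracted-folder>
if [ $# -gt 0 ]; then
    if has_automount_symlinks "$1"; then
        echo "WARNING: archive contains links into trusted automount locations:"
        scan_for_automount_symlinks "$1"
        exit 2
    fi
    echo "no automount symlinks found"
fi
```

On a real download you would run this on the extracted folder before opening anything in it; a flagged link is exactly the decoy the attack needs, since nothing in a legitimate archive should point at another machine’s share. The script only inspects link targets, so it works on any unzipped archive regardless of what the .app inside it contains.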
Cavallarin reported the bypass to Apple earlier this year and gave the company 90 days to fix it. Apple didn’t respond, so Cavallarin publicly disclosed the exploit on May 24. Even after the public disclosure, Apple still hasn’t fixed the issue, and now the malware research team at Intego has seen the first signs of the Gatekeeper exploit being used in the wild.
Intego tracked four malware samples uploaded to VirusTotal on July 6. Each was a disk image containing a link to the same potentially malicious app on a single remote server. It was later determined that these were early tests of malware now known as “OSX/Linker,” and the Intego team suspects they’re being carried out by the same developers behind the OSX/Surfbuyer malware.
While “testing” doesn’t sound too terrible at this point, Intego security analyst Joshua Long notes that the nature of this vulnerability leaves the door open for worse scenarios:
…because the .app inside the disk images is dynamically linked, it could change on the server side at any time—without the disk image needing to be modified at all. Thus, it’s possible that the same disk images (or newer versions that were never uploaded to VirusTotal) could later have been used to distribute an app that actually executed malicious code on a victim’s Mac.
How to prevent potential Cavallarin exploits on Mac
At this point, the easiest prevention method is to stick to Apple-certified apps from the App Store above all, an