New Mac Malware Is Abusing Unpatched Gatekeeper Vulnerability

Several security researchers have warned about the peril of an unpatched macOS Gatekeeper vulnerability. An investigation by Joshua Long, Chief Security Analyst for Mac, has now revealed that malware developers are actively abusing the vulnerability.

The security researcher has learned that the new malware has been named OSX/Linker and is associated with the same group that operates the OSX/Surfbuyer adware. The malware operates by abusing a previously known Gatekeeper security flaw. Gatekeeper is the macOS feature that scans and approves apps downloaded from the internet before they are allowed to run.

Apple is yet to patch the Gatekeeper vulnerability, and this has seemingly attracted a swarm of malware attackers. A sample discovered earlier revealed that malware authors were trying to take advantage of the vulnerability in any way possible.

Last month, security researcher Filippo Cavallarin pointed out this problem:

Gatekeeper’s functionality can be completely bypassed. In its current implementation, Gatekeeper considers both external drives and network shares as “safe locations.” This means that it allows any application contained in those locations to run without checking the code again. He goes on to explain that the user can “easily” be tricked into mounting a network share, and that anything in that folder can then pass Gatekeeper.

Cavallarin apparently gave Apple 90 days to fix the issue. However, Apple stopped responding to his emails and failed to issue a patch.

The test OSX/Linker files are packaged as Adobe Flash Player installers. According to the report, this is one of the most common ways to trick Mac users into installing malware. Thankfully, the OSX/Linker malware has yet to be spotted in the real world; however, it is very likely that malware attackers are prepping the new malware. Long has already notified Apple of OSX/Linker, and the company is working on revoking the abused certificates.
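Because an unpatched Gatekeeper trusts anything on a network share, a defender's first question is which such "safe locations" are currently mounted and what application bundles sit on them. The following audit script is an added example, not code from the article or from Intego; it assumes the filesystem type names macOS prints for network volumes (nfs, smbfs, afpfs, webdav) and uses a constructed `mount` listing so it can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the article): list mounted volumes that an unpatched
# Gatekeeper would treat as a trusted "safe location", and the .app bundles on them.
# Parses the macOS `mount` listing, whose lines look like
#   "<device> on <path> (<type>, <flags>)".
# Assumption: nfs/smbfs/afpfs/webdav are the type names macOS uses for network
# mounts. SAMPLE_MOUNT below is a constructed listing for offline use.

# Print "<fstype> <mountpoint>" for every network filesystem in a `mount`
# listing read from stdin (type first so mount points with spaces survive `read`).
network_mounts() {
  sed -n 's/^.* on \(.*\) (\([a-z0-9]*\)[,)].*$/\2 \1/p' |
    awk '$1 ~ /^(nfs|smbfs|afpfs|webdav)$/'
}

# Print every .app bundle below the given directory, one per line, sorted.
apps_under() {
  find "$1" -type d -name '*.app' -print 2>/dev/null | sort
}

# Report application bundles living on network mounts; takes a `mount`
# listing on stdin, so the live check on a Mac is: mount | report_network_apps
report_network_apps() {
  network_mounts | while read -r fstype mountpoint; do
    echo "network mount: $mountpoint ($fstype)"
    apps_under "$mountpoint" | sed 's/^/  app bundle: /'
  done
}

# Constructed sample of macOS `mount` output (hostnames and user are made up).
SAMPLE_MOUNT='/dev/disk1s1 on / (apfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
map auto_home on /System/Volumes/Data/home (autofs, automounted, nobrowse)
fileserver.example:/export on /Volumes/export (nfs, nodev, nosuid, mounted by alice)
//alice@fileserver.example/share on /Volumes/share (smbfs, nodev, nosuid, mounted by alice)
/dev/disk2s1 on /Volumes/USB (msdos, local, nodev, nosuid, noowners)'

# Dry run against the constructed listing: the two network mounts are reported;
# their paths do not exist here, so no app bundles are listed under them.
printf '%s\n' "$SAMPLE_MOUNT" | report_network_apps
```

External drives, which the article says Gatekeeper also treats as safe, show up as `local` in `mount` output and need `diskutil info` to tell apart from internal disks, so this script covers only network-backed mounts.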

Our Take

The threat of malware attacks still looms large. The best way to steer clear of malware is to avoid clicking on malicious links and installing apps from unknown sources. In my opinion, it is best that we download apps from the App Store. You can always decide to make an exception for sources that you trust. Alternatively, you can install and use antimalware tools.

[via Intego]