Security researchers have discovered a piece of Mac malware called OSX/Linker that exploits a zero-day vulnerability in macOS Gatekeeper.
OSX/Linker
On May 24, security researcher Filippo Cavallarin publicly disclosed a vulnerability in macOS Gatekeeper. He had contacted Apple about it and was told it would be fixed within 90 days, but the company missed the deadline and stopped responding. Mr. Cavallarin found that macOS treats apps loaded from a shared network resource differently from apps downloaded via the internet: downloads are tagged for quarantine and checked by Gatekeeper, while apps on a mounted network share are not.
By creating a symbolic link (or “symlink,” similar to an alias) to an app hosted on an attacker-controlled Network File System (NFS) server, putting that symlink in a .zip archive, and getting a victim to download and open the archive, an attacker can launch an app that is never checked by Gatekeeper, nor by Apple’s rudimentary XProtect bad-download blocker. The archive and the symlink inside it receive the quarantine flag; the app behind the link, which lives on the network share, does not.
The simpler explanation: This trick makes it easier for malware to infect a Mac—even if Apple has a built-in signature that’s supposed to protect your Mac from that malware.
He also posted a YouTube video demonstrating the Gatekeeper bypass.
The team at Intego found the first known attempts to use this vulnerability: four malware samples uploaded to VirusTotal. The first came from an Israeli IP address and the rest from an IP address in the United States.
Intego’s blog post has more detail, but right now there isn’t an easy solution until Apple patches the vulnerability, unless you can find antivirus software that detects OSX/Linker.
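Two checks a practitioner can run against the technique described above, as an added example that is not part of this article, Intego’s post, or Cavallarin’s disclosure: the first inspects a .zip archive for symlink entries whose target points under /net/, the directory where the macOS automounter mounts NFS hosts on demand (the path the bypass relies on); the second audits an /etc/auto_master map for an active /net line and produces the commented-out version. The archive, the host name evil.example.com, and the auto_master text are all constructed for the example.

```python
"""Added example: spot OSX/Linker-style archives and audit the /net automounter.

All sample data is constructed here; nothing touches a real NFS server.
"""
import io
import posixpath
import stat
import zipfile

# Hypothetical attacker host, used only inside the constructed sample archive.
EVIL_TARGET = "/net/evil.example.com/share/Installer.app"


def find_net_symlinks(zip_bytes):
    """Return (entry name, link target) for every symlink in the archive whose
    target resolves under /net/. Zip stores Unix mode bits in the high 16 bits
    of external_attr, and a symlink entry's content is its link target."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if not stat.S_ISLNK(mode):
                continue
            target = zf.read(info).decode("utf-8", "replace")
            # normpath folds tricks such as /net/../net/host so the prefix test holds
            if posixpath.normpath(target).startswith("/net/"):
                hits.append((info.filename, target))
    return hits


def build_sample_zip():
    """Constructed sample: one benign text file plus a symlink named like an
    app whose target is the (assumed) attacker-controlled NFS path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "nothing to see here\n")
        link = zipfile.ZipInfo("Installer.app")
        link.create_system = 3                          # 3 = Unix, so mode bits apply
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, EVIL_TARGET)                  # a symlink's data is its target
    return buf.getvalue()


# Constructed to match the layout of the default macOS /etc/auto_master.
SAMPLE_AUTO_MASTER = """\
# Automounter master map
+auto_master            # Use directory service
/net                    -hosts          -nobrowse,hidefromfinder,nosuid
/home                   auto_home       -nobrowse,hidefromfinder
/Network/Servers        -fstab
/-                      -static
"""


def net_automount_enabled(auto_master_text):
    """True if the map still has an active (uncommented) /net line."""
    for raw in auto_master_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0] == "/net":
            return True
    return False


def disable_net_automount(auto_master_text):
    """Return the map with every active /net line commented out."""
    out = []
    for raw in auto_master_text.splitlines():
        fields = raw.split()
        if fields and fields[0] == "/net":
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, target in find_net_symlinks(build_sample_zip()):
        print(f"suspicious symlink {name!r} -> {target}")
    print("/net automount enabled:", net_automount_enabled(SAMPLE_AUTO_MASTER))
    print(disable_net_automount(SAMPLE_AUTO_MASTER), end="")
```

The archive check flags the link before anything is opened, which is the point: once a user double-clicks the symlink the automounter has already done the work. If you apply the auto_master change on a real Mac, reload the maps afterwards with `sudo automount -vc`, and note that `xattr -l <file>` will show the com.apple.quarantine attribute on the downloaded archive but not on anything reached through the mounted share.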
Probably you’re fine disabling automounting of /net by default via /etc/auto_master. That setting is somewhat of an anachronism, mainly useful if you regularly connect to NFS shares from the Finder.
I wonder if the same issue affects other network shares such as SMB, FTP, WebDAV, AFP, etc.
If I recall correctly there was a similar issue with disk image mounts, where gatekeeper would approve something but then you could maliciously change the image behind its back.
90 days is enough; unfortunately at Apple the right hand has no idea what the left is doing.
Then he should have acted like an adult and kept it quiet. It might not be, and probably isn’t, a simple fix.
Simple fix is probably to remove or comment out /net in /etc/auto_master. Regarding disclosure, you might want to consider Bruce Schneier’s argument:
1. Full disclosure after a reasonable time limit is necessary leverage to force companies to patch their software in a timely manner.
2. The bad guys already know about this vulnerability, so it makes no sense to keep users in the dark.
https://www.schneier.com/essays/archives/2007/01/schneier_full_disclo.html
I would say that a reasonable amount of time is more than 90 days. Does anyone really think that Apple doesn’t want to fix this situation as soon as possible?