Threat To macOS Security: Gatekeeper Bypass
Some third-party utilities and apps related to archiving, virtualisation and Apple's native command-line tools do not enforce the quarantine attribute.
(Source: Apple)
Certain third-party utilities and applications can pose a threat to the integrity of a security feature on Apple macOS known as Gatekeeper. If Gatekeeper is bypassed, the user might not be protected from dangerous apps that could try to run malicious content, cybersecurity company Palo Alto Networks’ Unit 42 has reported.
Gatekeeper is a security mechanism that ensures only trusted software runs on macOS. When a user downloads software from sources other than the Apple App Store, Gatekeeper verifies that the software is authenticated and not malicious or has not been tampered with.
One of the elements of Gatekeeper security is a metadata quarantine attribute that the browser adds to newly downloaded files. This attribute makes Gatekeeper verify and examine the binary before permitting execution of a freshly downloaded file. The user's consent is requested as part of this verification procedure.
However, some third-party utilities and apps related to archiving, virtualisation and Apple's native command-line tools—including Archiver, VMware Fusion and BetterZip—do not enforce the quarantine attribute, according to Unit 42 researchers.
The report noted that in recent years, attackers and security researchers have attempted to bypass the Gatekeeper mechanism in the absence of the quarantine attribute, making the macOS vulnerable to malware.
Malware and adware families like CoinTicker, Bundlore and Shlayer use Curl, a built-in utility, to download payload and bypass Gatekeeper since curl does not set the quarantine attribute, the report added.
Apple, on the other hand, assumes third-party application developers will adhere to their security guidelines to ensure that this scanning mechanism can operate as intended. However, multiple archiving tools and applications reportedly do not comply with the standard, which may result in a weakness in the Gatekeeper mechanism.
When Unit 42 researchers reached out to Apple regarding this security issue, they received the following response: "We have determined this issue is best addressed by you sending your report to the third-party app developer. It's up to the developer to implement quarantining, and this isn't an app we can directly support."
The report suggested that third-party developers should enforce the quarantine attribute on every file their applications handle in order to comply with Gatekeeper's security requirements. By doing so, the possibility of malicious Gatekeeper bypasses can be decreased.
