Mac users take heed: A recently disclosed vulnerability present in the macOS Gatekeeper—otherwise known as the “Cavallarin” exploit—has reportedly been leveraged by adware creators. It’s times like these when we’re reminded of the best advice for keeping your Mac protected from these kinds of issues: When in doubt, install apps from the Mac App Store or trusted third-party sources, not just any ol’ thing you found on the internet.
How the Cavallarin exploit works
The macOS Gatekeeper checks all app installations to confirm they’re Apple-certified apps. If an app hasn’t received the “all clear” from Apple, the Gatekeeper will stop the installation and notify the user. You can still install your app, you just have to expressly confirm the installation—in other words, a “do you really want to do this?” check on Apple’s part.
Security researcher Filippo Cavallarin (hence the “Cavallarin” part of the exploit’s name) discovered that Gatekeeper’s criteria for “trustworthy” apps has a serious flaw that allows untrustworthy apps to trick the Gatekeeper into giving them a free pass. Due to Gatekeeper’s whitelisting of installations from external drives and network shares, here’s how an attack could play out:
“An attacker crafts a zip file containing a symbolic link to an automount endpoint she/he controls (ex Documents -> /net/evil.com/Documents) and sends it to the victim.
The victim downloads the malicious archive, extracts it and follows the symlink.
Now the victim is in a location controlled by the attacker but trusted by Gatekeeper, so any attacker-controlled executable can be run without any warning. The way Finder is designed (ex hide .app extensions, hide full path from titlebar) makes this technique very effective and hard to spot.”
Cavallarin discovered the bypass several weeks ago and gave Apple 90 days to fix it. Apple didn’t respond, so Cavallarin disclosed the exploit on May 24. Even after the public disclosure, Apple still hasn’t fixed the issue, and now the malware research team at Intego have seen the initial signs of the Gatekeeper exploit showing up online.
Intego tracked four malware samples uploaded to Virustotal on July 6, and each of these disk images pointed to the same potentially malicious app on a single, linked server. It was later determined that these were early tests—for malware now known as “OSX/Linker”—and the Intego team suspects they’re being carried out by the same developers behind the OSX/Surfbuyer malware.
While “testing” doesn’t sound too terrible at this point, Intego security analyst Joshua Long notes that the nature of this vulnerability leaves the door open for worse scenarios:
How to prevent potential Cavallarin exploits on Mac
At this point, the easiest prevention method is to stick to Apple-certified apps from the App Store above all, and have a healthy suspicion about apps you’re downloading from sources you don’t recognize. It’s unclear how long it might take Apple to patch up this vulnerability in macOS.
Intego’s premium VirusBarrier X9 and Flexivity antivirus programs have added the OS/Linker threat to their registries, and you can also use the free VirusBarrier scanner to check your system for any known threats related to the exploit. These will show up under detected threats as “OSX/Linker.” Intego is asking users who have been infected to contact them through their online submission form.
There are other prevention methods you can investigate for your system, but they are riskier, since they require disabling and editing critical macOS security measures. You can consult Intego’s blog post on the Cavallarin exploit for more information, but we recommend that you simply practice safer online habits. And if you have any doubts about what you’re about to install on your machine, give it a quick virus scan before you continue.