On February 22, cybersecurity researcher Filippo Cavallarin told Apple that he had found a bug in macOS. Left unchecked, the vulnerability could let malware slip past the operating system’s Gatekeeper security feature undetected. According to Cavallarin, Apple said it would fix the problem by mid-May. When the company still hadn’t done so by the time a standard 90-day disclosure deadline had passed, Cavallarin went public, publishing a full description and proof-of-concept code on May 24. And now, hackers have clearly taken notice.

As ZDNet first reported, cybersecurity firm Intego recently spotted malware authors testing out what the researchers call OSX/Linker, which uses a variation on Cavallarin’s proof-of-concept to sneak malicious code past Gatekeeper’s defenses. While it looks like this specific attempt hasn’t yet been used in the wild, its existence points to a looming threat to Mac owners—and Apple’s apparent reluctance to fix it.

Gatekeeping

Apple first introduced Gatekeeper in 2012, as part of OS X Mountain Lion. It works by scanning apps that you download from outside of Apple’s Mac App Store to check if they’ve been “code-signed,” a process that verifies whether software comes from the developer it claims to, and that it hasn’t been tampered with. Gatekeeper also maintains a blacklist of known malware, to flag problematic downloads before you open them.

What Cavallarin realized, and what hackers have since glommed on to, is that Gatekeeper doesn’t treat all files equally. Specifically, it considers applications coming from external drives, or shared over a network, as safe. So if you can trick someone into opening a .zip file that contains a so-called symbolic link to a Network File System server you control, you can place whatever malware you want on the victim’s system without Gatekeeper batting an eye. It’s a little bit like getting past the bouncer because you’re dressed in the uniform of the catering company.

If that still sounds like a technical jumble, here’s a video Cavallarin made that shows how it unfolds in practice.

Video: https://www.youtube.com/embed/m74cpadIPZY

Rather than a .zip file, Intego spotted malware authors tinkering with a bogus Adobe Flash installer designed to link back to an application on an NFS server. It appeared to be a trial run; Malwarebytes threat researcher Adam Thomas later deduced that the NFS server in this case hosted only a placeholder application rather than actual malware. But in an active campaign, when a victim opened the disk image to update Flash, they’d instead install a malicious app from some far-flung, hacker-controlled server.
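Both the .zip variant described above and the disk-image variant rely on the same ingredient: a symbolic link inside an archive that points somewhere the archive does not control. A defender can check for exactly that before anything is opened. The script below is an added example written for this article, not code from Cavallarin, Intego, Malwarebytes or Apple. It inspects a zip archive for symlink entries whose targets are absolute paths or climb out of the archive root, and additionally marks targets under the macOS automounter prefix /net/ or under /Volumes/ (where network shares and external drives appear), which is an assumption about where such links would point. The sample archive, including the hostname example-host.invalid, is constructed inline so the script runs offline.

```python
import io
import posixpath
import stat
import zipfile

# Assumed prefixes for network shares and external volumes on macOS
# (/net is the automounter root, /Volumes holds mounted drives and images).
# Used only as an extra severity signal; absolute targets are flagged regardless.
NETWORK_MOUNT_PREFIXES = ("/net/", "/Volumes/")


def _add_symlink(zf: zipfile.ZipFile, name: str, target: str) -> None:
    """Write a Unix symbolic-link entry into an open ZipFile (used to build the sample)."""
    info = zipfile.ZipInfo(name)
    info.create_system = 3  # 3 = Unix, so readers honour the mode bits in external_attr
    info.external_attr = (stat.S_IFLNK | 0o777) << 16  # mode lives in the high 16 bits
    zf.writestr(info, target)  # a symlink entry's data is its target path


def build_sample_archive() -> bytes:
    """Constructed sample: a fake installer bundle with one harmless and two suspicious links."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Installer.app/Contents/Info.plist", "<plist/>")
        # Relative link that stays inside the bundle: normal for app bundles.
        _add_symlink(zf, "Installer.app/Contents/MacOS/lib.dylib", "../Frameworks/lib.dylib")
        # Relative link that climbs above the archive root.
        _add_symlink(zf, "Installer.app/Contents/MacOS/launch", "../../../../escape")
        # Absolute link to a (constructed, non-resolvable) network share.
        _add_symlink(zf, "Installer", "/net/example-host.invalid/share/App.app")
    return buf.getvalue()


def find_suspicious_symlinks(zip_bytes: bytes) -> list:
    """Return (entry name, link target, reasons) for every symlink that leaves the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if not stat.S_ISLNK(mode):
                continue  # regular file or directory entry
            target = zf.read(info).decode("utf-8", "replace")
            reasons = []
            if posixpath.isabs(target):
                reasons.append("absolute-target")
                if target.startswith(NETWORK_MOUNT_PREFIXES):
                    reasons.append("mount-point-target")
            else:
                # Resolve the relative target against the entry's own directory
                # and see whether it ends up above the archive root.
                resolved = posixpath.normpath(
                    posixpath.join(posixpath.dirname(info.filename), target)
                )
                if resolved == ".." or resolved.startswith("../"):
                    reasons.append("escapes-archive")
            if reasons:
                findings.append((info.filename, target, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for name, target, reasons in find_suspicious_symlinks(build_sample_archive()):
        print(f"{name} -> {target}  [{', '.join(reasons)}]")
```

Run against a real download with `find_suspicious_symlinks(open("download.zip", "rb").read())`. Relative links that stay inside the archive are deliberately left alone, since app bundles use them routinely; the two patterns this flags are the ones that let an archive reference content the user never downloaded.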

The proof of concept Intego found appears to come from the same group behind an adware family called OSX/Surfbuyer—not all that alarming in and of itself. But the underlying vulnerability could lead to all manner of much worse mischief. “Basically any application could be used instead of adware. You could just as easily have a server that is hosting some really nasty spyware, a backdoor,” says Intego chief security analyst Joshua Long. “It’s certainly not outside the realm of possibility for any other threat actor, or advanced persistent threat, to also use the same technique to get malware installed on somebody’s computer.”

Not only that, the nature of the vulnerability means that the same imposter disk image could lead to a variety of malware day to day, depending on what the hackers place on their server. “You can use it to infect anybody with anything,” says Long.

And until Apple decides to patch it, hackers will likely try to do just that. “If one bad actor has been caught red-handed experimenting with this,” says Thomas Reed, director of Mac research at Malwarebytes, “you can bet there are others who haven't been caught.”

Slipping By

The issue of vulnerability disclosure can be fraught. On the one hand, companies need time to fix the problems that researchers find. But they also shouldn’t drag their heels. And so the industry has coalesced around a 90-day window as a reasonable deadline for a fix before a researcher goes public.

"It could certainly be used against anybody and everybody." Joshua Long, Intego

It’s not a perfect system, and it’s created plenty of tensions, particularly between Google’s bug-hunting Project Zero team and Microsoft, a frequent target of its disclosures. But with the very occasional exception, Apple has historically hit its deadlines. Which is what makes the case of this Gatekeeper bug so curious.