Image credit: AP Photo/Bebeto Matthews

Mac security hole reportedly lets attackers bypass app safeguards

You'd just need to trick the Mac into loading a network share.

Apple may have another Gatekeeper security flaw on its hands. Researcher Filippo Cavallarin has detailed a macOS vulnerability that he said would let attackers install malware without the usual permission request. Because Gatekeeper treats network shares as 'safe' locations that don't require permission checks, an intruder just has to trick the user into mounting one of those shares and can then run whatever apps they like. A maliciously crafted ZIP file containing the right symbolic link could automatically steer you to an attacker-owned share, for example, and it would be easy to trick someone into launching a hostile app -- say, a virus masquerading as a document folder.

In theory, the issue should have been fixed by now. Cavallarin said he notified Apple of the vulnerability on February 22nd, and that it was supposed to have been resolved as of macOS 10.14.5. He said it wasn't, though, and that Apple had stopped responding to his emails. He published the flaw after giving Apple 90 days to address the issue.

We've asked Apple for comment. The chances of inadvertent exposure aren't high when you'll have to open a ZIP file as well as whatever's inside the network share, but this could trip up people who aren't familiar with either remote shares or the risks of unsolicited files. It also underscores the risks of explicitly trusting certain network environments, even if there's often a good reason for it.
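
As an added defensive illustration that is not part of the original report or of Cavallarin's research, the following Python scanner lists the symbolic-link entries inside a ZIP archive and flags any whose target is an absolute path or climbs out of the extraction folder, which is the kind of entry the article describes; the sample archive and its share path are constructed placeholders, not real indicators.

```python
import io
import stat
import zipfile


def find_symlinks(zip_bytes: bytes) -> list[dict]:
    """Return one record per symbolic-link entry in a ZIP archive.

    The unix mode lives in the high 16 bits of external_attr; for a symlink
    entry the stored file data is the link target. A target that is an
    absolute path (for example onto a mounted share) or that climbs out of
    the extraction folder is the pattern worth flagging before extracting.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not stat.S_ISLNK(info.external_attr >> 16):
                continue
            target = zf.read(info).decode("utf-8", "replace")
            findings.append({
                "name": info.filename,
                "target": target,
                "absolute": target.startswith("/"),
                "escapes": ".." in target.split("/"),
            })
    return findings


def is_suspicious(zip_bytes: bytes) -> bool:
    """True if any symlink entry points to an absolute or escaping target."""
    return any(f["absolute"] or f["escapes"] for f in find_symlinks(zip_bytes))


def build_sample_zip() -> bytes:
    """Constructed sample: an ordinary file plus a folder-looking entry that
    is really a symlink to an absolute placeholder share path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "ordinary content")
        link = zipfile.ZipInfo("Documents")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark entry as a symlink
        zf.writestr(link, "/Volumes/EXAMPLE_SHARE/Documents")  # constructed placeholder
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_symlinks(build_sample_zip()):
        print(finding)
```

Running the scanner over an archive before opening it in Finder surfaces entries that look like folders but resolve elsewhere, which is exactly the trick the article warns about.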
