macOS Gatekeeper vulnerability exploited by adware company

Joshua Long for Intego:

Last week, Intego researchers discovered new Mac malware, OSX/Linker, that attempts to leverage a recently disclosed zero-day flaw in macOS’ Gatekeeper protection.

Before digging into the OSX/Linker malware, it would be helpful, for context, to discuss the “MacOS X GateKeeper Bypass” vulnerability that was publicly disclosed by Filippo Cavallarin on May 24. Gatekeeper is a technology included in macOS that is supposed to check apps downloaded from the Internet for either a revoked developer signature, or for certain specific malware that Apple chooses to detect, before allowing an app to run… Cavallarin says that he reported the vulnerability to Apple on February 22, and Apple told him that the issue would be fixed within 90 days—but Apple missed its deadline, and Cavallarin believed that Apple was no longer responding to his e-mails, so he released his findings publicly via his blog.

Early last week, Intego’s malware research team discovered the first known uses of Cavallarin’s vulnerability, which seem to have been used — at least at first — as a test in preparation for distributing malware… The disk images are disguised as Adobe Flash Player installers, which is one of the most common ways malware creators trick Mac users into installing malware. The fourth OSX/Linker disk image is code-signed by an Apple Developer ID—Mastura Fenny (2PVD64XRF3)—that has been used to sign literally hundreds of fake Flash Player files over the past 90 days, associated with the OSX/Surfbuyer adware family.

MacDailyNews Take: Ugh. The sooner Apple plugs this one, the better!

3 Comments

  1. This is where the app notarization requirement of Catalina would be helpful.

    My only concern there is whether it will require all apps to be signed and notarized, or whether I will still be able to run unsigned apps manually like I can currently.

    1. If you WANT/NEED to run unsigned apps, there’s really nothing that can protect you. All of the security methods in place are ultimately rendered useless by any user with the admin password.

      Due diligence is always a good idea, but, as even trusted repositories have been breached, the very next unsigned app you install could be the one that you’ll wish that you hadn’t.
