MacOS Mojave critical vulnerability actively exploited by cybercriminals
Cybercriminals are actively exploiting a vulnerability in macOS Mojave that allows an attacker to bypass Gatekeeper, the technology that only lets trusted software run.
Gatekeeper "considers" external media and network file shares to be safe and lets applications from these locations launch without verifying their signatures.
The vulnerability also relies on two macOS features:
- autofs and `/net/*` paths: any path starting with `/net/` is automatically mounted as a network file share. For example, listing an NFS share: `ls /net/evil-resource.net/shared/`.
- zip archives can contain symbolic link entries, so unpacking the archive on the target system triggers the auto-mount.
Together, these give the following Gatekeeper bypass scenario.
The attacker creates a zip archive containing a symbolic link to a share under their control and sends it to the victim. When the victim unpacks the archive, the attacker's share is mounted and treated as a "trusted" location. That share hosts a `*.app` application which, with the default settings of the macOS file manager (Finder), appears as a local directory or some other harmless object: the `.app` extension is hidden and the full path to the share is not shown.
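A defender can catch the archive-side half of this scenario before anything is unpacked, because the symlink and its target are stored in plain view in the zip. The following Python script is an added example, not code from the original article or from Apple: it lists every symbolic-link entry in a zip file (the link type is kept in the high 16 bits of the entry's `external_attr`) and flags any whose target is an absolute `/net/` automount path or otherwise escapes the extraction directory. The sample archive built by `build_sample_zip()` is constructed here purely as test input; the share name `example.invalid` is a placeholder.

```python
import io
import stat
import zipfile

# Paths that macOS automounts on access; only /net/ is described on the page.
AUTOMOUNT_PREFIXES = ("/net/",)


def symlink_entries(zip_bytes):
    """Return (entry_name, link_target) for every symlink stored in the zip.

    zipfile keeps the Unix mode in the upper 16 bits of external_attr; for a
    symlink entry the file body is the link target itself.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", "replace")
                found.append((info.filename, target))
    return found


def audit_zip(zip_bytes):
    """Return a list of findings for symlinks that should not be unpacked blindly."""
    findings = []
    for name, target in symlink_entries(zip_bytes):
        if target.startswith(AUTOMOUNT_PREFIXES):
            reason = "symlink target is an automount path under /net/ (triggers network mount on unpack)"
        elif target.startswith("/"):
            reason = "symlink target is an absolute path outside the archive"
        elif ".." in target.split("/"):
            reason = "symlink target escapes the extraction directory"
        else:
            continue  # relative link within the archive: not interesting here
        findings.append({"entry": name, "target": target, "reason": reason})
    return findings


def build_sample_zip():
    """Constructed test fixture: one benign file, one local symlink, one /net/ symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain file")

        local = zipfile.ZipInfo("local_link")
        local.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(local, "readme.txt")  # harmless relative symlink

        remote = zipfile.ZipInfo("Apps")
        remote.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(remote, "/net/example.invalid/share")  # placeholder automount target
    return buf.getvalue()


if __name__ == "__main__":
    for f in audit_zip(build_sample_zip()):
        print(f"{f['entry']} -> {f['target']}: {f['reason']}")
```

Run it against any downloaded archive by replacing `build_sample_zip()` with the file's bytes; an archive that contains a `/net/` symlink has no legitimate reason to exist in a software download and can be quarantined before the user ever double-clicks it.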
An example of exploiting a vulnerability:
Details were published a month ago, which allowed attackers to create malware and begin actively exploiting the flaw.
MacOS users should refrain from installing applications or downloading files from dubious sources.