Keeping Safe From The New Vulnerability 'Cavallarin' Found In MacOS

Cooky - Jul 12, 2019



A new vulnerability called Cavallarin has been found in macOS's Gatekeeper.

For a long time, macOS's Gatekeeper has been responsible for checking whether an application being installed matches one that Apple has certified. If an application arrives without an "all clear" from Apple, Gatekeeper blocks it; users who still want to install the app must explicitly confirm the installation. The "Cavallarin" exploit shows that this check can be bypassed.

Image: The new vulnerability found in macOS

The "Cavallarin Exploit"

Filippo Cavallarin, the security researcher the exploit is named after, discovered this serious vulnerability in Gatekeeper, which makes it possible for untrusted apps to obtain a free pass. The cause is that Gatekeeper whitelists applications installed from network shares and external drives, and that is where the flaw can be exploited.
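A defender-side check that follows from the paragraph above: since Gatekeeper skips applications that live on network shares and external drives, an administrator or a scan script can flag app bundles whose real location falls on such a mount before they are run. The following is an added example and not code from the article, from Intego or from the researcher; it parses a mount table in the line format printed by the macOS `mount` command (the sample lines here are constructed, not captured from a real machine) and classifies a bundle path by the filesystem it resolves to. The path is resolved with `os.path.realpath` so that a bundle whose contents actually reside elsewhere is judged by its real location.

```python
"""Flag application bundles that live where Gatekeeper does not check.

Added example (not from the article). It classifies a path as "local",
"external" or "network" using a mount table in macOS `mount` format.
"""
import os
import re

# Constructed sample of `mount` output; hostnames and volumes are made up.
SAMPLE_MOUNT_OUTPUT = """\
/dev/disk1s1 on / (apfs, local, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk2s1 on /Volumes/USBSTICK (msdos, local, nodev, nosuid, noowners)
server.example.internal:/export/apps on /Volumes/apps (nfs, nodev, nosuid, automounted)
//guest@fileserver.example.internal/share on /Volumes/share (smbfs, nodev, nosuid, mounted by guest)
"""

# Filesystem types that indicate a network share.
NETWORK_FS = {"nfs", "smbfs", "afpfs", "webdav", "cifs"}

# "<device> on <mountpoint> (<fstype>, <opt>, <opt>, ...)"
MOUNT_LINE = re.compile(r"^(?P<device>.+?) on (?P<mountpoint>/\S*) \((?P<options>[^)]*)\)$")


def parse_mounts(text):
    """Parse `mount`-style lines into dicts; unparseable lines are skipped."""
    mounts = []
    for line in text.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if not m:
            continue
        options = [o.strip() for o in m.group("options").split(",")]
        mounts.append({
            "device": m.group("device"),
            "mountpoint": m.group("mountpoint"),
            "fstype": options[0],          # first field in the parentheses
            "options": options[1:],
        })
    return mounts


def mount_for(path, mounts):
    """Return the mount entry with the longest mountpoint prefix of `path`."""
    best = None
    for mnt in mounts:
        mp = mnt["mountpoint"]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best["mountpoint"]):
                best = mnt
    return best


def classify_location(path, mounts):
    """Classify an absolute path as local, external, network or unknown."""
    mnt = mount_for(path, mounts)
    if mnt is None:
        return "unknown"
    if mnt["fstype"] in NETWORK_FS:
        return "network"
    if "local" in mnt["options"] and mnt["mountpoint"] != "/":
        return "external"   # locally attached volume other than the boot disk
    return "local"


def assess_app(path, mount_output=SAMPLE_MOUNT_OUTPUT, resolve=True):
    """Return (resolved_path, verdict). Verdict is 'ok' only for local volumes."""
    real = os.path.realpath(path) if resolve else path
    location = classify_location(real, parse_mounts(mount_output))
    verdict = "ok" if location == "local" else "review: Gatekeeper may not check apps on a %s volume" % location
    return real, verdict


if __name__ == "__main__":
    for p in ["/Applications/Safari.app", "/Volumes/apps/Tool.app",
              "/Volumes/share/Installer.app", "/Volumes/USBSTICK/Foo.app"]:
        print(p, "->", assess_app(p, resolve=False)[1])
```

On a live machine, pass the output of `mount` as `mount_output` and leave `resolve=True`; the sample table is only there so the script runs offline.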

Image: Filippo Cavallarin, security researcher

A few weeks ago Cavallarin discovered the issue and reported it to Apple, giving the company 90 days to fix it. However, no response came from Apple, so on April 5 Cavallarin published the exploit. Even after the public disclosure, Apple has still not corrected the bug. Intego's malware research team has now begun to see signs of the Gatekeeper flaw being exploited in the wild.

Intego tracked four malware samples uploaded to VirusTotal as of July 6. All of the disk images contained the same malicious application, which connected to a single server. The samples were soon identified as an initial test of a piece of malware named "OSX/Linker". The Intego team suspects that this test was carried out by the same developers who created the OSX/Surfbuyer malware.

While this "testing" has not yet become serious, Joshua Long, security analyst at Intego, explained that the nature of the vulnerability leaves the way open for far worse.

Prevention Methods

At the moment it is hard to know when Apple will fully fix this, so users need some self-protection measures of their own. The simplest is to stick to Apple-certified apps from the App Store and to be suspicious of any application downloaded from a source whose authenticity cannot be confirmed.

Users can check their system for threats related to this exploit with the free VirusBarrier, which reports them as OSX/Linker, since Intego has added the OSX/Linker threat to the detection database used by its premium antivirus products VirusBarrier X9 and Flextivity. Intego has also said that infected users can submit a sample via its online form.

Image: VirusBarrier X9

Intego's blog post on the Cavallarin exploit also suggests a few other precautions, but they are fairly risky because they require macOS security settings to be disabled or edited. For simplicity, we recommend that users get into the habit of staying alert online, being skeptical of the applications they install, and scanning for viruses before continuing.
