For home users, unfortunately there isn't a simple solution for preventing this type of attack, until or unless Apple releases a macOS security update to mitigate the vulnerability. Cavallarin describes a possible temporary mitigation (opening /etc/auto_master in a text editor and adding # to the beginning of the line that starts with /net).
Cavallarin explains it in a bit more detail on his blog[1]:
The first legit feature is automount (aka autofs) that allows a user to automatically mount a network share just by accessing a "special" path, in this case, any path beginning with "/net/". [..]
> However, because the .app inside the disk images is dynamically linked, it could change on the server side at any time—without the disk image needing to be modified at all.
Wait, what? This makes no sense: dynamic linking means that it would pull in different libraries on the user’s machine…
Oh, that makes more sense. That sentence would be much improved by switching those words around, because I’m too conditioned to apps being dynamically linked in the library/framework :)
The article author means filesystem links, not libraries. Earlier in the article:
> [...] creating a symbolic link (or "symlink"—similar to an alias) to an app hosted on an attacker-controlled Network File System (NFS) server, and then creating a .zip archive containing that symlink [...]
> it seems reasonable to speculate that all four files may have been uploaded by the same person, who forgot to mask his or her IP address until after uploading the first sample.
Or turned it off after the first sample. Or switches proxies randomly. It's good they brought up that the IP can be masked, but they could go one step further...
> The disk images are disguised as Adobe Flash Player installers, which is one of the most common ways malware creators trick Mac users into installing malware.
Most Mac users know that Flash is a piece of malware itself and would never be fooled into installing it.
It was a tongue in cheek statement about the fact that Mac users have long ago sworn off using Flash on their systems. It's a bloated CPU-intensive piece of crapware.
That's intentional. The most successful fishing emails, sketchy ads, etc are obviously bad to anyone savvy. They design it so that only computer illiterate people end up falling for it, as they have no chance of fixing the problem themselves.
18 comments
[ 12.2 ms ] story [ 101 ms ] threadsudo vi /etc/auto_master
#/net -hosts -nobrowse,hidefromfinder,nosuid
For home users, unfortunately there isn't a simple solution for preventing this type of attack, until or unless Apple releases a macOS security update to mitigate the vulnerability. Cavallarin describes a possible temporary mitigation (opening /etc/auto_master in a text editor and adding # to the beginning of the line that starts with /net).
The first legit feature is automount (aka autofs) that allows a user to automatically mount a network share just by accessing a "special" path, in this case, any path beginning with "/net/". [..]
[1] https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypas...
Assumably commenting out the line quoted by gp disables automount for network shares which start with "/net" in their path.
Wait, what? This makes no sense: dynamic linking means that it would pull in different libraries on the user’s machine…
> [...] creating a symbolic link (or "symlink"—similar to an alias) to an app hosted on an attacker-controlled Network File System (NFS) server, and then creating a .zip archive containing that symlink [...]
Or turned it off after the first sample. Or switches proxies randomly. It's good they brought up that the IP can be masked, but they could go one step further...
[0] https://news.ycombinator.com/item?id=20008313
Most Mac users know that Flash is a piece of malware itself and would never be fooled into installing it.