Hello, welcome to the Tuesday, May 28, 2019 edition of the San San Antonio's StormCast. My name is Johannes Ulrich.

And today I'm recording from San Antonio, Texas.

To start out with today, we have a macOS vulnerability, and it was discovered by Philippo Kavallarney and does result in a bypass of

Gatekeeper.

Gatekeeper is a tool that was introduced by Apple in order to flag any downloads as suspicious

and the user typically has to acknowledge that the file was downloaded before it's being executed.

The trick that Philippo found could lead to an attacker sending a remote file to a victim

that will then execute the file without gatekeeper interfering.

It's actually pretty simple. The way it would start out

with is that the attacker would send a SIP file to the victim. The victim then opens the SIP file

and within the Sip file there is a symbolic link. Now this symbolic link does point to a special path within

macOS that points to a network share that the attacker is set up. Now this doesn't have to be

just SMB, could be NFS and the like, and gatekeeper does consider network shares as safe. So gatekeeper does not warn the user in this

case of downloaded files, but these network shares will be mounted automatically as soon as

the user clicks on the link that directs them to a path that does imply network drive.

So overall, a pretty neat trick, and I think the root problem here is that network shares are considered safe,

and that's not necessarily easy fixed because network shares of course happen they exist in companies

all over the place and if you would mark all files on network shares as unsafe that of course

would be quite disruptive to users in these scenarios maybe a compromise would be

the only mark new network shares as unsafe and

then ask the user whether or not they actually would like to connect to them instead of automatically

connecting to these network shares. Overall reminds me a little bit of some of the problems that we

...