
macOS Gatekeeper security at risk due to third-party utilities


Several third-party applications, such as VMware Fusion, iZip, Archiver, BetterZip, WinRAR, and 7z Utility, and native command-line tools, are failing to enforce the quarantine attribute, potentially allowing malicious applications to bypass Gatekeeper, the system’s core defence against unauthorised software execution.

These tools fail to ensure that extracted content inherits the quarantine attribute when unpacking files such as ZIP, TAR, and 7ZIP archives, leaving the extracted files unchecked by Gatekeeper.

VMware Fusion also drops the quarantine attribute when copying files between host and guest macOS virtual machines. This poses a risk for users who may unknowingly transfer compromised files into their systems.

Gatekeeper is a security mechanism built into macOS that prevents the execution of unverified software. It is crucial to ensure that only trusted applications can run on the system. It requires downloaded files to carry a specific metadata marker, known as the ‘com.apple.quarantine’ attribute.

This attribute triggers Gatekeeper to verify that the file is from a trusted source and has not been altered or tampered with. Without this quarantine attribute, the downloaded software bypasses Gatekeeper’s validation checks, allowing potentially harmful applications to execute without the user’s consent or awareness.

The core issue identified by researchers lies in the failure of certain third-party utilities and applications — particularly those related to archiving, virtualisation, and command-line tools — to enforce the quarantine attribute.

The attack chain explained. | Source: Unit 42

According to the researchers, this weakness arises because Apple assumes developers will follow security guidelines to propagate extended attributes like ‘com.apple.quarantine.’ However, many applications do not propagate these attributes properly, allowing malware and other risky applications to slip past Gatekeeper’s defences.

In addition to third-party tools, Apple’s native command-line utilities, such as ‘curl’ and ‘scp,’ were found to bypass the quarantine attribute entirely, further compounding the issue. These Unix-based tools, commonly used for networking and file management, do not trigger Gatekeeper’s checks when downloading or unpacking files.
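A defender-side check for the gap described above, added here as an example and not code from the article or from Unit 42: after an archive is unpacked, list the extracted files that lack ‘com.apple.quarantine’ and copy the archive’s own quarantine value onto them so Gatekeeper still assesses them. It assumes Python 3 on macOS, where os.getxattr/os.setxattr reach the real attribute; the dict-backed mode of XattrStore, and every path and attribute value in it, are constructed for dry runs and tests.

```python
"""Audit and re-apply com.apple.quarantine after an archive is unpacked.
Added example (not the article's or Unit 42's code). On macOS XattrStore()
uses real xattrs; passing a dict gives an in-memory store for dry runs."""
import os
import sys
from typing import Dict, Iterable, List, Optional

QUARANTINE = "com.apple.quarantine"

class XattrStore:
    """Thin wrapper over os.getxattr/os.setxattr, or over a dict (constructed)."""
    def __init__(self, fake: Optional[Dict[str, bytes]] = None):
        self.fake = fake

    def get(self, path: str) -> Optional[bytes]:
        if self.fake is not None:
            return self.fake.get(path)
        try:
            return os.getxattr(path, QUARANTINE)
        except OSError:  # ENOATTR / ENODATA / ENOTSUP: no attribute present
            return None

    def set(self, path: str, value: bytes) -> None:
        if self.fake is not None:
            self.fake[path] = value
        else:
            os.setxattr(path, QUARANTINE, value)

def missing_quarantine(paths: Iterable[str], store: XattrStore) -> List[str]:
    """Extracted files the tool left unmarked, which Gatekeeper would not assess."""
    return [p for p in paths if store.get(p) is None]

def propagate_quarantine(archive: str, paths: Iterable[str],
                         store: XattrStore) -> List[str]:
    """Copy the archive's own quarantine value onto every unmarked extracted file
    and return the marked paths. Fails if the archive itself is unmarked (e.g.
    fetched with curl), since then there is no trustworthy value to copy."""
    value = store.get(archive)
    if value is None:
        raise ValueError(f"{archive} has no {QUARANTINE}; nothing to propagate")
    marked = missing_quarantine(paths, store)
    for p in marked:
        store.set(p, value)
    return marked

if __name__ == "__main__":  # usage: quarantine_check.py archive.zip extracted_dir
    archive, root = sys.argv[1], sys.argv[2]
    files = [os.path.join(d, n) for d, _, names in os.walk(root) for n in names]
    for p in propagate_quarantine(archive, files, XattrStore()):
        print("quarantine applied:", p)
```

Running it right after extracting with one of the affected tools makes the missed files visible and restores the marker; an archive that arrived without the attribute in the first place is reported rather than silently passed over.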

After researchers reported their findings, the third-party vendors responded and rectified the issue. For instance, BetterZip reported that it has been enforcing the quarantine attribute since version 5, with further updates planned for nested archives. Archiver and iZip also confirmed upcoming updates to address the issue, ensuring extracted files inherit the necessary quarantine metadata.

Meanwhile, VMware acknowledged the limitation of relying on the quarantine attribute for Gatekeeper’s functionality. They advised users in high-security environments to configure macOS only to allow applications from the App Store, thereby enhancing the system’s overall security posture.

Apple said that the developers of third-party applications are responsible for fixing the issue, signalling that Apple may not take direct action to enforce these requirements across the ecosystem.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
