macOS gatekeeper and file quarantine bypass | Better HN

macOS gatekeeper and file quarantine bypass | Better HN

119 comments

Fascinating article. Short version: there was a bug in the part of Apple’s Gatekeeper code that checked whether a file was an application bundle. Bundles that only contained a script, and not a plist file, were considered “not a bundle,” and this bypasses the Gatekeeper checks.

The issue is fixed in the latest version of Big Sur. Be sure to upgrade. It’s being exploited in the wild.

What about macOS Catalina users? Any updates / fixes for them? Do you happen to know?

It appears this behavior was introduced in Catalina, so I’d assume a complimentary fix to 11.3 will be available for 10.x - no word on timing AFAIK.

therealmarv4y ago

The bad thing is: They patched Catalina less than Big Sur with the new update :(

Compare "Gatekeeper" fixed issues here:

https://support.apple.com/en-us/HT212326 Catalina

https://support.apple.com/en-us/HT212325 Big Sur

Feels for me that they only patched one part of it on Catalina but gates are more open on the older macOS. Really don't like that.

LeoPanthera4y ago

Is this how early versions of the Zoom installer bypassed gatekeeper for a zero-click install?

Xeago4y ago

That worked by using the preinstall check that Installer.app invokes to do the installation. It would finish by force quitting Installer.

> Be sure to upgrade.

This is a technical crowd, so some of us don't need to rush to download things like this. I'll upgrade when it's convenient, thank you very much.

sildur4y ago

Funny that when you started with "this is a technical crowd" I thought you will continue with "we don't need to be reminded to upgrade".

Why is the technical crowd less in need of an upgrade? My proverbial “grandmother” only accesses her gmail and one news page. Arguably she’s at less risk than someone testing new software.

healsjnr14y ago

Given the ease and severity of this I don't think being technical does anything for you.

I am grateful for the "upgrade now" message being pushed it. As a technical user I can't trust my skills and knowledge to truly keep me safe from this one.

Gatekeeper is one of the most frustrating things I have to fight whenever I try using MacOS. It feels like DRM for my applications, which in turn makes everything feel clunkier, and less integrated. I would genuinely pay Apple extra for a version of MacOS that just trusts me and lets me install what I want without the some esoteric mechanism stopping me at every step of the way...

Wowfunhappy4y ago

Then turn it off. Open the Terminal and run:

    sudo spctl --master-disable

That's it, it will never bother you again, unless you turn it back on or reinstall the OS from scratch. If macOS is still too limiting, you can also turn off System Integrity Protection, at which point you can do just about whatever the heck you want.

I personally kept both Gatekeeper and SIP turned off, back when I used modern macOS. But if they are turned on, they ought to work.

jcelerier4y ago

No, this still keeps some gatekeeper checks, popups when downloading files, weird arguments being passed to apps on first launch, etc. Even if doing it in the root recovery mode.

joshspankit4y ago

Does turning those off still leave the logs redacted?

Or do you also have to install the profile after you tell it to get out of your way?

unicornporn4y ago

What would I need to get it down to a Mojave level of inconvenience?

gdavisson4y ago

It's not that macOS doesn't trust you, it's that macOS doesn't trust the programs you're running. Specifically, it doesn't trust the programs to do what you want them to, and only what you want them to.

And it's not just a matter of protecting you against out-and-out malware (although that's certainly part of it), it's a matter of protecting you against developers whose interests don't entirely align with yours. Developers who really want to spy on their users seem to be the biggest group (see, for example, the recent Apple vs. Facebook kerfuffle).

Unfortunately, distrusting software does add friction, especially if you add (/update-via-unsupported-mechanisms) new software frequently. "Are you sure you meant to run this program? It looks weird to me; I think you should get rid of it. Should it really have access to your contacts/camera/etc?" macOS is acting a little like an overprotective parent here, and it's certainly annoying. But the threats it's trying to protect you from are real. You can turn the protections off (with a certain amount of work), but then you're vulnerable to all the stuff it's there to protect you from.

P.s. I don't mean to completely defend Apple here. Their preferred solution is to have all software distribution go through their App store... where they get a cut of the price. Which means they're also on the list of developers whose interests don't entirely align with yours.

I understand what Apple's intentions here are, but abstracting away a security risk is only inviting disaster, and it's kinda endemic of an issue throughout Apple's ecosystem: their whole game is about reducing the power of the end user. It makes sense from some angles, security being one, but it also impedes the freedom of choice. Instead of engineering their software to appeal to the lowest common denominator, they should be empowering people who want to push beyond that envelope and offering extensibility to those who want to take advantage of it.

This is a weird way to justify it.

I told macOS to run that program because I trust it. If macOS trusts me then it transitively trusts the program I told it to run.

In other words macOS doesn't trust me to validate programs before I try to run them.

kstrauser4y ago

What frustrates you about it? I rarely bump into Gatekeeper and I'm doing the normal dev things.

Isthatablackgsd4y ago

I'm assuming you don't use the package manager like Homebrew or MacPorts? this is where the gatekeeper will annoy the hell out of me. Apps installed via Homebrew often will encounter Gatekeeper alerts. Half of them will give the option to open it and the other half, the gatekeeper --demands-- gently ask me to put it in the Trash without the option to open it.

11 more replies

lovelyviking4y ago

Sometimes I compile my program and when I move it to the Applications folder and trying to run MacOS says, you do not have permission to do it. May be it's not a gatekeeper, who knows.

The keyword here is sometimes This is what I Love about current state of MacOS.

To fix it nothing works until you delete it completely and only then if you lucky etc ... It just reminds me those old good days with Microsoft many years ago. Turn it off then turn it on few times .. it may work ...

cloogshicer4y ago

Agreed. It's ridiculous that we can't even fully disable it in the latest macOS releases (the commands others posted below don't work in Big Sur to completely disable quarantine).

Thankfully there is a simple workaround: https://hiringengineersbook.com/post/disable-quarantine/

Wowfunhappy4y ago

Note, the single command does turn off Gatekeeper. File quarantine is separate and needs a separate command. That is as it should be IMO, they’re completely different things.

You can disable Gatekeeper.

https://disable-gatekeeper.github.io/

fiddlerwoaroof4y ago

Apple has been moving toward a capability-based security model for a while now, I think: it’s a bit annoying because their implementation also acts like DRM, but I think the mode itself is a better security model than standard POSIX file permissions and ACLs

pehtis4y ago

I will never understand why "Show all filename extensions" is unchecked by default in Finder.

Closi4y ago

It's also unchecked in Windows by default - I suspect that in reality the concept of extensions probably confuses some users, who end up changing the extension and then struggle to work out how to open their saved files.

( I always prefer to see the extensions too though :) )

setr4y ago

Windows gives you a big warning when you change the extension, which seems to me both sufficient and better than hiding the extension altogether (which, like URL hiding, is a fairly dangerous and largely unnecessary convenience)

ziml774y ago

Isn't it also confusing for the average user when they end up with identical looking files? I didn't realize that macOS had per-file extension hiding until I synced some images over from my iPad. I ended up with files that I couldn't tell apart at a glance because they had the same name but were different image file types. I'm now torn if I actually want to force all extensions to show because I think showing applications as "Foo.app" is ugly (I know, it's a stupid reason to dislike the option...)

This is an outdated mindset. Literally everyone knows the difference between .docx and .jpg in 2021.

elliekelly4y ago

Is there any way to turn this off only for applications? Or even just in the applications directory? I find it irrationally annoying that everything in the applications folder shows the ".app" extension.

floatingatoll4y ago

If you use the dashboard app switcher (iirc the F3 or F4 key), it hides .app in that list, it has a search field and I believe it accepts drag-and-drops.

That’s not exactly an answer to your question, but there’s a chance it’s an acceptable solution, so duly noted.

boomboomsubban4y ago

Genuine question, does MacOS actually care about file extensions? I would guess not, though there are probably some compatibility features that will do things if they are there.

pehtis4y ago

Yes it cares. If you rename a folder to folder.app then it will change to look and "behave" like an app. Or if you change the extension of a video file to mp3 you'll loose the icon preview.

Finder does try to help with renaming and when you try to rename a file only the filename is selected and not the extension.

bobbylarrybobby4y ago

I was under the impression that unless a file contains some other metadata (most don't), that the extension is the way the OS chooses which app to use to open it.

bigbizisverywyz4y ago

OSX does care, but classic Mac OS didn't used to. It had a separate resource fork that described what the file was, and after that you could name it anything you liked.

trissylegs4y ago

Yes. Take a JPEG with extension. It opens fine. Get a file with .jfif macOS doesn't know what the hell it is. Same file format, weird extension. (For some reason twitter was saving files as .jfif for a while)

benhurmarcel4y ago

Unchecked by default is fine, what bothers me a lot is that it's impossible to display filename extensions on iOS/iPadOS.

spurgu4y ago

Or how to navigate to /Users/<username>. You have to manually add it to the sidebar from Preferences.

gempir4y ago

That part is so perplexing. Apple wants you to use that folder! Multiple useful things are stored in it, but you have to jump through hoops to go do it. It should be added as a favourite by default.

jpeter4y ago

Same on windows

Does anyone know how trustworthy this objective-see project is?

I remember once installing several of his apps, but then coming to the conclusion that i don't know enough - even though he consistently seems to find and fix flaws in OSX.

Why isn't Apple hiring this man?

EDIT: Why are people downvoting this question? If i'm implying something then i'm unaware of it.

The tools are legit, and the bugs are real, but he has a distasteful habit of feeding sensationalist quotes to outlets like Forbes and Vice.

This time, he told Forbes that "the hacks effectively take Mac security back a decade" [1], and Vice quotes him as saying "this is likely the worst or potentially the most impactful bug to everyday macOS users in recent memory". [2]

Forbes ran the story with the headline "The ‘Worst Hack In Years’ Hits Apple Computers", and that's bullshit.

1. https://www.forbes.com/sites/thomasbrewster/2021/04/26/updat...

2. https://www.vice.com/en/article/wx5855/massive-mac-apple-sec...

Thanks for the insight! Seems like quite a talented dude but with the mandatory eccentricity that seemingly often comes with . Great to know that the tools are legit.

savoytruffle4y ago

Some people don't want to be coerced into working remotely near Cupertino …

And that's fair, i wouldn't either, what i mean is they should seriously consider giving him some consultancy fees, bounties / whatever since he's consistently doing good work.

jrochkind14y ago

i don't get it

aledalgrande4y ago

Is it me or Apple isn't even listing the patch in the 11.3 changelog? https://developer.apple.com/documentation/macos-release-note...

infinita7404y ago

Security patches are in a separate article: https://support.apple.com/en-us/HT212325

aledalgrande4y ago

Oh cool thanks!

I’m really disappointed that this blog post didn’t dive into why the bug vanishes with SIP disabled.

tehwebguy4y ago

Does this mean we can trick Big Sur into not treating TypeScript files like DVD rips?

sharikone4y ago

I feel that macOS has slowly become a mess. From Lion, more or less.

Overcomplicated and bloated security features, telemetry, iOSification of the UI, dumbed down settings, bugs..

Perhaps the time has come to shed some legacy and restart again from scratch (like Google Fuchsia) or to invest some of the hundreds of billions they have in refining the software so it actually works

zanethomas4y ago

nice!!!

pier254y ago

Did Apple finally fix the bug where every Big Sur update nukes Xcode tools like Git?

ezfe4y ago

No problems here - I'm on beta cycle so I get new Big Sur updates fairly often (every few weeks) and haven't had any git issues.

Quiark4y ago

Somehow none of this is applied to packaged shell script into an .app which runs on double-click with no message whatsoever. Malware doesn't always have to be a binary...

j / k navigate · click thread line to collapse