AV-Comparatives found a flaw in a macOS security feature that allowed unidentified apps to run (bypassing Gatekeeper checks)
In spring 2019, AV-Comparatives ran a team-building event in which its research team was asked to find security bugs in macOS. It was planned as a relaxed afternoon of co-operative activities and pizza, but the team found a security flaw in macOS Mojave 10.14.4 and earlier versions. The issue allows Gatekeeper to be bypassed, so that apps from outside the App Store that are not signed by an identified developer can be executed without the usual warning. The method requires no specialist knowledge or programming ability: anyone who can create, copy and rename folders in Finder could reproduce it from a few simple instructions.
AV-Comparatives reported the issue to Apple in March 2019. Apple acknowledged the discovery and released a security update for Mojave in mid-May 2019, but has so far not patched earlier macOS versions. For that reason AV-Comparatives is not disclosing the details yet, to avoid any possibility of the flaw being exploited. More details of CVE-2019-8589 will be provided in our Mac Security Test Report, to be released at the end of June. Apple's entry for the fix in its security-update notes reads:
Available for: macOS Mojave 10.14.4
Impact: A malicious application may bypass Gatekeeper checks
Description: This issue was addressed with improved checks.
CVE-2019-8589: Andreas Clementi, Stefan Haselwanter, and Peter Stelzhammer of AV-Comparatives
After finding the OS vulnerability, the researchers repeated the test with several well-known antivirus products for macOS installed. In every case the AV product blocked the test samples that Gatekeeper had allowed to run. For the samples tested, then, an AV program would have protected the system against the threats that bypassed Gatekeeper, which shows that it does make sense to use antivirus software on macOS alongside, not instead of, keeping the OS itself patched.
What does this mean for end users?
- Always update your operating system and all third-party tools and software
- Use IT-security software
- Check the quality of IT-security products by reading the latest reports of independent testing labs
- More tips can be found here: https://www.av-comparatives.org/it-security-tips/
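A small triage helper for the "keep your OS updated" advice above, added here as an example (it is not code from AV-Comparatives or Apple). It classifies a macOS version string against the affected range the article gives (Mojave 10.14.4 and earlier, with pre-Mojave releases still unpatched when the article was written) and, when run on a Mac, reports the live Gatekeeper policy with `spctl --status` and assesses an app bundle with `spctl --assess` the way Gatekeeper does before first launch. The range logic and the function names are assumptions of this example; `sw_vers` and `spctl` are standard macOS commands.

```shell
#!/bin/sh
# Added triage helper (example code, not from AV-Comparatives or Apple).
# Assumption taken from the article: Gatekeeper on macOS Mojave 10.14.4 and
# earlier can be bypassed (CVE-2019-8589); Apple's fix shipped as a Mojave
# update in mid-May 2019, and pre-Mojave releases were still unpatched when the
# article was written. So: Mojave builds numerically above 10.14.4 are treated
# as patched, everything at or below 10.14.4 (and all pre-Mojave) as affected.

# mojave_affected VERSION -> prints "yes" if VERSION falls in the affected range.
# Accepts "10.14", "10.14.4", "10.13.6" etc. (a missing patch level counts as 0).
mojave_affected() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    [ -n "$patch" ] || patch=0
    if [ "$major" -eq 10 ] && [ "$minor" -lt 14 ]; then
        echo yes            # High Sierra and earlier: no fix at time of writing
    elif [ "$major" -eq 10 ] && [ "$minor" -eq 14 ] && [ "$patch" -le 4 ]; then
        echo yes            # Mojave 10.14.0 .. 10.14.4: affected
    else
        echo no             # Mojave update from mid-May 2019 or later
    fi
}

# gatekeeper_report [APP_BUNDLE] -> live checks; only meaningful on a Mac.
gatekeeper_report() {
    if ! command -v sw_vers >/dev/null 2>&1; then
        echo "sw_vers not found: not running on macOS, skipping live checks" >&2
        return 1
    fi
    ver=$(sw_vers -productVersion)
    echo "macOS $ver: in CVE-2019-8589 affected range = $(mojave_affected "$ver")"
    # Gatekeeper policy state: expect "assessments enabled".
    spctl --status
    # Optional: assess a bundle the way Gatekeeper does before first launch;
    # spctl prints "accepted" or "rejected" plus the matching rule.
    if [ -n "$1" ]; then
        spctl --assess --type execute --verbose "$1" || echo "$1: not accepted by Gatekeeper"
    fi
}

# Usage: sh gatekeeper_check.sh /Applications/Some.app
# Without an argument the file only defines the two functions, so it can be sourced.
if [ $# -gt 0 ]; then
    gatekeeper_report "$1"
fi
```

Run it with an app-bundle path on the Mac you are checking; `spctl --assess` returns a non-zero status for a rejected bundle, so the `|| echo` keeps the report readable instead of silently stopping.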
What does this mean for anti-virus software vendors?
- AV products might protect you when the OS fails to do so
- Go for third-party evaluation and quality assurance, and external independent certifications
What does this mean for OS vendors?
- Co-operation with security researchers, AV-testing labs and others should be stepped up.
- Bug bounty programs might help to find more bugs
What does this mean for independent anti-virus security testing labs?
- Labs need to evaluate the security features built into the OS, amongst other things, when designing test methodologies
- The value of AV-Comparatives’ approach, which includes assessing the security measures built into the tested OS, has been demonstrated.
- Third-party security testing is more important than ever, for AV-software vendors as well as for OS vendors.