Gatekeeper vs. .terminal and .fileloc Files

Vladimir Metnew (2020, tweet):

Popular macOS apps with a file-sharing functionality didn’t delegate file quarantine to OS leading to File Quarantine bypass (Windows MOTW analogue) for downloaded files.

[…]

Many popular products like Keybase, Slack, Skype, Signal, Telegram decided to fix the issue, but the vulnerability remains unfixed in file-syncing apps: Dropbox, OneDrive, Google Drive, etc.

[…]

Apple knows that it’s possible to execute files on the device with .fileloc. Apple also knows that all default apps have quarantine enabled.

Launching a quarantined file with .fileloc doesn’t have security risks, because the user will be asked to confirm file launching.

That means, .fileloc is not a vulnerability by itself unless there are files without a quarantine attribute.

[…]

OneDrive removes quarantine meta-attribute because Apple granted it com.apple.security.files.user-selected.executable entitlement. […] Apple’s head of macOS security made an exception for OneDrive 😯.

And file sync apps outside the Mac App Store don’t apply it, either.

Jeff Johnson:

Remember my sandbox escape that Apple said doesn’t have any actual security implications?

Well it has actual security implications.

Thomas Reed:

Apple has done EXACTLY what I was hoping they would do to cope with the plague of adware installing malicious configuration profiles! In Big Sur, it will no longer be possible to install these profiles via the command line, or in any way without explicit user consent! 🤩

Previously:

• Mac Sandbox Escape via TextEdit

Dropbox Entitlements Gatekeeper Google Drive iCloud Drive Launch Services Mac macOS 10.15 Catalina macOS 11.0 Big Sur Microsoft OneDrive Security Syncing

1 Comment RSS · Twitter · Mastodon

---

Leave a Comment

Name

E-mail (will not be published)

Web site

Δ