Is that truly legit? It’s very similar to having web servers accept URL paths containing full paths or “../“, both of which have been the cause of many security vulnerabilities.
That should be disabled by Apple, if not removed completely.
If this is the case, a potential solution is to track external mounts and to prompt a user when accessing a new drive for the first time, especially in the case that the OS has read or written a new symbolic link pointing to an external file system.
I agree with other commenters who say that the NFS auto-mounter should likely default to off on fresh installs. If there is a concern about this breaking enterprise configurations, set NFS to default into a prompt before mounting mode.
As far as the issue of symbolic links in zip files, I'm not sure there's much to be done (except perhaps issuing a warning that would be difficult for most users to parse). I mentioned elsewhere that this functionality is not unique to macOS or to zip.
The final issue that I see is that Finder hides so much metadata (which could be useful for a reasonably sophisticated user). I'd like to see a prominent indication of a cross-filesystem symbolic link. Likewise, it'd be worthwhile to have a clear visual indication when browsing a remote file system.
Gatekeeper (in a wider sense) actually is two things:
Firstly, it is a user setting choosing what software to trust: only software downloaded from the Mac App Store, everything that’s signed, or ‘everything’.
The first two settings require applications to be signed. That doesn’t say anything about whether they are safe to run, but it does allow Apple to find out who developed malware, if it is discovered.
Secondly, applications that download executables can opt in on signaling to Gatekeeper “the first time the user runs this executable, ask for user confirmation”. They do that by setting an extended file attribute on the executable. Gatekeeper removes it if the user indicates the executable can be run.
Neither feature cares from where the executable is launched. External drives are very common (think USB drives), so they ‘had’ to be included. I would guess NFS shares slipped through the net, but possibly, there are companies that use NFS shares.
Of course, that “opt-in” is a weak point. They couldn’t do a lot better because, when Gatekeeper was introduced, users already had lots of executables, and they didn’t want users to pick the ‘everything’ option after being bombarded with Gatekeeper dialogs.
I say "in both directions" because, even more crazily, unless the NFS server is just for anonymous guest access, it's trusting the client connecting to it to assert which users the client is operating on behalf of. Anyone who can connect to an NFS server as a non-"nobody" user, can create or modify files as if they were root or whichever other UID they like. (Basically, the only authorization ACLs the NFS server tracks are for the client device. Users don't log into NFS servers; devices do.)
NFS really only works securely, in use-cases where both sides of the NFS connection are managed devices that don't let anyone except the domain administrator (including people with physical access to the hardware!) become root on them. (Or, I guess, when you're just standing up a read-only disk server to serve a rootfs to a bunch of thin clients. "PXE boot to NFS" is a pretty cool setup, though one that's been mostly superceded by streaming big initramfs images to client memory on boot.)
The reason for the NFS automounter in macOS, is that macOS actually used to use NFS to implement Portable Home Directories (Apple's answer to Windows' Roaming User Profiles.) This feature would only even kick in if the user profile with the NFS path as its homedir, came from your network OpenDirectory domain. (I believe the NFS server and the OpenDirectory server had to both share the same Kerberos auth realm, too.) So, in other words, your device would have to be a fully "managed" one—one of the very devices mentioned above, that doesn't even let its physical possessor become root on it—before the OS would ever deign to provide the NFS automounter anything to chew on.
The automounter itself was never really secured, though; all the security was in the glue determining what the automounter could "see." (You can't really secure the automounter itself without breaking the semantics of "transparent access to NFS shares of your domain." And if you're not locked into legacy 1970s-timesharing-BSD-cluster network semantics, then you may as well just drop NFS and use a better technology like SMB.)
# Automounter master map
+auto_master # Use directory service
/net -hosts -nobrowse,hidefromfinder,nosuid
/home auto_home -nobrowse,hidefromfinder
OTOH I might have left it in there to make it easier to mount NFS volumes.
Tangentially, had anyone noticed a weird zooming bug on mobile safari that appears to cancel a zoom gesture and jump back to the unzoomed view? Quitting the app from the app switcher appears to fix it.
yes, it happens on my ipad pro running ios 12.2 (16E227). have been meaning to upgrade thinking that would fix it, but maybe that’s not the case?
What browser/mobile OS are you using?
Great, so now, potentially, there are lots of people who will lose all of their baby photos, lose money or even their contact with people who are important to them just because of some arbitrary number of days you made up and because you feel slighted by apple.
This could have real consequences and you can’t expect a big company to move faster just because you want them to. I have now knowledge of the internals of the development of MacOS, but maybe this isn’t trivial to fix.
I never said they shouldn't do anything, I said that releasing this information before there is a patch for the vulnerability strikes me as wrong.
I believe Apple could easily have asked for an extension, if solving it was complex.. Apple chose not to.
(from the information available to us..)
What does that mean? Is there proof? How long do you wait before you call not getting a response 'dropping'?
The potential consequences require more than this.
As is, this is a phishing type variant that it’s not at all clear gatekeeper was even designed to stop. However, the default behavior described (especially making symlinks to NFS shares without any sort of warning or special graphic when following them in Finder) seems sufficient for forceful language when complaining about it to Apple / giving a disclosure deadline then publishing.
> Great, so now, potentially, there are lots of people who will lose all of their baby photos, lose money or even their contact with people who are important to them just because of some arbitrary number of days you made up and because you feel slighted by apple.
For all we know this has already been happening since the gatekeeper was implemented in 2012.
A. Leave the hole open for all crackers who already figured it out, thereby leaving a security hole open for possibly all time. Apple apparently weren’t fixing it; they first said they were going to, but then didn’t do it, and then ceased all communication.
B. Tell the world, thereby forcing Apple to fix the issue. This leaves all Apple users vulnerable to more people than choice A, but only, one would assume, for a limited time.
The ideal situation would of course have been C: Apple promptly (or at least within 90 days) fixes the issue upon being informed of it, before the world at large was made aware of it. But Apple chose not to pick this option. Only option A and B remained.
As a separate datapoint, Google's Project Zero has a default 90 day public disclosure period too.
Generally, it's highly likely that the (really) bad guys already know about the exploit. Leaving the exploit known only to them and the vendor doesn't help the most vulnerable (ie, those targeted by the (really) bad guys)
~3 months is also a reasonable amount of time for coding, review, testing, QA, etc. I don't know if the author was up front about the 90 day deadline with Apple, and if not, that's not particularly friendly, but it's not out of line with other major players in the space.
As an Apple user, the only part about this situation that is disappointing is Apple.
Depressingly, there still isn't an overall competitor that can deliver products that meet my requirements as well as Apple can, so I remain stuck.