The report notes that in recent years, attackers and security researchers have bypassed Gatekeeper by delivering files that lack the quarantine attribute (the com.apple.quarantine extended attribute). Gatekeeper only inspects files that carry this attribute, so a file that arrives without it is never checked, which leaves macOS more exposed to malware.
Malware and adware families such as CoinTicker, Bundlore, and Shlayer use the built-in utility curl to download their payloads and bypass Gatekeeper. The report explains that this works because curl does not set the quarantine attribute on the files it writes, unlike a browser or mail client.
Meanwhile, Apple expects third-party application developers to follow its security guidelines so that this scanning mechanism works as intended: any application that downloads or unpacks files is supposed to set or propagate the quarantine attribute. However, the report found that several archiving tools and other applications do not do this, and files they write therefore escape Gatekeeper's inspection.
When Unit 42 researchers contacted Apple regarding this security issue, they received the following response: "This issue is best resolved by submitting a report to the third-party app developer. It is up to the developer to implement isolation. This is not an app that we can directly support."
The report concludes that third-party developers must set the quarantine attribute on all files their applications download or extract, so that those files are subject to Gatekeeper's checks. Doing so reduces the chance of malware bypassing Gatekeeper.
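The following shell script is an added example, not code from the Unit 42 report or from Apple, that shows the two sides of the point above: how to check whether a file carries the com.apple.quarantine attribute Gatekeeper keys on (a file written by curl -o will not), and how a downloader should tag its output so Gatekeeper inspects it. It assumes the attribute value layout commonly observed on files downloaded by Safari (flags in hex, download time as epoch seconds in hex, agent name, UUID); the flags value 0083 and the agent name MyDownloader are illustrative assumptions. The xattr(1) calls only work on macOS; the value builder is plain POSIX shell.

```shell
#!/bin/sh
# Added example (not from the Unit 42 report): inspect and set the
# com.apple.quarantine extended attribute that Gatekeeper relies on.
QUARANTINE_ATTR="com.apple.quarantine"

# Build a quarantine value. Assumed layout, as seen on Safari downloads:
#   <flags hex>;<download time, epoch seconds in hex>;<agent name>;<UUID>
# $1 = flags (hex string), $2 = epoch seconds (decimal), $3 = agent, $4 = UUID
quarantine_value() {
    printf '%s;%x;%s;%s' "$1" "$2" "$3" "$4"
}

# Exit status 0 if the file carries a quarantine attribute, 1 otherwise.
# xattr(1) ships with macOS; most Linux systems lack it.
has_quarantine() {
    xattr -p "$QUARANTINE_ATTR" "$1" >/dev/null 2>&1
}

# Tag a file the way a well-behaved downloader or archiver should.
# $1 = file, $2 = agent name. 0083 is an assumed, commonly seen flags value.
quarantine_file() {
    uuid=$(uuidgen 2>/dev/null || echo "")
    xattr -w "$QUARANTINE_ATTR" \
        "$(quarantine_value 0083 "$(date +%s)" "$2" "$uuid")" "$1"
}

# Print whether Gatekeeper would look at the file.
report() {
    if has_quarantine "$1"; then
        echo "$1: quarantined ($(xattr -p "$QUARANTINE_ATTR" "$1"))"
    else
        echo "$1: NOT quarantined; Gatekeeper will not inspect it"
    fi
}

# Demo, run only on macOS. A file created locally (or by `curl -o`) starts
# out without the attribute; after quarantine_file it carries one.
if [ "$(uname)" = "Darwin" ] && command -v xattr >/dev/null 2>&1; then
    tmp=$(mktemp)
    report "$tmp"
    quarantine_file "$tmp" "MyDownloader"
    report "$tmp"
    rm -f "$tmp"
fi
```

To check a real curl download, run `report` on the file curl wrote: it will be reported as not quarantined, which is exactly the gap the report describes. On a file saved by Safari, `xattr -p com.apple.quarantine` prints a value in the layout the builder above produces.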