OS X/Linker: New Mac malware attempts zero-day Gatekeeper bypass (intego.com)
124 points by qndev on June 28, 2019 | 17 comments



HN discussion about the 0-day [0].

[0] https://news.ycombinator.com/item?id=20008313


> it seems reasonable to speculate that all four files may have been uploaded by the same person, who forgot to mask his or her IP address until after uploading the first sample.

Or turned it off after the first sample. Or switches proxies randomly. It's good they brought up that the IP can be masked, but they could go one step further...


so...

sudo vi /etc/auto_master

#/net -hosts -nobrowse,hidefromfinder,nosuid


What does that do?


From the article:

For home users, unfortunately there isn't a simple solution for preventing this type of attack, until or unless Apple releases a macOS security update to mitigate the vulnerability. Cavallarin describes a possible temporary mitigation (opening /etc/auto_master in a text editor and adding # to the beginning of the line that starts with /net).


what are the implications of making this change to auto_master, beyond risk mitigation (i.e. to everyday use)?


Cavallarin explains it in a bit more detail on his blog[1]:

The first legit feature is automount (aka autofs) that allows a user to automatically mount a network share just by accessing a "special" path, in this case, any path beginning with "/net/". [..]

[1] https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypas...

Presumably commenting out the line quoted by gp disables automount for network shares which start with "/net" in their path.
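To make the mitigation concrete, here is an added example (not code from the article or from Cavallarin's post) that comments out the `/net` map in an auto_master file and reports whether the automount is still active. It runs on a constructed sample that mirrors the default macOS layout (an assumption, not copied from any system); on a real Mac you would point it at /etc/auto_master as root and then reload the maps with `sudo automount -vc`.

```python
"""Added example (not code from the article or from Cavallarin's post).

Demonstrates the temporary mitigation: comment out the "/net -hosts" map in
/etc/auto_master so that paths under /net/ no longer trigger an NFS
automount.  The functions work on the file's text, so they can be exercised
on a constructed sample; on a real Mac you would run them against
/etc/auto_master as root and then reload the maps with `sudo automount -vc`.
"""
import re
import shutil
from pathlib import Path

# Matches an active (uncommented) /net map entry such as
#   /net   -hosts   -nobrowse,hidefromfinder,nosuid
NET_ENTRY = re.compile(r"^(\s*)(/net\s)")


def net_automount_enabled(text: str) -> bool:
    """True if any line still configures the /net automount."""
    return any(NET_ENTRY.match(line) for line in text.splitlines())


def disable_net_automount(text: str) -> tuple[str, int]:
    """Return (new_text, number_of_lines_commented_out).

    Already-commented lines are untouched, so applying this twice is a no-op.
    """
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        if NET_ENTRY.match(line):
            line = NET_ENTRY.sub(r"\1#\2", line, count=1)
            changed += 1
        out.append(line)
    return "".join(out), changed


def disable_net_automount_file(path: Path) -> int:
    """Apply the change in place, keeping <path>.bak; returns lines changed."""
    text = path.read_text()
    new_text, changed = disable_net_automount(text)
    if changed:
        shutil.copy2(path, Path(str(path) + ".bak"))
        path.write_text(new_text)
    return changed


# Constructed sample mirroring the default macOS auto_master layout
# (assumption: representative, not copied from a particular system).
SAMPLE_AUTO_MASTER = """\
#
# Automounter master map
#
+auto_master\t\t# Use directory service
/net\t\t\t-hosts\t\t-nobrowse,hidefromfinder,nosuid
/home\t\t\tauto_home\t-nobrowse,hidefromfinder
/Network/Servers\t-fstab
/-\t\t\t-static
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # e.g. sudo python3 this.py /etc/auto_master
        n = disable_net_automount_file(Path(sys.argv[1]))
        print(f"{n} /net line(s) commented out; now run: sudo automount -vc")
    else:
        new, n = disable_net_automount(SAMPLE_AUTO_MASTER)
        print(new)
        print("changed:", n, "still enabled:", net_automount_enabled(new))
```

The everyday cost of the change is exactly what the comment above describes: anything that relied on `/net/<host>/<export>` auto-mounting an NFS share stops working until the line is restored (the `.bak` copy makes that a one-line `cp`). The `/home`, `/Network/Servers` and `/-` maps are left alone.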


I am wondering this too. I see that `man auto_master` describes the purpose and format of the file, but I'm still trying to grok it.


> However, because the .app inside the disk images is dynamically linked, it could change on the server side at any time—without the disk image needing to be modified at all.

Wait, what? This makes no sense: dynamic linking means that it would pull in different libraries on the user’s machine…


The article author means filesystem links, not libraries. Earlier in the article:

> [...] creating a symbolic link (or "symlink"—similar to an alias) to an app hosted on an attacker-controlled Network File System (NFS) server, and then creating a .zip archive containing that symlink [...]


It's dynamic in the context of a symlink, not meaning dynamic libraries.


Oh, that makes more sense. That sentence would be much improved by switching those words around, because I’m too conditioned to apps being dynamically linked in the library/framework :)
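Since the "dynamic" part of the attack is a filesystem symlink inside the .zip (the archive never changes, but the link resolves on the victim's Mac to a path under /net/ that autofs mounts from the attacker's NFS server at access time), the practical check is to look for such entries before anyone double-clicks the archive. The following scanner is an added example, not code from the article or from Cavallarin's post; the sample archive is constructed in memory the way the article describes the technique, and the host name in its symlink target is invented.

```python
"""Added example (not code from the article or from Cavallarin's post).

Flags symlink entries in a zip archive whose targets point outside the
archive, in particular under /net/, the autofs path the Gatekeeper bypass
relies on.  The sample zip is constructed here; the NFS host name in it is
invented.
"""
import io
import stat
import zipfile

# Symlink targets that should never appear in a downloaded archive.
SUSPICIOUS_PREFIXES = ("/net/", "/Network/", "/Volumes/")


def zip_symlinks(data: bytes) -> list[tuple[str, str]]:
    """Return (entry_name, link_target) for every symlink entry in the zip.

    Unix zips store the file mode in the high 16 bits of external_attr;
    a symlink entry's data is simply its target path.
    """
    links = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", "replace")
                links.append((info.filename, target))
    return links


def suspicious_symlinks(data: bytes) -> list[tuple[str, str, str]]:
    """Return (name, target, reason) for symlinks that escape the archive."""
    findings = []
    for name, target in zip_symlinks(data):
        if target.startswith(SUSPICIOUS_PREFIXES):
            findings.append((name, target, "automount/network path"))
        elif target.startswith("/"):
            findings.append((name, target, "absolute path"))
        elif ".." in target.split("/"):
            findings.append((name, target, "parent-directory traversal"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a zip containing a symlink to an app under /net/
    (the pattern the article describes) plus a harmless relative symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "Installer\n")
        # Symlink entry: mode 0o120777 (lrwxrwxrwx) in the upper 16 bits.
        link = zipfile.ZipInfo("Flash Player.app")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        # Invented host name; only the /net/ prefix matters for the check.
        zf.writestr(link, "/net/evil.example.net/share/Flash Player.app")
        safe = zipfile.ZipInfo("docs/latest")
        safe.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(safe, "README.txt")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target, why in suspicious_symlinks(build_sample_zip()):
        print(f"SUSPICIOUS {name!r} -> {target!r} ({why})")
```

Run it against a downloaded archive with `suspicious_symlinks(open(path, "rb").read())`; a relative symlink that stays inside the archive (the `docs/latest` entry above) is not reported, while the `/net/` one is. The check is only as good as the archiver's mode bits: a zip written by a tool that does not record Unix modes stores no symlinks at all, so an absence of findings says nothing about archives created on other platforms.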


> The disk images are disguised as Adobe Flash Player installers, which is one of the most common ways malware creators trick Mac users into installing malware.

Most Mac users know that Flash is a piece of malware itself and would never be fooled into installing it.


That's intentional. The most successful phishing emails, sketchy ads, etc. are obviously bad to anyone savvy. They design it so that only computer illiterate people end up falling for it, as they have no chance of fixing the problem themselves.


What was the purpose of this statement?


It made me laugh... if that was the purpose... the guy made it. LOL


It was a tongue in cheek statement about the fact that Mac users have long ago sworn off using Flash on their systems. It's a bloated CPU-intensive piece of crapware.



