Three malicious apps (Atomic Stealer, Genieo and XCSSET) tested against macOS 14.6.1 in three configurations: full security, SIP disabled, and Gatekeeper disabled.
LaunchServices
If you thought spctl disabled Gatekeeper assessments, and disabling SIP had little effect, then you might like to think again.
Details of security checks including Gatekeeper, XProtect and notarization, performed when launching an app in full security.
All apps now undergo Gatekeeper assessment, but only some have XProtect checks for malware, and the unfortunate few get translocated too.
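As an added example (not a script from the original posts): a POSIX shell helper that reports the three things the checks above turn on for a given app bundle, using macOS 14's own tools. It wraps `spctl --assess --type execute -vv` (the assessment verdict and its source), `codesign -dvv` (the signature type: Developer ID, ad hoc or none) and `xattr -p com.apple.quarantine` (the quarantine attribute that makes a freshly downloaded app a candidate for translocation). The parsers are pure functions so they can be checked on the constructed sample outputs at the bottom; the app paths, team identifier and attribute values in those samples are made up, and only `inspect_app` needs a Mac.

```shell
#!/bin/sh
# Added example, not code from the original posts. It summarises the state the
# Gatekeeper/XProtect/translocation checks depend on by wrapping three macOS
# commands:
#   spctl --assess --type execute -vv APP   assessment verdict and its source
#   codesign -dvv APP                       signature type (Developer ID, ad hoc, none)
#   xattr -p com.apple.quarantine APP       quarantine attribute; a quarantined app is
#                                           a candidate for app translocation
# The three parsers are pure functions so they can run anywhere on the
# constructed samples at the bottom; only inspect_app needs macOS.

# classify_spctl OUTPUT: reduce 'spctl --assess -vv' text to one verdict token.
classify_spctl() {
  case "$1" in
    *": accepted"*)
      case "$1" in
        *"source=Notarized Developer ID"*) echo notarized ;;
        *"source=Developer ID"*)           echo developer-id ;;
        *"source=Apple System"*)           echo apple-system ;;
        *)                                 echo accepted ;;
      esac ;;
    *": rejected"*)                        echo rejected ;;
    *)                                     echo unknown ;;
  esac
}

# classify_codesign OUTPUT: signature type from 'codesign -dvv' text.
classify_codesign() {
  case "$1" in
    *"code object is not signed at all"*)           echo unsigned ;;
    *"Signature=adhoc"*)                            echo adhoc ;;
    *"Authority=Developer ID Application"*)         echo developer-id ;;
    *"Authority=Apple Mac OS Application Signing"*) echo app-store ;;
    *"Authority=Software Signing"*)                 echo apple-system ;;
    *)                                              echo other ;;
  esac
}

# quarantine_fields VALUE: split the com.apple.quarantine value, which is
# 'flags;timestamp;agent;uuid', into the two fields worth reporting.
quarantine_fields() {
  printf '%s\n' "$1" | {
    IFS=';' read -r flags _stamp agent _uuid
    printf 'flags=%s agent=%s\n' "$flags" "${agent:-?}"
  }
}

# inspect_app APP: live check, macOS only.
inspect_app() {
  app=$1
  if ! command -v spctl >/dev/null 2>&1; then
    echo "spctl not found: inspect_app only runs on macOS" >&2
    return 2
  fi
  # spctl and codesign write their reports to stderr, so merge it in.
  verdict=$(classify_spctl "$(spctl --assess --type execute -vv "$app" 2>&1)")
  sig=$(classify_codesign "$(codesign -dvv "$app" 2>&1)")
  q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null || true)
  if [ -n "$q" ]; then qinfo=$(quarantine_fields "$q"); else qinfo=none; fi
  printf '%s\n  gatekeeper=%s signature=%s quarantine=%s\n' "$app" "$verdict" "$sig" "$qinfo"
}

# Constructed samples in the formats the three commands print (not captured
# from a real system); paths, team ID and attribute values are invented.
SAMPLE_SPCTL_NOTARIZED='/Applications/Foo.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Co (ABCDE12345)'
SAMPLE_SPCTL_REJECTED='/Users/me/Downloads/Bar.app: rejected
source=no usable signature'
SAMPLE_CODESIGN_ADHOC='Executable=/Users/me/Applications/Site.app/Contents/MacOS/Site
Identifier=com.example.site
Format=app bundle with Mach-O thin (arm64)
Signature=adhoc'
SAMPLE_QUARANTINE='0083;66c6e2f1;Safari;6F9619FF-8B86-D011-B42D-00C04FC964FF'

if [ "$#" -gt 0 ]; then
  for a in "$@"; do inspect_app "$a"; done
else
  echo "notarized sample -> $(classify_spctl "$SAMPLE_SPCTL_NOTARIZED")"
  echo "rejected sample  -> $(classify_spctl "$SAMPLE_SPCTL_REJECTED")"
  echo "ad hoc sample    -> $(classify_codesign "$SAMPLE_CODESIGN_ADHOC")"
  echo "quarantine       -> $(quarantine_fields "$SAMPLE_QUARANTINE")"
fi
```

Run it as `sh inspect_app.sh /Applications/Foo.app` on a Mac to see the live report, or with no arguments anywhere to exercise the parsers on the samples. One caveat that matches the point of the first post above: `spctl --assess` tells you what the security policy would say about the app, not what LaunchServices actually did when the app was launched. With Gatekeeper "disabled" through spctl the policy verdict changes, but the launch-time assessment still runs, and the record of that is in the unified log rather than in spctl's output.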
Details of the chain of information, from the UTI of the file to be opened, through LaunchServices’ database of document types. How to deal with problems.
Using lsregister to clean up the Open With menu only works temporarily, because the menu is populated from apps found on any volume local to your Mac. That’s not good for VMs sharing the Applications folder.
Odd problems with Sonoma: every old app is now listed in the Finder’s Open With popup menu, and lsregister reports errors and gets System Settings into trouble.
After the dataless file, we get the codeless app, in the form of Sonoma’s new Web Apps. These sidestep issues of code-signing with their linked UUIDs and ad hoc signatures.
A fuller account with log extracts to show what happens when a user creates a Web App, and when they run it.
What is a Web App? How to create and use them, and how they run without any executable code. Could crafted Web Apps turn malicious?
