Researcher says Apple's latest Gatekeeper security patch can still be bypassed
Apple introduced Gatekeeper in OS X 10.8 Mountain Lion and back-ported it to OS X 10.7.5 Lion to keep malicious software from running on Macs. In late September of last year, however, a researcher reported a Gatekeeper bypass that is trivial to carry out.
Patrick Wardle, director of research at Synack, said in an interview that he reverse-engineered the patch Apple released in October and found it did not really fix Gatekeeper, the security technology that is supposed to block harmful applications from running.
Even with Gatekeeper at its strictest setting, Wardle showed that it can be bypassed by abusing app bundles. Gatekeeper runs its checks on an app before that app is launched, but it does not stop the app from then executing other binaries or loading dynamic libraries from a different directory, for instance one that shipped in the same download. Gatekeeper verifies only the first application the user launches; whatever that application loads afterwards is never inspected.
Gatekeeper's primary job is to check the code signature of a downloaded application. An app signed with a certificate issued by Apple is allowed to run, whether it came from the Mac App Store or is a third-party app signed with an Apple-issued Developer ID certificate; an unsigned app, or one whose signature does not verify, is blocked.
That check alone turned out not to be dependable: a legitimately signed application distributed on the web can be packaged together with malicious code that the signed app loads once it is running, and Gatekeeper never looks at that code.
Apple released a patch in October that was meant to close the hole. When it shipped, Wardle set out to test it.
He reported that the patch was ineffective: it took him about five minutes to find a way around it.
Gatekeeper has been built into OS X since 2012. "The problem is that Gatekeeper doesn't do any runtime analysis or analysis on secondary components," Wardle said. The design goal is to keep malware off Macs by letting only software from developers Apple has vetted, that is, software carrying an Apple-issued signature, run on a default-configured machine.
According to an Apple representative, the files Wardle privately reported have been blocked by XProtect, the built-in anti-malware signature list that complements Gatekeeper.
Below is a proof-of-concept video provided by Patrick Wardle. Blocking those specific files does not close the hole, in his view: "However the core issue is not fixed so if anyone finds another app that can be abused we are back to square one."
In its most restrictive setting, Gatekeeper allows only apps from the Mac App Store to run; the default setting also allows apps signed by Apple-identified developers. In either mode it is designed to stop programs obtained from any other source from executing.
Wardle criticized Apple's approach of blacklisting the handful of signed apps known to be usable in the bypass rather than correcting the underlying flaw: any other signed app that loads external code can be abused in the same way.
At the ShmooCon security conference, Wardle will release a tool called Ostiarius (the Latin word for a doorkeeper) that he says does what Apple should have done the first time around to fix Gatekeeper.
Ostiarius hooks process creation in the OS X kernel. If a newly executed binary is not digitally signed and carries the quarantine attribute that marks files downloaded from the Internet, the process is stopped.
“It’s kind of a global approach,” Wardle said. “It doesn’t care if the executable was run by the user or if an attacker was abusing some signed code to kick that off.”
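The difference between the two policies described above, Gatekeeper checking only the launched app versus Ostiarius applying one rule to every executable, can be shown in a short audit script. This is an added example, not Ostiarius's or Apple's code: it applies the rule the article attributes to Ostiarius (stop an executable that is unsigned and was downloaded from the Internet, i.e. carries the com.apple.quarantine attribute) to every Mach-O file under a directory, and contrasts that with a Gatekeeper-style check of the bundle's main executable only. The real signature and quarantine checks shell out to codesign(1) and xattr(1) and therefore need macOS; demo() swaps in fake checkers over a constructed sample tree so the logic runs anywhere. The function names, the ALLOW/BLOCK verdicts and the sample layout are this example's own assumptions.

```python
"""Audit every Mach-O binary in a download, not only the app the user launches.

Added example (not Ostiarius's or Apple's code). Rule, as the article states it
for Ostiarius: unsigned AND quarantined (downloaded) => stop. Applied globally
it catches the unsigned helper a signed app loads; applied Gatekeeper-style to
the launched app alone, it does not.
"""
import os
import plistlib
import subprocess
import tempfile
from typing import Callable, Dict

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat/universal header.
# FAT_MAGIC 0xcafebabe is also the Java class-file magic; that false positive is
# harmless here because codesign simply rejects such a file.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}
QUARANTINE_XATTR = "com.apple.quarantine"  # set by browsers, Mail, etc. on download
Checker = Callable[[str], bool]


def is_macho(path: str) -> bool:
    """True if the file starts with a Mach-O or fat header."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def codesign_valid(path: str) -> bool:
    """Real checker (macOS): codesign exits 0 only for an intact, valid signature."""
    return subprocess.run(["codesign", "--verify", "--strict", path],
                          capture_output=True).returncode == 0


def quarantined(path: str) -> bool:
    """Real checker (macOS): xattr -p exits 0 only if the attribute is present."""
    return subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True).returncode == 0


def verdict(path: str, signed: Checker, quarantine: Checker) -> str:
    """Ostiarius-style rule: a downloaded, unsigned executable is blocked."""
    return "BLOCK" if quarantine(path) and not signed(path) else "ALLOW"


def gatekeeper_style(app_bundle: str, signed: Checker = codesign_valid,
                     quarantine: Checker = quarantined) -> str:
    """Check only the bundle's main executable (CFBundleExecutable), as Gatekeeper
    does for the app the user double-clicks; what it loads later is unseen."""
    with open(os.path.join(app_bundle, "Contents", "Info.plist"), "rb") as f:
        exe = plistlib.load(f)["CFBundleExecutable"]
    return verdict(os.path.join(app_bundle, "Contents", "MacOS", exe), signed, quarantine)


def audit_tree(root: str, signed: Checker = codesign_valid,
               quarantine: Checker = quarantined) -> Dict[str, str]:
    """Global approach: apply the rule to every Mach-O file under root."""
    results: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not is_macho(p):
                continue
            results[os.path.relpath(p, root)] = verdict(p, signed, quarantine)
    return results


def demo() -> Dict[str, object]:
    """Constructed sample (assumption, not a real download): a signed Tool.app
    with an unsigned 'helper' beside the bundle, the layout the bypass relies on.
    Signature and quarantine state are faked so this runs off macOS."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "Tool.app")
        os.makedirs(os.path.join(app, "Contents", "MacOS"))
        with open(os.path.join(app, "Contents", "Info.plist"), "wb") as f:
            plistlib.dump({"CFBundleExecutable": "Tool"}, f)
        for rel in ("Tool.app/Contents/MacOS/Tool", "helper"):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(b"\xcf\xfa\xed\xfe" + b"\0" * 28)  # fake 64-bit Mach-O header
        with open(os.path.join(root, "README.txt"), "w") as f:
            f.write("not a binary\n")                      # must be ignored

        def fake_signed(p: str) -> bool:      # only the app's main binary is signed
            return p.endswith("/Tool")

        def fake_quarantined(p: str) -> bool:  # the whole download is quarantined
            return True

        return {
            "gatekeeper": gatekeeper_style(app, fake_signed, fake_quarantined),
            "global": audit_tree(root, fake_signed, fake_quarantined),
        }


if __name__ == "__main__":
    print(demo())
```

On a Mac, `audit_tree("/Volumes/SomeDownload")` with the default checkers walks a mounted disk image and reports every binary that would fail the rule, which is the coverage Gatekeeper's single up-front check lacks. The quarantine attribute is only present on files that a quarantine-aware application marked at download time, so a file copied in by other means is not flagged by this rule, exactly as the article describes Ostiarius's scope.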
Apple is working with Wardle and is expected to release another patch soon. Until it ships, Wardle recommends installing applications only from the Mac App Store, and downloading any software only over an encrypted (HTTPS) connection, so that an attacker on the network cannot swap a malicious bundle into an unencrypted download.