Just when you thought it was safe to use Apple’s Gatekeeper again, a security researcher has discovered a new way for hackers to attack. Patrick Wardle, director of research at crowd security intelligence firm Synack, revealed a workaround to Apple’s fall 2015 patch this week.
Gatekeeper is software for OS X that aims to help protect Macs from apps that could harm the system. The software builds on Apple’s existing malware checks to identify and protect against what Apple calls “malware and misbehaving apps.”
Wardle first disclosed a bug in Gatekeeper in September. Apple moved quickly to issue a security patch for OS X to prevent attackers from uploading arbitrary files to the operating system. But Wardle said even after the fix he can still easily break through Gatekeeper’s security controls. Apple could not immediately be reached for comment.
Man-in-the-Middle Possibilities
Wardle, who studies the Apple desktop operating system, is presenting a full teardown of Gatekeeper in a presentation dubbed “Exposing Gatekeeper,” at the security convention ShmooCon, which starts today in Washington, D.C.
“This anti-malware feature is baked directly into OS X and attempts to block the execution of untrusted code from the Internet,” Wardle said in a blog post. “Apple boldly claims that because of Gatekeeper, both Trojans and tampered downloads are generically blocked. So hooray! Mac users are all secure . . . right? Well, no.”
Wardle said that even on a fully patched OS X 10.11.2 system, Gatekeeper is “trivial” to bypass. Specifically, hackers can resume their Trojan distributions while nation-states can execute man-in-the-middle attacks via files users download from the Internet, he said.
A hacker could launch a man-in-the-middle attack — an attack where the attacker secretly relays and sometimes alters communications between two people or parties who believe they are genuinely talking directly to one another — on Kaspersky antivirus software that is distributed over HTTP. The attacker could inject known OS X malware into the download of a user who never suspects such an attack.
Wardle said he would release a personal tool that can stop these types of attacks and protect OS X users during his presentation at ShmooCon.
Apple’s Band-Aid
We caught up with Craig Young, security researcher for advanced threat detection firm Tripwire, to get his insights on Gatekeeper’s woes. He told us Apple had very good intentions with the OS X Gatekeeper security feature.
“With the iOS platform, strict code signing requirements have proved to be an effective technique for locking down the system and the Gatekeeper feature attempts to bring a little bit of this security over to OS X systems,” Young said. “Unfortunately, good intentions were not enough in this case.”
In its most restrictive mode Apple’s Gatekeeper is designed to prevent execution of any programs obtained outside of trusted OS X applications and the Mac App Store, Young explained. But within 18 months of its release, attackers were already taking advantage of implementation flaws to install malware. Over the past year, several researchers have explained failings in the way signatures are verified that allow malware to bypass its protections, he said.
“The current high-profile flaw is actually the same as the last high-profile flaw in Gatekeeper in that certain trusted files can be repackaged to contain malware without raising alarms,” Young said. “In response to the initial report, Apple didn’t address the core issue within the Gatekeeper design, they simply put a Band-Aid on the problem by adding restrictions around some of the trusted files. This approach doesn’t address the fundamental issue that other trusted files could also be abused in the same way.”
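An added illustration of the verification-scope problem Young describes (example code written for this article, not Wardle’s tool or Apple’s code): a signature that covers only the “trusted” main executable still verifies after the bundle is repackaged, while a signature over every file in the bundle does not. The HMAC key, file names and contents are constructed stand-ins, not Apple’s signing format.

```python
import hashlib
import hmac

# Constructed example. HMAC-SHA256 under a fixed key stands in for the
# developer's code signature; it is not Apple's real signing format.
SIGNING_KEY = b"example-developer-key"
MAIN = "Trusted.app/Contents/MacOS/Trusted"
HELPER = "Trusted.app/Contents/MacOS/helper"
SIG = "Trusted.app/Contents/_CodeSignature/sig"

def sign(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest().encode()

def manifest(bundle: dict) -> bytes:
    """Path and SHA-256 of every file in the bundle except the signature itself."""
    lines = [f"{p} {hashlib.sha256(c).hexdigest()}"
             for p, c in sorted(bundle.items()) if p != SIG]
    return "\n".join(lines).encode()

def build_signed_bundle(scope: str) -> dict:
    """scope='main' signs only the main executable; scope='bundle' signs a manifest of all files."""
    bundle = {
        MAIN: b"#!/bin/sh\nexec \"$(dirname \"$0\")/helper\"\n",  # main exe hands off to helper
        HELPER: b"legitimate helper",
    }
    bundle[SIG] = sign(bundle[MAIN]) if scope == "main" else sign(manifest(bundle))
    return bundle

def verify(bundle: dict, scope: str) -> bool:
    """Re-derive the signature for the given scope and compare in constant time."""
    expected = sign(bundle[MAIN]) if scope == "main" else sign(manifest(bundle))
    return hmac.compare_digest(bundle[SIG], expected)

def repackage(bundle: dict) -> dict:
    """Tampered copy: the signed main executable is untouched, but the helper it runs is swapped."""
    tampered = dict(bundle)
    tampered[HELPER] = b"swapped, unsigned helper (constructed placeholder)"
    return tampered

def demo() -> dict:
    """For each signing scope, return (clean bundle verifies, repackaged bundle verifies)."""
    results = {}
    for scope in ("main", "bundle"):
        good = build_signed_bundle(scope)
        results[scope] = (verify(good, scope), verify(repackage(good), scope))
    return results

if __name__ == "__main__":
    for scope, (clean_ok, tampered_ok) in demo().items():
        print(f"{scope:6} scope: clean={clean_ok} tampered={tampered_ok}")
```

The “main” scope mirrors the narrow check that lets a repackaged trusted file through; the “bundle” scope is the design-level fix Young argues for, where every file the app can load is covered by the signature.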