Gatekeeper’s Failure Once Again
Introduced in July of 2012, Gatekeeper is Apple’s anti-malware feature designed to block untrusted, dodgy apps from running, keeping Mac OS X systems safe from malware.
However, the reality is slightly different, according to Wardle. Hackers can install malicious software on Mac computers, even when Gatekeeper is set to its most restrictive setting.
“Even on a fully-patched OS X 10.11.2 system, Gatekeeper is trivial to bypass,” Wardle wrote in a blog post. “So hackers can (re)start their trojan distributions while nation states can get back to MitM’ing HTTP downloads from the internet.”
In September, Wardle realized that before allowing any apps to execute on an OS X machine, Gatekeeper performs a number of checks, such as:
- Checking the initial digital certificate of a downloaded app
- Ensuring the app has been signed with an Apple-recognized developer certificate
- Ensuring the app has been originated from the official App Store
But, what Gatekeeper fails to check is – whether the app already trusted by OS X runs or loads other files from the same folder.
However, in the name of a security patch, all Apple did was simply blacklist the signed apps Wardle was abusing to bypass Gatekeeper, rather than fixing the underlying problem.
How to Bypass Gatekeeper in OS X?
This was not effective in preventing attacks. Wardle found a new Apple-signed file that allow him to do the same. Notably, the file was offered by the popular anti-virus firm Kaspersky Labs.
All Wardle has done is:
- Identified an already-signed binary file (Binary A) that runs a separate app (Binary B) located in the same folder
- Renamed Binary A
- Swapped out the legitimate Binary B with a malicious one
- Then bundled malicious file in the same folder under the same file name, Binary B
Now, Binary B needs no digital certificate or Apple developer certificate to run, so it can be used to install anything the attacker wants, completely bypassing Gatekeeper.
Wardle notified Apple about his latest finding, and the company rolled out an update blocking the new files Wardle privately reported it, which is not a right approach. Apple should come up with a more comprehensive fix to address the issue.
How to Protect Yourself?
In the meantime, Wardle suggested Mac users to only download software from the Mac App Store and be more careful while downloading apps from the internet.
Wardle will be presenting his findings at the Shmoocon conference in Washington D.C this weekend. He also released a complementary tool for Gatekeeper on Friday, a free tool dubbedOstiarius, that checks all file executions and blocks untrusted, unsigned code originating from the Web.
Alternatively, otherwise, it might be time to fire Gatekeeper, and hire a new one.