Simple new Mac exploit easily gets past OS X’s Gatekeeper; could allow for malware installation

“Since its introduction in 2012, an OS X feature known as Gatekeeper has gone a long way to protecting the Macs of security novices and experts alike,” Dan Goodin reports for Ars Technica. “Not only does it help neutralize social engineering attacks that trick less experienced users into installing trojans, code-signing requirements ensure even seasoned users that an installer app hasn’t been maliciously modified as it was downloaded over an unencrypted connection.”

“Now, a security researcher has found a drop-dead simple technique that completely bypasses Gatekeeper, even when the protection is set to its strictest setting,” Goodin reports. “The hack uses a binary file already trusted by Apple to pass through Gatekeeper. Once the Apple-trusted file is on the other side, it executes one or more malicious files that are included in the same folder. The bundled files can install a variety of nefarious programs, including password loggers, apps that capture audio and video, and botnet software.”

“Patrick Wardle, director of research of security firm Synack, said the bypass stems from a key shortcoming in the design of Gatekeeper rather than a defect in the way it operates,” Goodin reports. “Gatekeeper’s sole function is to check the digital certificate of a downloaded app before it’s installed to see if it’s signed by an Apple-recognized developer or originated from the official Apple App Store. It was never set up to prevent apps already trusted by OS X from running in unintended or malicious ways, as the proof-of-concept exploit he developed does.”

“The researcher said he privately alerted Apple officials to his discovery more than 60 days ago and believes they are working on a way to fix the underlying cause or at least lessen the damage it can do to end users,” Goodin reports. “An Apple spokesman confirmed that company developers are working on a patch.”

More details in the full article here.

MacDailyNews Take: Good to see this was presented to Apple and the fix is being worked on. This is the way all security researchers should work. Gatekeeper and OS X will be even stronger thanks to Patrick Wardle and Synack.

SEE ALSO:
Changes coming soon to Apple’s Gatekeeper – August 6, 2014
Security experts: Apple did OS X Mountain Lion’s Gatekeeper right – February 16, 2012
OS X Mountain Lion’s Gatekeeper slams the door on Mac trojans – February 16, 2012

22 Comments

  1. So if a hacker took a copy of MacKeeper’s binary file and managed to replace that with good software, but from all outside appearances and certificate the binary appears to be MacKeeper, it then can get thru?

  2. Wow. You guys accuse Microsoft of incompetence. Where’s the same treatment of Apple with this issue?

    If there was a similar Windows issue reported here, I’m sure I wouldn’t be only the second comment.

    1. Are you really that ignorant, or are you just being a jerk?

      A tiny handful of problems EVER is incredibly different from – what is it now – a million different viruses and trojans? Two million?

      1. You’re trying to change the subject. I’m not referring to quantity. I’m referring to hypocrisy.

        Regardless of quantity, this reveals a very incompetent approach to security. Any company caught with an exploit such as this should not be treated so lightly.

        What I’m pointing out is that instead of getting on Apple’s case for this, it seems like this site and it’s readers are giving Apple a pass on this. When, if it was Microsoft that did something like this, there would be a tremendous number of comments on how incompetent and terrible Microsoft/Windows is for such a boneheaded mistake.

        If this is, or has been, implemented in a malicious way, I doubt that someone affected by the malware would care if they Apple is rarely exploited compared to Microsoft (or whoever else). They may have lost data or suffered identity theft. I guess they can take comfort because Apple is rarely exploited? Is this the point you’re making?

        Why can’t you be fair and call Apple out on this? Instead, you have to make personal attacks and then attempt to deflect the discussion?

        1. Because there is a giant difference between ‘security researcher has demonstrated an attack vector and alerted Apple’ and ‘new threat spotted in the wild, millions of users’ data compromised’

          Does Apple need to correct this? Yes, and quickly. But your claim of incompetence feels overwrought. Gatekeeper is already easily bypassed by design. It is not intended to be some overarching security panacea. Simply copying an executable to your system from a flash drive or local network instead of downloading it will let you run anything. Gatekeeper mostly just helps protect your run-of-the-mill home user from easily running into trojans when online. I’m not sure why you think this is such a glaring case of incompetence. Maybe I’m missing something…

          1. If you had a guard let one or more unauthorized people through a checkpoint simply because the unauthorized people just walked in behind the authorized one, most people would say that guard is incompetent.

            If a group of people come up to the checkpoint, shouldn’t the guard check that everyone in the group is authorized to enter? Or is allowing everyone in a group to enter just because the first person is authorized? If allowing anyone to tag along with an authorized person, why even have the guard in the first place? I guess someone could tunnel under the checkpoint, or fly over the checkpoint. And since there are ways to defeat the guards ability to verify authorization, does that make it acceptable that the guard will occasionally allow unauthorized people even though the guard can easily check everyone walking up to the checkpoint? Or is the guard just for show so that they can point to the guard and say “see, we have security measures in place”?

            I’m am not implying that the entirety of Apple is incompetent. What I’m saying is, whoever (be it an individual or a group of people within Apple) designed the system that allows this type of exploit clearly shouldn’t be making decisions about Gatekeeper security.

            1. PLeX is like so many other people, well intentioned, but ignorant to facts.

              Airlines tout their safety and security as better than driving your own car, and they are correct! Way fewer people are hurt or killed traveling on Airliners each day than are hurt or killed driving cars each day. – Is this hypocrisy? No. It is fact.

              Does this mean that airlines are always safe, no, but they are way, way safer than cars. Are there more cars than planes? Absolutely, but the airplane is still safer.

              Apple touts their safety and security as better than using windows and android, and they are correct! Way fewer Macs and iOS devices are hacked or compromised than Windows people and Android people. – Is this hypocrisy? No. It is fact.

              Does this mean that Macs and iOS devices are always safe, no, but they are way, way safer than Windows and Android. Are there more Windows computers and Android devices than there are Macs and iOS devices? Absolutely, but the Mac and iOS device are still safer.

              No Hypocrisy here. I
              n fact it might be hypocrisy to put different standards on Apple than you would any other business.

            2. Again, another attempt to avoid the discussion by changing the topic. I am not ignorant of this technique. You’ve already decided that I’m a fanboy and are responding to the typical responses my by them. But here’s your problem: I haven’t said any of those things.

              I never implied anything regarding quantity or numbers of anything. Everyone else keeps injecting this. I have never said, or even implied, the security of the entire, or any individual, Apple product or service, is greater, or lesser, than any other product or service from any other manufacturer. You’re somehow inferring this.

              When have I ever called into doubt that Macs and iOS are more or less secure than anything else?

              Here is a fact, the Gatekeeper exploit is a very serious issue. Serious enough that if Microsoft, or any other company, were to have a similar issue, they should be rightfully called out on it.

              I am merely pointing out, as everyone that is responding to me so far has demonstrated, is not being upset that a serious security issue hasn’t been addressed in over 60 days and that they even had the opportunity to resolve the issue while El Capitan was in beta (or even delay release until it could be resolved, it could even be said that Apple knowingly released a new product with a known exploit). And they best Apple can say is “we’re working on it”. And apparently most everyone here is fine with that.

              I have read countless comments here about how awful Microsoft is at not only creating software and operating systems, but dealing with security issues as well. And here’s where the hypocrisy lies: the same people who seem to be “fine with it” when it’s Apple would not be (and rightfully so) if it was Microsoft (or Google).

              You can continue to reply to things I haven’t said, but it’s not going to change the fact that there is a glaring GateKeeper exploit.

              Even if no one uses GateKeeper, even if it was off by default, even if Apple decides to take it out of OSX, even if Microsoft and Google are worse, even if…it’s still a fact that a substantial error was made with GateKeeper.

              Call me a jerk, or well-intentioned but ignorant…I’m “fine with that”. Because it won’t fix the GateKeeper issue or the hypocrisy of those who are “fine with that”. And it keeps adding proof of the hypocrisy with name calling and avoiding the issue.

    2. “PLeX™”: Read the article or simply piss off. This isn’t an issue with Apple that anyone would expect to occur. It is an issue of an Apple approved developer going rogue and placing their Apple security certificate onto malware. WHY any developer would do this IRL (in real life) is hard to imagine, specifically because perpetrating the malware would come right back and bite off their ass. They’d be sued into bankruptcy in quick time. Well, in the civilized world that is. If they were a Chinese developer, etc., possibly not…

      1. I have read that article. Nowhere does it say that it requires an approved Apple developer to use their own signed app. Yes, it would be difficult to think a developer would “out” themselves if you had to use your own signed app or cert.

        Also, even if it did, no developer could possibly have their signed app or cert stolen?

        Or, have you even considered a disgruntled employee at a some company couldn’t steal it and use this exploit to harm, not only his employer/former employer, as well as infect machines and monetize the exploit?

        Or, if known to a nation state cyber security warfare group, could be used to cause blame on another country? Use as leverage in some political negotiations?

        You stated, “This isn’t an issue with Apple that anyone would expect to occur”. So why can’t any other company say the same thing and be held to the same standard? “We didn’t expect this type of issue with our product and therefore you shouldn’t expect this type of exploit to occur?” Then they could say, “we’re working on a fix” and then everyone rejoices. That’s disingenuous at best.

        1. You still didn’t read, at least with comprehension, what was written in the article.

          NO, no one can steal a signed application and turn it into malware. The app cannot be altered without triggering a hash comparison failure. Look up hashing if you don’t understand.

          Could a certificate be stolen? No, not normally. The only ones we ‘know’ can be stolen are those used in enterprise applications. This situation has been named ‘Wirelurker’ and works ONLY with iOS apps. Apple has refused to correct this situation but has increased vigilance of stolen enterprise certificates, whatever that’s worth. I’m NOT pleased with this specific situation at all.

          I don’t know what you’re talking about with “So why can’t any other company say the same thing and be held to the same standard?” Google doesn’t give a rat’s ass if developers shove Android malware into their Google Play store. There is NO vetting of apps uploaded there UNTIL such time as they are reported as malware. We’ve watched some malware being downloaded and subsequently run MILLIONS of times. FAIL!

          I’ll point out that Microsoft started on the security certificate trail BEFORE Apple. I have divorced myself from the Windows world enough that I have no idea if dirty rotten scoundrel developers have pulled that trick in Windows world. But if they did, why would Microsoft be to blame for this bizarro developer behavior? I also have no idea whether Microsoft has attempted to mitigate this potential problem. You tell me if they have, please.

          1. Two times with personal attacks.

            I will end my discussion with this: I get the impression you may not be very familiar with Stuxnet. I highly recommend some research into what exactly happened with Stuxnet/Duqu/Flame. If you can consider what happened, not through “M$ sux” lenses, but the bigger picture of interconnected system security, you’ll gain insight into not only what is possible with exploits, but also what has already been done. I suspect you may be extremely surprised with what actually took place with Stuxnet and put in perspective how an exploit such as this recent Gatekeeper exploit is far more serious than you may realize.

            I’m glad this exploit has come to light, and hopeful that Apple will quickly have a remedy to this issue.

            1. I hope Apple sort it out as well, but then again, what’s to stop future Apple approved developers going rogue? And no, this isn’t a Gatekeeper exploit, as is plainly described. Your determination to FUD Apple is not appreciated. I don’t care if you consider disrespect for your FUD a personal attack or not.

  3. So the point of the announcement is to make sure Apple follows through with their “We are working on it,” statement?

    Did they inform Apple, you have 60 days before we go public?

    I mean I would hope the patch is available, before the exploit is publicly known. Now it would seem, there could be a “gold rush” to trojan/exploit the OS, before the update is deployed.

      1. The ingenuity of hackers, simply hearing the subject line would be enough to point them into the right direction.

        It’s possible black hats knew about it already. Now I know too and it’s unsettling, until a fix is out.

  4. Certainly hope Apple is on this. Gatakeeper is good but there will always be holes.
    What I think would be good is to have a way to verify the checksum or other characteristics of the file so that the certificate states what the parameters of the file should be. That way if a file is modified it no longer matches the specs. A digital fingerprint in a way.

  5. the issue is not the checksum, it is that a piece of code on a trusted app (unmodified by outsiders) from a trusted vendor. Might have hidden code that is bad behaving.

    Well that is a security problem difficult to kill. Apple would need to test all code an all different conditions of execution.

    If MEMORY is randomised, Hard drive access is under sandbox, and many calls to OS are under privilege based access.
    Looks to me they found a vector to run code, but again there is NO comments on what can be achieved once they run

  6. This issue is a matter of ethics on the part of developers. Apple is expecting developers to live up to their ethical obligations and ethical use of their Apple approved security certificate. As I pointed out above when ranting at “PLeX™”, it’s hard to imagine any developer actually pulling this trick because they’d have their ass sued off instantaneously after the trickery was discovered. Then again, as I also pointed out above, I could easily image some scam developer in China or some other criminal nation daring to pull this off with the expectation of no recrimination. Apple would never offer them a security certificate ever again, but some people are just plain loony for crime.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.