Apple Gatekeeper Bug Suggests Sleepy Approach To OS Security

A security hole in Apples Gatekeeper security software could allow malicious programs to be run on OS X, including the latest release, El Capitan.
A security hole in Apples Gatekeeper security software could allow malicious programs to be run on OS X, including the latest release, El Capitan.

In-brief: A security hole in Apple’s Gatekeeper security software could allow malicious programs to be run on OS X, including the latest release, El Capitan. The researcher who discovered it says that Apple has fallen well behind rival Microsoft in providing security for its operating system.

A security hole in Apple’s OS X operating system could make it easy for malicious software to slip past the front line of defense Mac systems. The vulnerability opens Mac systems to infection by viruses, Trojan horse programs or other malicious software, according to research published this week.

Researcher Patrick Wardle of the firm Synack, of Redwood City, California, said the vulnerability that he discovered in Apple’s Gatekeeper security feature can be bypassed using a technique he described as “exceptionally simple” and that essentially involves malicious software piggybacking onto OS X systems with legitimate, signed OS X applications. The attack will work on Mac OS X systems running the latest version of the operating system, dubbed “El Capitan,” Wardle said.

To carry out an attack, a malicious actor would have to trick an OS X user into downloading an archive file like ZIP or DMG package containing a legitimate, signed OS X application from an insecure location such as a file sharing web site or torrent site. That package would need to contain both the signed OS X application and a malicious component, such as a library, which could be hidden in a folder elsewhere in the archive and disguised as a legitimate binary used by the downloaded application. For example: a malicious library could be disguised as a legitimate plug-in for an application like Photoshop.

Because Gatekeeper is only designed to authenticate the OS X application and block unsigned or altered applications from running, it fails to interrogate the entire contents of the downloaded archive, Wardle said. That creates the opportunity for an unsigned and malicious component to be ferried onto OS X systems and then executed when the application is opened and run.

Wardle said he discovered the hole some months ago and shared it with Apple’s security team, who he said were responsive and assured him that they would be introducing changes to address the vulnerability. Still, he said he had hoped it would make it into the latest OS X release, El Capitan, and was surprised when it didn’t.

Apple did not respond to an e-mail request for comment.

The vulnerability and the ease with which Gatekeeper can be bypassed also suggests that Cupertino-based Apple has fallen well short of its longtime rival Microsoft in terms of providing security protections for the systems that run its signature operating system.

“Apple gets security conceptually, but its (security) implementations tend to be easy to side step,” he said. “A lot of the stuff I found is pretty straight-forward.” Recent versions of Windows come with enhanced security features and aftermarket endpoint protection products feature sophisticated heuristic detection and behavioral analysis features designed to spot malware. Not so on Macs, where Gatekeeper is the first line of defense and after market security products are rarely used.

“Mac malware is kind of where Windows malware was 10 years ago.”

While there is no evidence that the bypass he discovered in Gatekeeper was known to others, Wardle said it couldn’t be ruled out. “It’s a fairly trivial bug to discover, so there’s no question that an APT or nation-state could find it was well. If you want to compromise OS X systems, Gatekeeper just isn’t that much of an obstacle.”

He said the fix for Apple is simple enough. The company can modify OS X so that it hooks and monitors applications when they run to make sure that add-on components run by the application are signed and legitimate and that they are loaded from trusted locations within the local environment, as well.

Comments are closed.