
Apple’s Gatekeeper Allows Signed Apps to Install Malicious Binaries That Aren

Gatekeeper is meant to check the digital signature of an application being installed on a Mac, accepting it only if it was signed with a certificate Apple issued to a registered developer or if it came directly from the App Store. That check has never been a complete guarantee of safety, and it is demonstrably not one today: a researcher has found a bypass that renders the operating system's Gatekeeper protection ineffective. The details have already been submitted to Apple, and at the company's request the specific binary involved is not being named.


Patrick Wardle, director of research at Synack, will demonstrate a Gatekeeper bypass he’s been working on.

According to Ars Technica, attackers can exploit the flaw by abusing a binary that Apple has already signed and that Gatekeeper therefore trusts. The names of the affected files have been withheld for security reasons.

In practice, an attacker needs only to find the app Wardle identified (or any other with the same behaviour), rename it, and ship it alongside a renamed malicious binary that the trusted app will load. Gatekeeper verifies only the file the user actually opens; the unsigned code that the signed app then executes from the same directory is never checked. The same trick works with plug-ins: find a signed app that loads plug-ins, substitute malware for one of them, and again Gatekeeper pays no attention.
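Because the bypass relies on a signed binary quietly loading unsigned siblings or plug-ins, a useful triage check before opening a download is to walk the whole bundle and flag every Mach-O file that carries no embedded code signature at all. The following is an added example written for this page, not code from Wardle or from the Ars Technica report: it parses Mach-O and universal (fat) headers for an LC_CODE_SIGNATURE load command, scans a directory tree, and reports unsigned executables. The directory layout it scans (Trusted.app with a signed main binary, an unsigned helper and an unsigned plug-in) and the minimal Mach-O images it writes are constructed here purely for demonstration. Note the caveat: the presence of a signature blob says nothing about whether it is valid or trusted, so on a Mac this should be followed by `codesign --verify --deep --strict` and `spctl --assess` on the bundle.

```python
import os
import struct
import tempfile

MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O, little-endian on disk
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O, little-endian on disk
FAT_MAGIC = 0xCAFEBABE     # universal (fat) container; its header is big-endian
LC_CODE_SIGNATURE = 0x1D   # load command pointing at the embedded code signature
LC_UUID = 0x1B             # any other load command; pads the unsigned sample below


def _has_code_signature_thin(data, offset=0):
    """True/False for a thin Mach-O image at `offset`; None if it is not Mach-O."""
    if len(data) < offset + 28:
        return None
    magic = struct.unpack_from("<I", data, offset)[0]
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        return None
    ncmds, sizeofcmds = struct.unpack_from("<II", data, offset + 16)
    pos = offset + header_size
    end = min(pos + sizeofcmds, len(data))
    for _ in range(ncmds):
        if pos + 8 > end:
            break  # truncated load-command table: report as unsigned
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmd == LC_CODE_SIGNATURE:
            return True
        if cmdsize < 8:
            break  # malformed command; stop rather than loop forever
        pos += cmdsize
    return False


def has_code_signature(data):
    """Handle fat containers: signed only if every architecture slice is signed."""
    if len(data) >= 8 and struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        if len(data) < 8 + 20 * nfat or nfat == 0:
            return None
        results = []
        for i in range(nfat):
            slice_off = struct.unpack_from(">I", data, 8 + 20 * i + 8)[0]
            results.append(_has_code_signature_thin(data, slice_off))
        return None if None in results else all(results)
    return _has_code_signature_thin(data, 0)


def scan_for_unsigned_machos(root):
    """Walk `root` and return relative paths of Mach-O files lacking a signature blob."""
    unsigned = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            if has_code_signature(data) is False:
                unsigned.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(unsigned)


def build_sample_macho(signed):
    """Constructed minimal 64-bit Mach-O header (no real code) with one load command."""
    if signed:
        cmd = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)  # dataoff, datasize unused
    else:
        cmd = struct.pack("<II", LC_UUID, 24) + b"\0" * 16
    # magic, cputype (arm64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(cmd), 0, 0)
    return header + cmd


def wrap_fat(thins):
    """Wrap thin images in a constructed universal container (big-endian header)."""
    header_len = 8 + 20 * len(thins)
    header = struct.pack(">II", FAT_MAGIC, len(thins))
    body = b""
    for thin in thins:
        cputype = struct.unpack_from("<i", thin, 4)[0]
        header += struct.pack(">iiIII", cputype, 0, header_len + len(body), len(thin), 0)
        body += thin
    return header + body


def build_demo_bundle(root):
    """Constructed layout: signed main binary beside an unsigned helper and plug-in."""
    files = {
        "Trusted.app/Contents/MacOS/Trusted": build_sample_macho(signed=True),
        "Trusted.app/Contents/MacOS/helper": build_sample_macho(signed=False),
        "Trusted.app/Contents/PlugIns/Extra.plugin/Contents/MacOS/Extra": build_sample_macho(signed=False),
        "Trusted.app/Contents/Resources/README.txt": b"not an executable\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_demo_bundle(root)
        return scan_for_unsigned_machos(root)


if __name__ == "__main__":
    for rel in demo():
        print("unsigned Mach-O:", rel)
```

Point the scanner at an extracted disk image or app bundle and treat every hit as something the signed main binary could be coaxed into loading; a clean result is only a first pass, since a bundled binary can also carry a signature that Gatekeeper would never have evaluated.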

The payloads such a trusted binary could be used to smuggle in include password stealers, third-party audio and video recorders, and a variety of botnet software.

The newly discovered exploit takes advantage of a flaw in the OS X Gatekeeper feature, which is supposed to verify that software being installed on a Mac is safe to run. Wardle said he successfully tested the exploit on the beta version of El Capitan.

An Apple spokesman has confirmed to Ars Technica that the company has been made aware of the issue and is working on a patch.


Noting that the risk extends beyond the occasional stray user, Wardle added: "more worrisome to me is this would allow more sophisticated adversaries to have network access…Nation states with higher level access, they see insecure downloads, they can swap in this legitimate Apple binary and this malicious binary as well and man-in-the-middle the attack and Gatekeeper won't protect users from it anymore". It is not clear when the patch will arrive, so stay on your toes until then and grab apps only from sources you trust.
