Researcher Circumvents Patched OS X Gatekeeper Malware Prevention Software In Minutes

In an effort to thwart malicious software from wreaking havoc on Mac computers, Apple introduced Gatekeeper in OS X 10.8 Mountain Lion, and it was also integrated into its predecessor, OS X 10.7.5 Lion. Apple maintains that the most secure way to download apps for your Mac is to go through the App Store, but for apps downloaded outside of Apple’s walled garden, Gatekeeper is supposed to be the big, brawny bouncer tossing malicious apps into the street. This is how Apple describes Gatekeeper’s duties in a support document:

Developers can get a unique Developer ID from Apple and use it to digitally sign their apps. The Developer ID allows Gatekeeper to block apps created by malware developers and verify that apps haven't been tampered with since they were signed. If an app was developed by an unknown developer—one with no Developer ID—or tampered with, Gatekeeper can block the app from being installed.

In late September 2015, Synack researcher Patrick Wardle disclosed a rather debilitating vulnerability in Gatekeeper. Wardle was able to modify signed software packages (placing malicious payloads inside “trusted” software) so that they could surreptitiously bypass Gatekeeper, allowing unsigned code to execute on a user’s computer. As Wardle indicated at the time, “architectural limitations of Gatekeeper can be abused to execute malicious unsigned binaries.”

[Image: Gatekeeper within OS X]

For its part, Apple did address Wardle’s concerns and released a security update to patch Gatekeeper. In a perfect world, this would have been the end of the story, and OS X users could take solace in the fact that Apple reacted quickly to a known vulnerability. However, this isn’t a perfect world, and Apple’s patch was by all accounts imperfect.

As it turns out, Apple didn’t actually fix the underlying problem that was allowing unsigned code to pass through Gatekeeper. What the company did instead was blacklist the specific binaries Wardle had used to demonstrate the attack vector.

Not content with Apple’s seemingly “shortcut” method of addressing the matter, Wardle reached out to Apple again to express his concerns and show that he was still able to pass unsigned code through Gatekeeper using other apps. Apple issued a new security update, and like the time before, it simply blacklisted the apps that Wardle had used as a proof of concept.
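The difference between the two remediations described above (blacklisting the specific binaries Wardle used versus checking that every executable a "trusted" package carries is actually covered by its signature) is easy to show in code. The following Python script is an added example written for this article; it is not code from Apple, Synack or Wardle. It builds a toy app bundle in a temporary directory whose files carry only the Mach-O magic bytes, and it stands in for real Developer ID verification with a set of bundle-relative paths that the signature is assumed to cover. On a real Mac the corresponding checks are `codesign --verify --deep` and `spctl --assess`; here everything runs offline.

```python
import hashlib
import os
import tempfile

# Leading bytes of Mach-O images as they appear on disk, taken from the public
# magic numbers (MH_MAGIC, MH_MAGIC_64 in both byte orders, and the fat header).
# Caveat: CA FE BA BE is also the Java class-file magic, so a production scanner
# should parse the header rather than trust four bytes.
MACH_O_MAGICS = (
    b"\xfe\xed\xfa\xce",  # MH_MAGIC, big-endian 32-bit
    b"\xce\xfa\xed\xfe",  # MH_MAGIC, little-endian 32-bit (x86)
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64, big-endian
    b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64, little-endian (x86_64, arm64)
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC, universal binary
)


def is_mach_o(path):
    """True if the file starts with a Mach-O or fat-binary magic number."""
    with open(path, "rb") as f:
        return f.read(4) in MACH_O_MAGICS


def find_mach_o_files(bundle_dir):
    """Every Mach-O image inside the bundle, as sorted bundle-relative paths."""
    hits = []
    for dirpath, _, filenames in os.walk(bundle_dir):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_mach_o(full):
                hits.append(os.path.relpath(full, bundle_dir))
    return sorted(hits)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def assess_bundle(bundle_dir, signed_paths, blacklist):
    """Apply both policies to one bundle and report what each would block.

    signed_paths: bundle-relative paths the (assumed) Developer ID signature
                  covers; stands in for a real codesign verification.
    blacklist:    SHA-256 digests of individual binaries that are denied.
    """
    images = find_mach_o_files(bundle_dir)
    digests = {p: sha256_of(os.path.join(bundle_dir, p)) for p in images}
    unsigned = [p for p in images if p not in signed_paths]
    return {
        "images": images,
        "blocked_by_blacklist": any(d in blacklist for d in digests.values()),
        "unsigned_images": unsigned,
        "blocked_by_signature_check": bool(unsigned),
    }


def build_sample_bundle(helper_build="EXTRA-PAYLOAD-BUILD-1"):
    """Constructed sample: a signed main executable plus an extra Mach-O helper
    in Resources that the signature does not cover."""
    root = tempfile.mkdtemp(prefix="Example.app-")
    os.makedirs(os.path.join(root, "Contents", "MacOS"))
    os.makedirs(os.path.join(root, "Contents", "Resources"))
    with open(os.path.join(root, "Contents", "MacOS", "Example"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"MAIN-EXECUTABLE")
    with open(os.path.join(root, "Contents", "Resources", "helper"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + helper_build.encode())
    with open(os.path.join(root, "Contents", "Info.plist"), "wb") as f:
        f.write(b"<plist/>")  # not an executable, must not be flagged
    return root


def compare_policies():
    """Assess the known bundle, then a rebuilt one the blacklist never saw."""
    signed = {os.path.join("Contents", "MacOS", "Example")}
    known = build_sample_bundle()
    # The "patch": deny exactly the helper binary seen in the report.
    blacklist = {sha256_of(os.path.join(known, "Contents", "Resources", "helper"))}
    first = assess_bundle(known, signed, blacklist)
    # Any rebuild of the helper yields a different digest, so the blacklist
    # no longer matches; the signature-coverage check still flags it.
    rebuilt = build_sample_bundle(helper_build="EXTRA-PAYLOAD-BUILD-2")
    second = assess_bundle(rebuilt, signed, blacklist)
    return first, second


if __name__ == "__main__":
    for label, result in zip(("known build", "rebuilt helper"), compare_policies()):
        print(label, result)
```

The point the script makes is the one the article makes in prose: a blacklist keyed on particular binaries only ever catches the binaries that were reported, while a policy that requires every executable in a package to fall under the package's signature catches the whole class. Extending the stand-in `signed_paths` set to a real `codesign --verify --deep` call is the production version of the second policy.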

“[The] patch they released was incredibly weak,” said Wardle in an interview with Motherboard. “It literally took me five minutes to completely bypass. They mitigated my specific attack, but it’s trivial, trivial to bypass.”

Apple contends that it is constantly making changes to Gatekeeper in order to mitigate attacks like the one Wardle has demonstrated, but it is obviously a work in progress. So in the meantime, Wardle suggests that OS X users simply avoid downloading apps from outside the App Store. And if you do have to leave the confines of the App Store to download software, only do so from trusted vendors over HTTPS.