The built-in anti-malware Gatekeeper system has been a feature in Apple’s OS X since 2012. It has been instrumental in protecting Macs all over the world from cyberattacks, but in late September of last year, reports revealed that a researcher has discovered a bypass for Gatekeeper that is very easy to carry out.
Even with Gatekeeper at its strictest settings, security firm Synack director Patrick Wardle shared that it can be bypassed through the use of app bundles. While Gatekeeper carries out several checks on apps before they are launched on a Mac, it does not prevent apps from running or loading other apps or dynamic libraries from an alternate directory. This is because Gatekeeper only verifies the first application that the user launches.
The security flaw allowed Wardle to carry out a malicious download that contained both a legitimate app signed by Apple, but bundled with a hidden and unsigned malicious file. When the download was launched on a Mac, the legitimate app was also able to run the malware without Gatekeeper preventing it from doing so.
“Gatekeeper has one job: to block unauthenticated code coming from the Internet,” said Wardle. “We’ve completely bypassed this. To me, Gatekeeper is no obstacle at all.”
Wardle previously said that Apple has been notified of the exploit, with the company already working on fixing the security issue. However, the Gatekeeper security hole was not patched up with the rollout of OS X El Capitan in October 2015, and to this day, almost four months since it was exposed, the vulnerability has still not been addressed.
In a blog post on Synack’s website, Wardle said that he will have a presentation at the hacker convention ShmooCon titled “Exposing Gatekeeper,” which will be a full teardown of the vulnerability.
In the post, Wardle challenges the claim made by Apple that Gatekeeper is able to block the launch of untrusted code, protecting Macs from tampered downloads and trojans. He said that even on a fully-patched OS X 10.11.2, Gatekeeper remains easy to bypass. Wardle even posted a video on how he injected OS X malware into the download of an unsuspecting user.
In an interview with news website Macworld, Wardle explained that the patches Apple released last year to address his first disclosure of the Gatekeeper issue were very thin. Instead of the patches completely fixing the exploit utilizing downloaded executables, Apple only blocked one vector that is related to dynamic libraries and blocked certain apps which could be subverted. Wardle told Apple about this, and said that Apple will be releasing another patch, but all that the company would do is to blacklist the new binary that he found.
Wardle maintains that Gatekeeper should be making more broad inspections on software before they are first launched, not just on the subset that the software presently examines.
Apple told Wardle that it is currently developing a more comprehensive solution, with Apple confirming that more improvements are being applied to Gatekeeper. However, Wardle remains frustrated with the partial solutions that Apple is applying, as attackers can simply check out the security release notes of Apple and reverse engineer whatever the company has fixed to check if the solution was not comprehensive.
“Apple isn’t as proactive or aggressive about security as they should be,” Wardle said.
In the meantime, Wardle has released a personal tool named Ostiarius that would do a better job than Gatekeeper in the prevention of such attacks for the protection of OS X users, as it could block the execution of all unsigned Internet binaries.
Ostiarius is a kernel extension that will automatically block all unsigned binary or applications from the Internet, regardless of the Mac’s system settings. Whenever the tool does its job, a message will be entered into the Mac’s system log which specifies what Ostiarius blocked.
As Ostiarius runs on the kernel level, it is able to provide global protection that affects all the Mac’s users.