Apple’s Gatekeeper Allows Signed Apps to Install Malicious Binaries That Aren
Apple’s reputation for providing platforms that are impervious, or close to it, to malicious attacks has taken another slight battering with an exploit found in its OS X operating system that allows the installation of malicious code.
The exploit was discovered by Patrick Wardle, director of research at security firm Synack.
Even when Gatekeeper is configured to use its highest level of protection, the ease with which the fortifications can be slipped through is staggering.
“If the application is valid, so it was signed by a developer ID or was [downloaded] from the Mac App Store, Gatekeeper basically says ‘OK, I’m going to let this run,’ and then Gatekeeper essentially exits,” Wardle explained to Ars Technica.
Gatekeeper checks only the original file an end user clicks on. It does not check whether that app runs or loads other apps or dynamic libraries from the same or a relative directory. “It doesn’t monitor what that application is doing.” “Gatekeeper does not examine those files.”
Wardle’s exploit therefore swaps out the legitimate Binary 2 for a malicious one and bundles it in the same disk image under the same file name. Because the renamed Binary A is a known file signed by Apple, it is immediately approved by Gatekeeper and executed by OS X. “I’m sure there are other Apple-signed apps out there that can also be abused to bypass Gatekeeper.”
“With Gatekeeper being simply bypassed, it is time for organizations to consider layering extra defenses on top – such as privilege management and application control – in order to mitigate attacks and prevent unwanted content from executing”.
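As an added example (not part of the article and not Wardle’s or Apple’s code), the following Python script performs the inventory step the article says Gatekeeper skips: it walks a mounted disk image or extracted folder, finds every Mach-O binary by its magic number, and reports which ones sit outside the bundle a user would actually click on. Those “outside” files are the inputs an application-control or allowlisting layer, as recommended above, needs to see. The directory layout, the bundle name `Example.app` and the sibling file `helper` are constructed for the demo.

```python
"""Inventory every Mach-O executable in a directory tree (for example a
mounted disk image) and report which ones sit outside the bundle the user
would click on.  Added example, not from the article or Wardle's research;
the file layout used for the demo is constructed in build_sample_tree()."""
import os
import tempfile
from pathlib import Path

# First four bytes of Mach-O and fat (universal) binaries, in both byte orders.
# Note: Java class files also start with CA FE BA BE, so treat fat-magic hits
# as candidates to confirm with `file` or `codesign` on a real Mac.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC    (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 (64-bit)
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # FAT_MAGIC   (universal)
}


def is_macho(path: Path) -> bool:
    """Return True if the file starts with a Mach-O or fat-binary magic."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_macho(root: str) -> list:
    """Walk `root` and return the relative POSIX paths of every Mach-O file."""
    root_path = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():          # do not follow links out of the image
                continue
            if is_macho(p):
                hits.append(p.relative_to(root_path).as_posix())
    return sorted(hits)


def classify(root: str, primary_bundle: str) -> dict:
    """Split Mach-O files into those inside the clicked .app bundle and those
    outside it.  The 'outside' list is exactly what a click-only check such
    as the one described in the article never looks at."""
    inside, outside = [], []
    prefix = primary_bundle.rstrip("/") + "/"
    for rel in find_macho(root):
        (inside if rel.startswith(prefix) else outside).append(rel)
    return {"inside": inside, "outside": outside}


def build_sample_tree() -> str:
    """Create a constructed disk-image layout: an app bundle, a sibling
    executable loaded from a relative path, and a plain text file."""
    root = tempfile.mkdtemp(prefix="dmg-")
    macos_dir = Path(root) / "Example.app" / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True)
    # Minimal stand-ins: a 64-bit little-endian Mach-O magic plus padding.
    (macos_dir / "Example").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)
    (Path(root) / "helper").write_bytes(b"\xcf\xfa\xed\xfe" + b"\0" * 28)
    (Path(root) / "README.txt").write_text("not a binary\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = classify(sample_root, "Example.app")
    for rel in report["inside"]:
        print("bundle   ", rel)
    for rel in report["outside"]:
        print("OUTSIDE  ", rel, "<- not covered by a click-only check")
```

The script only inventories; it cannot verify code signatures off a Mac. On macOS, each path in the “outside” list is a candidate for a per-file `codesign --verify` check or for an explicit allow/deny decision in an application-control policy, which is the layered defence the quoted advice calls for.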
Wardle also reports that he notified Apple about the problem two months ago, and that Apple has affirmed its developers are working on a solution.
Wardle said his method affects all versions of OS X, including El Capitan. During a presentation at the Virus Bulletin conference in Prague on Thursday, Wardle detailed unpatched vulnerabilities he has found in Gatekeeper that allow attackers to spread unsigned binaries containing malware, circumventing Gatekeeper in the process.
A representative of Apple has confirmed that a patch is in development, although at present there is no timeline for when it will be made available to users.