Gatekeeper Bypassed, Be Careful What You Download
Apple’s newest release, OS X El Capitan, is packed with features that everyone will love.
However, researcher Wardle reveals that Gatekeeper for Mac OS X can be bypassed, and that the exploit is really easy to carry out. Once Gatekeeper has looked an app over and given it the green light, that’s it. Wardle’s exploit works by sneaking an external binary in alongside a signed application.
Announcing the general availability of OS X El Capitan as a free download starting Wednesday, Apple said that the new version of its desktop operating system is compatible with a number of Mac systems, including a few models launched eight years ago.
Wardle added that Gatekeeper merely checks the digital certificate of the downloaded app. It doesn’t monitor what that content does once it runs. The exploit uses a trusted, signed binary to get past Gatekeeper’s check, which lets malicious code housed in the same folder run successfully once the check has passed.
In other words, when a legitimately signed application runs and pulls in an outside library file, and an attacker can replace that file with something malicious, OS X will load the file into the app and let it execute, no questions asked – even if the external library is unsigned and completely untrusted. Although other browsers have implemented it before, Apple should greatly benefit from making the addition.
Wardle is the CTO of Synack, a company in the business of exploit discovery and management.
What the Gatekeeper exploit does is simple: it renames Binary 1 and then packages it inside an Apple disk image. The bundled files can install a variety of nefarious programs, including password loggers, apps that capture audio and video, and botnet software. The bad news is that Wardle might not be the only one to have noticed the simple exploit. This means that an attacker could trick a user into downloading a signed but infected app from a third-party source to gain a foothold on the machine.
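A defender-side triage check that follows from the mechanism described above, added here as an example and not code from the article or from Wardle: it walks a mounted disk image, flags every Mach-O file that sits outside the .app bundle Gatekeeper actually vetted, and, when running on macOS, verifies each flagged file with `codesign`. The sample disk-image layout it builds (`Example.app`, `libhelper.dylib`) is constructed for the demonstration; the header bytes are stubs, not real binaries.

```python
import os
import shutil
import subprocess
import tempfile

# Mach-O magic numbers (32/64-bit, both byte orders) and the universal (fat) header.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}

def is_macho(path):
    """True if the file starts with a Mach-O or universal-binary magic."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False

def in_app_bundle(path, root):
    """True if a .app directory sits between root and the file."""
    parts = os.path.relpath(path, root).split(os.sep)[:-1]
    return any(p.endswith(".app") for p in parts)

def find_loose_binaries(root):
    """Mach-O files under root that sit outside any .app bundle: Gatekeeper vets the
    signed .app the user opens, but a binary shipped beside it is never checked."""
    loose = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if is_macho(p) and not in_app_bundle(p, root):
                loose.append(os.path.relpath(p, root))
    return sorted(loose)

def codesign_status(path):
    """Verify the signature with codesign on macOS; 'unavailable' elsewhere."""
    if shutil.which("codesign") is None:
        return "unavailable"
    r = subprocess.run(["codesign", "--verify", "--strict", path], capture_output=True)
    return "signed" if r.returncode == 0 else "unsigned-or-invalid"

def build_sample_image():
    """Constructed stand-in for a mounted DMG: one .app plus a loose dylib beside it."""
    root = tempfile.mkdtemp(prefix="dmg_")
    os.makedirs(os.path.join(root, "Example.app", "Contents", "MacOS"))
    header = b"\xcf\xfa\xed\xfe" + b"\0" * 28  # MH_CIGAM_64 header stub, not a real binary
    for rel in ("Example.app/Contents/MacOS/Example", "libhelper.dylib"):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(header)
    return root
```

Run `find_loose_binaries` against the mount point of a downloaded disk image; anything it reports is a binary that Gatekeeper's check never covered and that deserves a look before the app is opened.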
“If I can find it, you have to assume groups of hackers or more sophisticated nation states have found similar weaknesses”, said Wardle. But after upgrading to El Capitan this week, many users report that they cannot get Split View to work at all.
As Apple describes it, “if an app was developed by an unknown developer, one with no Developer ID, or tampered with, Gatekeeper can block the app from being installed”.
An Apple spokesman has confirmed to Ars Technica that the company has been made aware of the issue and is working on a patch.
Wardle is quick to say that this is not a vulnerability in Gatekeeper.