OS X Gatekeeper rendered useless by new malware exploit
On the day that Apple releases El Capitan details of an exploit that makes it possible to bypass the Gatekeeper feature of OS X have emerged. Designed to combat various forms of malware, the security feature can be bypassed using a simple trick involving the use of a signed binary.
Even when Gatekeeper is configured to use its highest level of protection, the ease with which the fortifications can be slipped through is staggering. Using a file that has already been deemed trustworthy by Apple, it is possible to trick OS X into executing a malicious file stored in the same folder as the signed one. No patch is yet available, and it is believed the problem affects all versions of OS X.
The vulnerability was discovered by security researcher Patrick Wardle from Synack. Talking to Threatpost, he explains that he has already shared his findings with Apple but the company is yet to produce a patch. Wardle found that Gatekeeper, while checking for authentication of files from Apple, failed to determine whether apps make calls on other apps or code that have not been signed.
Once an app has been given the go-ahead by Gatekeeper, it is free to execute whatever code it wants on the computer, and this is precisely how the exploit works. Users could be easily tricked into executing a signed, infected file that could wreak untold damage. Wardle says:
It's not super complicated, but it effectively completely bypasses Gatekeeper. This provides hackers the ability to go back to their old tricks of infecting users via Trojans, rogue AV scams or infect applications on Pirate Bay. More worrisome to me is this would allow more sophisticated adversaries to have network access. Nation states with higher level access, they see insecure downloads, they can swap in this legitimate Apple binary and this malicious binary as well and man-in-the-middle the attack and Gatekeeper won’t protect users from it anymore.
The issue is not being described as a bug, but as a limitation of Gatekeeper. A fix could take some time to appear as Wardle warns that it would require "significant code changes" to OS X.