OS X Vulnerability Allows Cybercriminals to Bypass Gatekeeper Checks
Advertisement
A security researcher has reported a very simple workaround that could let anyone bypass Gatekeeper, a security feature in OS X that safeguards the desktop operating system from running malware and other unwanted software by restricting the sources from which users can install applications downloaded from the Internet.
Patrick Wardle, the director of research at firm Synack said that a binary file that is already trusted by Apple needs no other verification to load and run potentially compromised system components or files.
In his testing, Wardle found that a signed Photoshop installer had no issues loading plugins from another directory -- the content of which were replaced with malware files. This happened without the program notifying the user. He also tested this with Apple-distributed programs, but declined to reveal the name to honour Apple's request.
Gatekeeper checks the digital certificate of a downloaded app to ensure that the developer or point of origination of the app is Apple-recognised. And the fact that it doesn't prevent applications that are already trusted by OS X from working in strange, undocumented ways - in this case tapping malicious components - is where lies the security flaw.
Advertisement
"If the application is valid--so it was signed by a developer ID or was (downloaded) from the Mac App Store--Gatekeeper basically says 'OK, I'm going to let this run,' and then Gatekeeper essentially exits," Wardle told Ars Technica. "It doesn't monitor what that application is doing. If that application turns around and either loads or executes other content from the same directory... Gatekeeper does not examine those files."
The vulnerability requires a user to download or copy and relaunch the modified software, he noted. But users should still be very cautious because attackers could target third-party signed applications and riddle them with malware over unencrypted downloads. Wardle said that he informed Apple about the vulnerability more than 60 days ago. The company told the publication that it is working on a patch.
For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.
Advertisement