Tomorrow at the Virus Bulletin conference in Prague, researcher Patrick Wardle is set to highlight a security weakness in Apple’s Mac OS X “Gatekeeper” technology that could allow attackers to run unverified, unsigned code.
Figure 1. Mac OS X Gatekeeper security settings
What is Gatekeeper?
Gatekeeper is a security feature, introduced in Mac OS X in 2012, that restricts which applications are allowed to run based on where they came from. By default, Gatekeeper only allows applications downloaded from the Mac App Store or from identified developers, meaning apps signed with an official Apple Developer ID certificate. This certificate is obtained by enrolling in Apple’s Developer Program. Users can, however, relax these settings and allow apps to run no matter where they were downloaded from.
How Gatekeeper was bypassed
In his proof of concept, Wardle bypassed Gatekeeper by bundling a legitimate Apple-signed app together with a hidden, unsigned malicious file in the same directory. In this scenario, Gatekeeper checks only the parent file, the Apple-signed app. Once that application runs, it in turn executes the unsigned malicious file, which Gatekeeper does not block.
Figure 2. Gatekeeper bypass detailed by Patrick Wardle
Wardle confirmed this security weakness exists within Gatekeeper on OS X Yosemite (10.10) and the most recent beta version of El Capitan (10.11), but believes that this weakness dates back to the introduction of Gatekeeper in 2012.
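The pattern described above is an unsigned executable sitting beside a signed one, which a check on the signed parent never covers. As an added, defender-side triage example (not code from the article or from Wardle's research), the script below walks a downloaded directory, identifies Mach-O executables by their header, and lists those with no embedded code signature at all. It parses only the Mach-O header and load commands, so a hit means "no signature present", not "signature invalid"; confirm hits on the Mac with `codesign -v` and `spctl --assess`. Universal (fat) binaries are not handled, and the sample "download" it scans is constructed in a temporary directory.

```python
import os
import struct
import tempfile

MH_MAGIC_64, MH_MAGIC = 0xFEEDFACF, 0xFEEDFACE   # thin Mach-O magic; headers are little-endian on Intel/ARM Macs
LC_SEGMENT_64, LC_CODE_SIGNATURE = 0x19, 0x1D    # 0x1D is the load command that locates the signature blob

def classify(data: bytes) -> str:
    """Return 'signed' (LC_CODE_SIGNATURE present), 'unsigned' (Mach-O without one) or 'not-macho'."""
    if len(data) < 28 or struct.unpack("<I", data[:4])[0] not in (MH_MAGIC_64, MH_MAGIC):
        return "not-macho"                       # universal (fat) binaries are not handled here
    pos = 32 if data[:4] == struct.pack("<I", MH_MAGIC_64) else 28   # sizeof(mach_header[_64])
    sizeofcmds = struct.unpack("<I", data[20:24])[0]
    end = pos + sizeofcmds
    while pos + 8 <= min(end, len(data)):        # stay inside the load-command area and the file
        cmd, cmdsize = struct.unpack("<II", data[pos:pos + 8])
        if cmd == LC_CODE_SIGNATURE:
            return "signed"
        pos += max(cmdsize, 8)                   # never stall on a malformed zero-size command
    return "unsigned"

def find_unsigned(root: str) -> list:
    """Walk a downloaded directory and list every Mach-O file that has no embedded signature."""
    hits = []
    for dirpath, _, files in os.walk(root):      # os.walk also returns hidden (dot) files
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                if classify(f.read()) == "unsigned":
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)

def fake_macho(signed: bool) -> bytes:
    # Constructed, non-runnable 64-bit Mach-O stub: header + one dummy segment (+ signature command).
    cmds = struct.pack("<II", LC_SEGMENT_64, 72) + b"\0" * 64
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)     # cmd, cmdsize, dataoff, datasize
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,    # magic, cputype, cpusubtype, filetype
                       2 if signed else 1, len(cmds), 0, 0) + cmds   # ncmds, sizeofcmds, flags, reserved

def demo() -> list:
    # Constructed 'download': a signed app bundle beside a hidden, unsigned executable.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Good.app", "Contents", "MacOS"))
    samples = {"Good.app/Contents/MacOS/Good": fake_macho(True),
               ".payload": fake_macho(False), "README.txt": b"not a binary"}
    for rel, blob in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(blob)
    return find_unsigned(root)   # -> ['.payload']
```

Point `find_unsigned` at a real unpacked download on a Mac to get the list of files worth a closer look; the signed app itself is deliberately not reported, since its trust is what `spctl` decides.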
Mitigation and future patch
According to Wardle, Apple is working on a short-term mitigation for this weakness until it can release a full patch. Until either is available, users should only download applications from trusted sources, such as the Mac App Store.