Apple’s Gatekeeper is supposed to protect the Mac OS X users from malicious software, but a researcher, Patrik Wardle, director of research at Synack, suggests that there are certain loopholes that can be exploited by attackers, subsequently enabling them to bypass the Gatekeeper.
The Gatekeeper is an anti-malware technology that was first introduced by Apple into the OS X ecosystem with the OS X 10.7.5 “Mountain Lion” launch in 2012.
When contacted for his statement, Wardle said, “Gatekeeper conceptually is good technology and protects users from inadvertently running unsigned code. The fundamental issue that I found is that Gatekeeper does not validate external content.”
Th main issue was in the installation process of the applications. The Gatekeeper allowed the installation of signed and verified applications, but, if the script was nested inside the package, there was no way that the anti-malware could detect and prevent its execution. After being reported of this flaw, Apple rolled out a patch, identified as CVE-2015-7024.
However, Wardle still believes that the patch is yet to be freed of all the loopholes and an attacker could still bypass the Gatekeeper thus loading a code that is unsigned.
“The way Apple patched the issue is to just blacklist the signed Apple binaries that I used to trigger the flaw,” he said. “I’d like to see Apple release a patch that is more comprehensive, and they have indicated to me that they are working on a bigger Gatekeeper fix.”
The flaw in the patch will directly affect dynamic-link libraries that have been linked statically to the application. Apple will now scan the DLL’s and then, if they are not found in a directory that is trusted, the Gatekeeper will then block the application.
However, Wardle again pointed out an issue in this scheme of protection and said,”But if the application dynamically loads libraries from a local location, a malicious installer package could bypass Gatekeeper, the problem is that Gatekeeper doesn’t do any runtime analysis or analysis on secondary components.“.
To make sure that such security issues don’t prevail, Wardle is launching a free tool called Ostiarius that is primarily responsible for the protection of Mac OS X users, by blocking unsigned binaries from running.