
Glassed Silver

macrumors 68020
Mar 10, 2007
2,096
2,567
Kassel, Germany
If we get even more prompts we might as well go back to Windows UAC approaches.

If you trust an application to run, why wouldn't you allow it to run other executable code as well?

To Average Joe it's all the same anyways and advanced users don't run code they don't trust loading other code.

After all, if I want to infect a computer, why would I need to modularize the malicious part?

Glassed Silver:mac
 

Carlanga

macrumors 604
Nov 5, 2009
7,132
1,409
...
XcodeGhost made its way on to developer computers because people were stupid enough to disable and purposely ignore the basic protection Gatekeeper provides. All Gatekeeper does is tell you whether the signature of a signed application is valid.
There is a good amount of legitimate software that is unsigned. I will take my chances...
 

Nermal

Moderator
Staff member
Dec 7, 2002
20,655
4,058
New Zealand
Why would you do that? o_O
In my case, because Gatekeeper prevents dragging text files with no extension onto TextEdit (it seems to assume that any file with no extension is executable). I need to do that a lot and don't want to have to manually unblock each individual file.
 

KALLT

macrumors 603
Sep 23, 2008
5,361
3,378
There is a good amount of legitimate software that is unsigned. I will take my chances...

Which you can still run by right-clicking on the app and selecting “Open”. Gatekeeper doesn’t prevent you from running unsigned apps and you only need to do this once for every new app.

Because I run apps outside of the app store and those valid apps just won't run.

Which you can still run by right-clicking on the app and selecting “Open”. Gatekeeper doesn’t prevent you from running unsigned apps and you only need to do this once for every new app.

In my case, because Gatekeeper bizarrely prevents dragging text files with no extension onto TextEdit. I need to do that a lot and don't want to have to manually unblock each individual file.

That does seem bizarre, but it does seem like an unusual case to begin with. ;-) Regardless, that is a valid case for turning it off, because it actually prevents you from doing something actively.
 

maflynn

macrumors Haswell
May 3, 2009
73,552
43,528
Which you can still run by right-clicking on the app and selecting “Open”. Gatekeeper doesn’t prevent you from doing this.
But now I don't have to click anything and as noted by this article, you're not really gaining a lot of security since a validated program can just up some malware or key-loggers and compromise your system.

Wouldn't it be better to know it's off and practice safe computing than have it on and think you're safe and be blissfully unaware that your system could be compromised :)
 

nt5672

macrumors 68040
Jun 30, 2007
3,365
7,202
Midwest USA
Limited in what way? Logic and Final Cut are from the App Store. Pixelmator too. Apps are only limited by the developer, not the app store.

Yep, if all you use your computer for are Apple approved uses, then you'll find no limitations. I do find numerous limitations, for example:

"The version of BBEdit available in the Mac App Store does not support authenticated saves (the ability to save changes to files that you do not own) and does not include the command-line tools, in order to comply with Apple’s submission guidelines."
Since I do real computer work with my computer, not just Twitter, Facebook and email, I need to be able to install tools that are for computer professionals. The Mac OS App Store sandboxing prevents that in a lot of cases. Nothing in the App store can mess with, enhance, configure, or optimize the computer, networking stack, or the OS. There is nothing the developer can do about it because it is Apple policy.

If Apple takes away the switch to turn off sandboxing, then I will abandon Apple devices. I paid for the hardware and I want to be able to do with it what I wish. And if I can't then I have lost some significant freedom.
 

nt5672

macrumors 68040
Jun 30, 2007
3,365
7,202
Midwest USA
. . . .
How does this get in the way exactly? Gatekeeper has nothing to do with the App Store.
In order to be in the App Store the app has to not mess with the OS, the network, the menus, etc. The app has to run in a sandboxed environment and use only your files in their approved locations.

Now, maybe it has gotten better recently, but I have no intention of supporting sandboxing on a general purpose computer, unless I can fully remove the restrictions. Today I can, but if the iPad Pro becomes the only next generation computer from Apple (replaces MacBooks), we will not based on iOS today, and in that case I will drop all Apple devices. Period. It is a matter of freedom and being able to use the hardware as I see fit, not as Apple sees fit.
 

KALLT

macrumors 603
Sep 23, 2008
5,361
3,378
But now I don't have to click anything and as noted by this article, you're not really gaining a lot of security since a validated program can just up some malware or key-loggers and compromise your system.

Wouldn't it be better to know it's off and practice safe computing than have it on and think you're safe and be blissfully unaware that your system could be compromised :)

Saving you what, 2 seconds? For that you are disabling a useful security net for no good reason. Gatekeeper does not guarantee that your system isn’t compromised, but it can help you with spotting hijacked applications and make you aware that what you are downloading is not conforming to Apple’s security best practices. That should already make you even more alert. Safe computing also means that you should take even little security checks seriously and don’t take unnecessary risks. Gatekeeper doesn’t interfere with anyone’s work and is a minor annoyance at best.

In order to be in the App Store the app has to not mess with the OS, the network, the menus, etc. The app has to run in a sandboxed environment and use only your files in their approved locations.

Now, maybe it has gotten better recently, but I have no intention of supporting sandboxing on a general purpose computer, unless I can fully remove the restrictions. Today I can, but if the iPad Pro becomes the only next generation computer from Apple (replaces MacBooks), we will not based on iOS today, and in that case I will drop all Apple devices. Period. It is a matter of freedom and being able to use the hardware as I see fit, not as Apple sees fit.

This has nothing to do with what I said.
 

manu chao

macrumors 604
Jul 30, 2003
7,219
3,031
Saving you what, 2 seconds? For that you are disabling a useful security net for no good reason.
Is that 2 seconds every time you launch the application or only once? Gatekeeper on or off, we already get a warning when launching an application that is downloaded from the internet for the first time.
Gatekeeper does not guarantee that your system isn’t compromised, but it can help you with spotting hijacked applications and make you aware that what you are downloading is not conforming to Apple’s security best practices. That should already make you even more alert. Safe computing also means that you should take even little security checks seriously and don’t take unnecessary risks. Gatekeeper doesn’t interfere with anyone’s work and is a minor annoyance at best.
If a developer's server is compromised, being signed by the developer's certificate might not mean much either. I see developer signing mainly as a protection against man-in-the-middle attacks which again can be stopped if the download is handled via https. I for one make it a habit to only download applications from the developer's site (i.e., not using sites like MacUpdate).
 

sw1tcher

macrumors 603
Jan 6, 2004
5,476
19,129
The researcher who discovered the exploit sent news of it to Apple about 60 days ago and "believes they are working on a way to fix the underlying cause or at least lessen the damage it can do to end users." Since then, an Apple spokesperson has confirmed the company is working on a patch for the issue and has asked that the identities of the specific files used in the exploit not be disclosed.

Gatekeeper?

Angela Bennett is working on it.

 

Terminated

macrumors newbie
Mar 18, 2014
6
0
Like others, I believe Gatekeeper's limitations are by design. Gatekeeper's only purpose is to identify developers. If an identified developer chooses to write insecure code, like loading unsigned executables, neglecting to quarantine downloaded files or sending your saved emails to your mother-in-law, that's something Gatekeeper doesn't currently consider its business.

About the suggestion that signed executables should be prevented from executing unsigned ones until the user consents, that has more implications than it might seem at first sight:

1) If we only apply this restriction to quarantined files (i.e. files downloaded but not yet approved by Gatekeeper), we still have the problem that this feature relies on the downloader application marking the files as quarantined. A third party downloader can still download unsigned files that won't be checked before execution.

2) I see no way to force downloaders to be compliant unless a lot of limitations are imposed on the system that would break a lot of existing software.

3) Even with a compliant downloader, the problem would not be solved if the application executes the unsigned file using its own program loader implementation instead of regular APIs.

4) Applying Gatekeeper restrictions to non-quarantined files would cause a lot of alerts, which would make a lot of users simply disable Gatekeeper (more than already happens).

To summarise, completely guaranteeing that an identified developer is unable to download and run unsigned code is not impossible, but it would require removing a lot of functionality from the system so that checks cannot be bypassed. I don't see it happening in the short term.
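Point 1 of the post above, seen from the defender's side, as an added example that is not part of the original post: a small audit that lists Mach-O files carrying no `com.apple.quarantine` attribute, i.e. executables that would not have been assessed on first launch. The function names and the `flags;hex_epoch;agent;uuid` layout of the attribute value are assumptions of this example.

```python
import os
import subprocess
import sys
from datetime import datetime, timezone

QUARANTINE_ATTR = "com.apple.quarantine"
# Mach-O and universal ("fat") magic numbers in both byte orders. 0xCAFEBABE is
# also used by Java class files, so a hit is a candidate, not a verdict.
MACHO_MAGICS = {bytes.fromhex(h) for h in (
    "feedface", "feedfacf", "cefaedfe", "cffaedfe", "cafebabe", "bebafeca")}

def is_macho(path):
    """True if the file starts with a Mach-O or universal-binary magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False

def read_quarantine(path):
    """Return the raw quarantine attribute value, or None if the file has none."""
    try:
        if hasattr(os, "getxattr"):  # Python on Linux; absent on macOS builds
            return os.getxattr(path, QUARANTINE_ATTR).decode()
        out = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                             capture_output=True, text=True)  # macOS xattr tool
        return out.stdout.strip() if out.returncode == 0 else None
    except (OSError, UnicodeDecodeError):
        return None

def parse_quarantine(value):
    """Split an attribute value using the assumed flags;hex_epoch;agent;uuid layout."""
    flags, stamp, agent, uuid = (value.split(";") + [""] * 4)[:4]
    try:
        when = datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        when = None  # missing or malformed timestamp field
    return {"flags": flags, "time": when,
            "agent": agent or None, "uuid": uuid or None}

def unflagged_executables(root):
    """Walk root and list Mach-O files that carry no quarantine attribute."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not is_macho(path):
                continue
            if read_quarantine(path) is None:
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    # Default to the user's Downloads folder; pass another directory as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    for found in unflagged_executables(target):
        print("no quarantine flag:", found)
```

A missing flag is not proof of tampering, since files built or copied locally never receive one; the list is a starting point for review.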
 

Tech198

Cancelled
Mar 21, 2011
15,915
2,151
Not really an issue... We knew this...


Gatekeeper only blocks the app in question you're trying to install, not any other things the app installs..

Thus, u allow gatekeeper to install an app, u also allow the responsibility of all that app provides including possibly infection...

How is this new ? or didn't we know ? Apple should not worry about this because the user allows the apps...

Just also says "don't install apps u don't trust" but we knew this right ?

You can't stop people from typing in passwords to authenticate installs or pass Gatekeeper if users first just accept it in the first place... Same with UAC on Windows... It strengthens security, but nothing will prevent the user who just wants to install this regardless. That's probably about 85% of users.

see, in the Mac world it's not all good either... and u thought we were "safe" :D
 

KALLT

macrumors 603
Sep 23, 2008
5,361
3,378
Is that 2 seconds every time you launch the application or only once? Gatekeeper on or off, we already get a warning when launching an application that is downloaded from the internet for the first time.

No, just the first time. Yes, that warning you will get anyway, even with Gatekeeper off (although I think you can disable that with a Terminal command).

If a developer's server is compromised, being signed by the developer's certificate might not mean much either. I see developer signing mainly as a protection against man-in-the-middle attacks which again can be stopped if the download is handled via https. I for one make it a habit to only download applications from the developer's site (i.e., not using sites like MacUpdate).

That is indeed what you should do, if possible. All Gatekeeper does is let developers sign their applications at compile time with a valid, registered Apple ID before they distribute it, regardless where it ends up. It’s an additional layer of protection and a demonstration of adherence to some of Apple’s security best practices. Whenever I encounter an application that isn’t signed, I check again first and think twice. Of course Gatekeeper doesn’t absolve you from other security checks, but this feature doesn’t do any harm and will not interfere with your work. You can still run everything you want. Turning it off just means that you won’t prevent any hijacked applications from running on your system, even though Gatekeeper might have alerted you in some cases.
 

manu chao

macrumors 604
Jul 30, 2003
7,219
3,031
No, just the first time. Yes, that warning you will get anyway, even with Gatekeeper off.
I might up the Gatekeeper setting if that is the only inconvenience.
That is indeed what you should do, if possible. All Gatekeeper does is let developers sign their applications at compile time with a valid, registered Apple ID before they distribute it, regardless where it ends up. It’s an additional layer of protection and a demonstration of adherence to some of Apple’s security best practices. Whenever I encounter an application that isn’t signed, I check again first and think twice. Of course Gatekeeper doesn’t absolve you from other security checks, but this feature doesn’t do any harm and will not interfere with your work. You can still run everything you want. Turning it off just means that you won’t prevent any hijacked applications from running on your system, even though Gatekeeper might have alerted you in some cases.
I am wondering what I would do if I got a Gatekeeper warning? Assume that for some reason the developer didn't sign it or assume somebody monkeyed with my download? If somebody did tamper with my downloads, this could also happen during a software update of an application. Would Gatekeeper alert me to that as well? (The 'You have downloaded this application from the Internet' warning does not show up after merely updating an application.)
 

KALLT

macrumors 603
Sep 23, 2008
5,361
3,378
I might up the Gatekeeper setting if that is the only inconvenience.

I am wondering what I would do if I got a Gatekeeper warning? Assume that for some reason the developer didn't sign it or assume somebody monkeyed with my download? If somebody did tamper with my downloads, this could also happen during a software update of an application. Would Gatekeeper alert me to that as well? (The 'You have downloaded this application from the Internet' warning does not show up after merely updating an application.)

You can find more information here: https://support.apple.com/en-gb/HT202491. Also, you can write your own scripts or use Terminal commands with the spctl command-line utility which gives you additional options (like customised rules).
 

sudo1996

Suspended
Aug 21, 2015
1,496
1,182
Berkeley, CA, USA
Exactly. That’s why I can’t understand why anyone would disable it. Gatekeeper will only become a problem when something is actually wrong with an application. To me that’s almost the equivalent of disabling the SSL certificate validation in your browser when you’re accessing a website over HTTPS protocol. It would undermine the whole point of this type of security, because you’re relying on the validity of a certificate and integrity of the recipient or software. When developers specifically sign their applications to let you verify that they’re legit when you download them, why would you not make use of that?
They probably disabled it for the same reason I did. They saw that they couldn't run their programs, Googled how to disable it since they never had to deal with it in Snow Leopard, and disabled it without looking further because they were too busy with whatever they were doing to bother researching how OS X Gatekeeper works.

Anyway, you shouldn't even need Gatekeeper to be active to have this protection. If you open a signed application that fails the checksum, it should at least warn you regardless. But it doesn't.
 

inkswamp

macrumors 68030
Jan 26, 2003
2,953
1,278
So, this is conceptually something a Trojan horse app could exploit, right, or am I missing something? I think it's pretty widely acknowledged that there's no real way to protect a computer against users running malicious applications. Not sure I see the news here.
 

yaedaien

macrumors newbie
Jun 19, 2015
5
3
You're not reading what I said correctly.

I'm saying, using a signed application that Gatekeeper does allow to run you can run programs that do not have the ability to run with Gatekeeper activated. This is giving unsigned programs privileges that only signed ones have. That is how it's a privilege escalation issue.

Gatekeeper should be giving a dialog box to the user each time a new application is run full stop, even ones launched by other processes that are already running and that are signed.

It's not privilege escalation. No privileges were escalated. You granted the app the ability to execute. The app can do anything it wants now, gatekeeper doesn't enforce a sandbox or anything else.

If the app developer launches another process using launch services, gatekeeper will get invoked. Otherwise, the developer has no good reason to launch other processes to be malicious, the app can be as malicious as it wants to, given the context it was executed under—no privilege will be escalated.

I think the only actual flaw was described by the other commenter, where some unsigned additional helper portion is tampered with in transit, or on a mirror site, and the legitimate application executes it unaware. If that can happen, it is a flaw to be addressed. Otherwise, it's just silliness since the app doesn't have to execute sneaky helpers to do evil, it just has to do the evil.
 

Quu

macrumors 68040
Apr 2, 2007
3,421
6,797
It's not privilege escalation. No privileges were escalated. You granted the app the ability to execute. The app can do anything it wants now, gatekeeper doesn't enforce a sandbox or anything else.

If the app developer launches another process using launch services, gatekeeper will get invoked. Otherwise, the developer has no good reason to launch other processes to be malicious, the app can be as malicious as it wants to, given the context it was executed under—no privilege will be escalated.

I think the only actual flaw was described by the other commenter, where some unsigned additional helper portion is tampered with in transit, or on a mirror site, and the legitimate application executes it unaware. If that can happen, it is a flaw to be addressed. Otherwise, it's just silliness since the app doesn't have to execute sneaky helpers to do evil, it just has to do the evil.

I disagree with your summation.
 

DaveP

macrumors 6502a
Mar 18, 2005
506
433

manu chao

macrumors 604
Jul 30, 2003
7,219
3,031
You can find more information here: https://support.apple.com/en-gb/HT202491. Also, you can write your own scripts or use Terminal commands with the spctl command-line utility which gives you additional options (like customised rules).
Thanks, it however doesn't tell me whether I have to re-exempt an app after it has been updated to a newer version. Apps whose 'updater' just downloads the new version and asks the user to replace the older version with the newer version very likely need a re-exemption. What happens with apps that use the open-source Sparkle framework to update themselves is an open question. Regardless, re-exempting apps after an update is a tolerable chore.

Something else struck me reading this Apple technote:
>> "Damaged" app. – The app has been altered by something other than the developer. This message will appear no matter the Gatekeeper option chosen.

This implies that the middle Gatekeeper setting does not add protection against tampering by third-parties (that exists at any Gatekeeper level). It adds protection against malicious developers themselves and against people spoofing to be the developer.

But I am not so sure what the difference actually is. If somebody can tamper with an application in transit, they surely can change the developer signature as well? Or can that signature only be generated at compile time?
 