Hopefully Apple fixes this behaviour. Quite the obvious flaw from a designer's perspective; I'm surprised they didn't notice it earlier.

I can't tell if you're trolling or you just don't know how massively complicated a software project like OS X is. Like 70% of the time security exploits are found by security researchers (it is their job after all) or random third parties. Check out any security update. Here's a good example: https://support.apple.com/en-us/HT205212

As you can see, most of the issues were found by people outside of Apple, so the flaw is anything but "obvious"

Also, this is where El Capitan's System Integrity Protection will come in. Even if a malicious application can bypass Gatekeeper, the amount of damage that it can potentially do is greatly reduced with SIP.
 
I believe the point is that with enough resources there is absolutely NOTHING Apple, Google, or Microsoft can do to stop various attacks. It's just the world we live in.
 
No, the fix is you need code signing that actually works right. That ensures the code you are running was not changed from the Developer and/or Apple's review. Then it doesn't matter how insecure the intermediate steps are.

This is called the end-to-end principle of the Internet.
If it's that easy, it would have been done
 
But now, a security researcher has discovered a simple method of bypassing Gatekeeper using a binary file already trusted by Apple to attack a user's computer (via Ars Technica).

They have done no such thing. Gatekeeper is meant to prevent you from running apps from unidentified sources (and for power users/organizations, control which sources to allow apps to run from). It also provides a simple way to revoke the identifying certificates should someone use this to publish malware.

It does not, however, prevent malware. The Mac App Store requires sandboxing, which will limit the kinds of damage a malicious app can do to the system (basically to files/folders you grant access to the app for).

The researcher has decided that gatekeeper is meant to prevent arbitrary code execution by an app. However, for non-MAS apps, the developer has the ability to sign and distribute arbitrary code anyway - apple does not vet independently distributed apps, nor do they require them to be sandboxed.

The researcher who discovered the exploit sent news of it to Apple about 60 days ago and "believes they are working on a way to fix the underlying cause or at least lessen the damage it can do to end users." Since then, an Apple spokesperson has confirmed the company is working on a patch for the issue and has asked that the identities of the specific files used in the exploit not be disclosed.

Apple could give a crap about this in the context of non-MAS apps - I'd argue it isn't even an exploit there, again because the developer has the ability to already ship arbitrary code as part of their signed binary. Apple wants to keep developers from breaking MAS guidelines by downloading/executing arbitrary code outside a reviewed release (for a random example, a calculator app that upon typing 5318008 downloads and becomes a SNES emulator.)
 
Hopefully Apple fixes this behaviour. Quite the obvious flaw from a designer's perspective; I'm surprised they didn't notice it earlier.

Why would they notice, that isn't the job of gatekeeper. All gatekeeper allows Apple to do is revoke the certificate of vendors they know are doing something dodgy then XProtect kicks in and does its thing. All gatekeeper does is verify the certificate in the software bundle - that is it.
 
It is interesting that this guy tricked the media into thinking Gatekeeper is supposed to stop malware.
 
Gatekeeper is always off for me. So don't care.
I get a kick from submitting totally shady .zip.app files to VirusTotal just to see what is in them. I have a few applications that are not available on the store. If they are, I make every attempt to get the version that is not from the store. The Sparkle framework is the best thing ever.
 
Because I'm a tinkerer and a renegade... lol

I suppose you know that you can bypass Gatekeeper for unsigned apps by opening them from the context menu? There’s no reason for disabling Gatekeeper unless you want to install apps that Gatekeeper deems compromised.

Me too. It just gets in the way and I don't use the App Store, since app store apps are so limited in functionality. Being careful and using signatures from trusted sources has worked for me for a long time.

How does this get in the way exactly? Gatekeeper has nothing to do with the App Store.
 
Me too. It just gets in the way and I don't use the App Store, since app store apps are so limited in functionality. Being careful and using signatures from trusted sources has worked for me for a long time.

Limited in what way? Logic and Final Cut are from the App Store. Pixelmator too. Apps are only limited by the developer, not the app store.
 
The researcher who discovered the exploit sent news of it to Apple about 60 days ago and "believes they are working on a way to fix the underlying cause or at least lessen the damage it can do to end users." Since then, an Apple spokesperson has confirmed the company is working on a patch for the issue and has asked that the identities of the specific files used in the exploit not be disclosed.
It'll be interesting to see if they'll also patch Lion which is out of support and Mountain Lion which will go out of support when El Capitan is released but both have Gatekeeper.
 
Why would they notice, that isn't the job of gatekeeper. All gatekeeper allows Apple to do is revoke the certificate of vendors they know are doing something dodgy then XProtect kicks in and does its thing. All gatekeeper does is verify the certificate in the software bundle - that is it.

Why wouldn't the Apple engineers notice an obvious flaw in their implementation of Gatekeeper that allows privilege escalation? It's an obvious flaw using a signed program to run an unsigned one.

I can't tell if you're trolling or you just don't know how massively complicated a software project like OS X is. Like 70% of the time security exploits are found by security researchers (it is their job after all) or random third parties. Check out any security update. Here's a good example: https://support.apple.com/en-us/HT205212

As you can see, most of the issues were found by people outside of Apple, so the flaw is anything but "obvious"

Also, this is where El Capitan's System Integrity Protection will come in. Even if a malicious application can bypass Gatekeeper, the amount of damage that it can potentially do is greatly reduced with SIP.

I'm not trolling and you don't need to tell me how massively complicated a software project OS X is. I'm a software developer myself and have written very complex software with lots of security implications.

It is not difficult to sit back in your chair and think logically as a software writer, "hey wait if I allow this program to launch another one and gatekeeper ignores it, that would be a privilege escalation disaster." Literally all they would need to do is enact Gatekeeper any time a process is launched for the first time instead of only when an application is launched after being downloaded.

This is a seriously obvious flaw that I would have noticed straight away had I written Gatekeeper, and I have written plenty of software that has to deal with complex permissions and privileges.

Practically everything I do is server side software that has to interact securely with client software, and that creates a lot of exposure whereby nefarious clients can exploit bugs and security lapses. Number one rule there is never trust the client: server side verification of every action, layers upon layers of permissions for each action.

Honestly this Gatekeeper thing is so obvious I'm surprised they didn't catch it during the design phase.
 
privilege escalation

What? When did Gatekeeper prevent privilege escalation? Even a Hello World program unsigned by me would have an issue with Gatekeeper. It does not do anything else other than check if the app is from a trusted location.
 
I'm not particularly concerned about this "exploit". Anyone seeking to make use of it could just as easily put the malware directly in the developer-signed application in the first place. Why go through the extra steps of invoking additional applications when you can do it in the initial one?

The only thing that keeps the self-signed applications on the up-and-up is that the developer ID can be revoked for bad behavior - whether it's in the signed application or a bundled application called by it makes little difference if the developer is doing this intentionally.

The only real attack vector here is if an application is known to invoke "helper" executables, and someone executes a man-in-the-middle attack to create a modified distribution with the legit signed main application but with one or more malware-infected helper executables, and then passes that off as a legit bundle. Possible, but limiting downloads to trusted/official sites will prevent that.

The problem is that the malicious developer doesn't need to get a developer ID from Apple at all. By bundling their unsigned application with two particular Apple-signed applications in a .dmg, they can have their software run without any Gatekeeper prompting, even when Gatekeeper is on the highest setting ("Only allow applications from Mac App Store").
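The two posts above turn on the same defender-side check: the main executable of a distribution being signed says nothing about the helper executables shipped next to it, and a Gatekeeper assessment of the launched bundle does not cover an unsigned program sitting elsewhere in the same .dmg. The script below is an added example, not code from the thread, Apple or the researcher: it walks a bundle or mounted disk image, identifies Mach-O files by their header magic, and sorts each one by whether it carries a valid signature. On macOS the default verifier shells out to `codesign --verify --strict`; `run_demo()` builds a constructed bundle (`Demo.app` with a fabricated `helper` and `updater`) in a temporary directory and substitutes a stub verifier so the logic can be exercised offline.

```python
import os
import struct
import subprocess
import tempfile
from typing import Callable, Dict, List

# Mach-O header magics as they appear on disk (thin 32/64-bit, both byte orders)
# and the big-endian fat/universal header magic.
THIN_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}   # MH_MAGIC_64 / MH_CIGAM_64
FAT_MAGIC = b"\xca\xfe\xba\xbe"


def is_macho(path: str) -> bool:
    """Cheap on-disk test for Mach-O or fat binaries by header magic."""
    try:
        with open(path, "rb") as f:
            head = f.read(8)
    except OSError:
        return False
    if head[:4] in THIN_MAGICS:
        return True
    if head[:4] == FAT_MAGIC and len(head) == 8:
        # Java .class files share CAFEBABE; a genuine fat header has a small arch count.
        nfat_arch = struct.unpack(">I", head[4:8])[0]
        return 0 < nfat_arch < 20
    return False


def codesign_verify(path: str) -> bool:
    """Real check, macOS only: codesign(1) exits 0 when the file's signature is valid."""
    try:
        return subprocess.run(["codesign", "--verify", "--strict", path],
                              capture_output=True).returncode == 0
    except FileNotFoundError:  # not running on macOS
        return False


def audit_tree(root: str,
               verify: Callable[[str], bool] = codesign_verify) -> Dict[str, List[str]]:
    """Walk a bundle or mounted .dmg and list every Mach-O file by signature status.

    Helpers that a signed main binary may launch are reported alongside it, which is
    the gap a single assessment of the launched bundle does not cover.
    """
    signed: List[str] = []
    unsigned: List[str] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not is_macho(full):
                continue
            rel = os.path.relpath(full, root)
            (signed if verify(full) else unsigned).append(rel)
    return {"signed": sorted(signed), "unsigned": sorted(unsigned)}


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def run_demo() -> Dict[str, List[str]]:
    """Constructed sample: a bundle whose main binary is 'signed' but whose helpers are not."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "Demo.app")
        macho64 = b"\xcf\xfa\xed\xfe" + b"\0" * 28            # fabricated MH_MAGIC_64 header
        fat2 = FAT_MAGIC + struct.pack(">I", 2) + b"\0" * 24  # fabricated fat header, 2 archs
        javaclass = FAT_MAGIC + struct.pack(">HH", 0, 52) + b"\0" * 24  # CAFEBABE, not Mach-O
        _write(os.path.join(app, "Contents/MacOS/Demo"), macho64)
        _write(os.path.join(app, "Contents/MacOS/helper"), macho64)
        _write(os.path.join(app, "Contents/Resources/updater"), fat2)
        _write(os.path.join(app, "Contents/Resources/Classy.class"), javaclass)
        _write(os.path.join(app, "Contents/Info.plist"), b"<plist/>")
        # Stand-in for codesign on non-macOS hosts: only the main executable counts as signed.
        signed_paths = {os.path.join(app, "Contents/MacOS/Demo")}
        return audit_tree(app, verify=lambda p: p in signed_paths)


if __name__ == "__main__":
    print(run_demo())
```

On a real download, point `audit_tree` at the mounted image (`/Volumes/<name>`) rather than at the single .app you intend to open: anything listed under `unsigned` is code the main application's signature does not vouch for, and the `signed` list only says each file verifies on its own, not that it belongs to the same developer, so follow up with `codesign -dv` on anything surprising.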
 
It's too bad that Apple has had some security issues lately. While it's true that this one won't affect many users, the fact remains that we're seeing it more in the news. Personally I don't use Gatekeeper, but I also don't download and install apps from sources that are not trusted.
 
Apple has traditionally been so slow in terms of security updates, that we are not seeing a ton of malware only because Mac OS has such small marketshare, particularly in the backwoods of Russia, Ukraine and China....
 
Is it just me, or is this a non-story?
If you present Gatekeeper a trusted file, bad things could happen.
Isn't this like saying - If I have your front door key… look what I can do…

File this with the low cost iPhone in spring story. Should never have seen the light of day, macrumors!
 
Apple has traditionally been so slow in terms of security updates, that we are not seeing a ton of malware only because Mac OS has such small marketshare, particularly in the backwoods of Russia, Ukraine and China....

That's because security attacks were so minimal. Now the user base has grown it's becoming a regular thing. Apple needs to improve and grow their security division.
 
The researcher has decided that gatekeeper is meant to prevent arbitrary code execution by an app. However, for non-MAS apps, the developer has the ability to sign and distribute arbitrary code anyway - apple does not vet independently distributed apps, nor do they require them to be sandboxed.

Your interpretation is not correct either. Gatekeeper/OS X/XNU is smart enough to keep track of what code has been signed when loaded into memory. That is, the system can detect code that was downloaded intentionally, due to a bug, compiled by the program itself (e.g. JIT) or added on after signing. This is apparently what is broken.

On iOS, only code that has been signed by Apple is allowed to execute. No downloaded or JIT code is allowed. On OS X, this is an optional feature that is not enabled by default. However, the system does still keep track of whether unsigned code is set up to be executed, which you can query to detect integrity issues. (You see messages about code signing bits cleared) See http://newosxbook.com/articles/CodeSigning.pdf
 
What? When did Gatekeeper prevent privilege escalation? Even a Hello World program unsigned by me would have an issue with Gatekeeper. It does not do anything else other than check if the app is from a trusted location.

You're not reading what I said correctly.

I'm saying, using a signed application that Gatekeeper does allow to run you can run programs that do not have the ability to run with Gatekeeper activated. This is giving unsigned programs privileges that only signed ones have. That is how it's a privilege escalation issue.

Gatekeeper should be giving a dialog box to the user each time a new application is run full stop, even ones launched by other processes that are already running and that are signed.
 