Apple’s Gatekeeper technology is intended to protect Mac OS X users from malicious software, but according to Patrick Wardle, director of research at Synack, there are some holes that could enable attackers to exploit systems and bypass Gatekeeper.
Gatekeeper is the built-in anti-malware technology that Apple has integrated into OS X since the OS X 10.7.5 “Mountain Lion” release in 2012.
“Gatekeeper conceptually is good technology and protects users from inadvertently running unsigned code,” Wardle told eWEEK. “The fundamental issue that I found is that Gatekeeper does not validate external content.”
The way Gatekeeper works is that the initial application that a user runs has to be signed and verified, according to Wardle. However, if that application executable in turn looks for secondary content in the same installer package, the auxiliary content is not verified by Gatekeeper. The flaw was reported to Apple, and a patch was issued for the vulnerability identified as CVE-2015-7024.
The only problem, according to Wardle, is that the patch is incomplete and an attacker could still bypass Gatekeeper’s protections to load unsigned code.
“The way Apple patched the issue is to just blacklist the signed Apple binaries that I used to trigger the flaw,” he said. “I’d like to see Apple release a patch that is more comprehensive, and they have indicated to me that they are working on a bigger Gatekeeper fix.”
The correct fix would be for a Gatekeeper hook into the Mac OS X kernel where it can monitor all process execution, Wardle said. As any system process is started, the kernel-hooked Gatekeeper could then validate any process that is being run from the Internet to make sure that it has been digitally signed.
The other fix for the CVE-2105-7024 vulnerability is for users to only download software via the Apple Mac store, which is not impacted by the vulnerability.
Wardle is no stranger to Apple Gatekeeper vulnerabilities and first alleged insecurity in the system back in March 2015. The vulnerability that Wardle first identified is a flaw identified as CVE- 2015-3715 that Apple has already patched, though again the claim made by Wardle is that the patch is not entirely complete.
The CVE- 2015-3715 flaw affects dynamic-link libraries (DLL) that are statically linked with an application. Apple now scans executables to identify when DLLs are imported, and if the DLLs are located outside of the application bundle and not in a trusted system directory, Gatekeeper blocks the application.
“But if the application dynamically loads libraries from a local location, a malicious installer package could bypass Gatekeeper,” Wardle said. “The problem is that Gatekeeper doesn’t do any runtime analysis or analysis on secondary components.”
While Apple works on further hardening Gatekeeper against the risks of unsigned binaries running on a system, Wardle is releasing a free tool called Ostiarius that can help Mac OS X users by blocking unsigned binaries from running.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
