Apple Gatekeeper flaw remains open to abuse

Despite attempts to mitigate the flaw, security researchers have shown Apple Gatekeeper can still be bypassed.

Patrick Wardle

Apple Gatekeeper remains open to exploit, as revealed by a researcher who has demonstrated yet another way to crack the security program.

Last year, Synack researcher Patrick Wardle revealed that the OS X Gatekeeper system could be bypassed should an unsigned program lurk in the same directory. While Apple patched some of the avenues through which Gatekeeper could be exploited with the OS X El Capitan 10.11.1 update, the flaw, assigned CVE-2015-7024, is still present on Mac machines.

As reported by Engadget, speaking at the Shmoocon security conference in Washington, D.C., Wardle revealed the anti-malware feature can still be bypassed even with a fully patched OS X 10.11.2 system.

First launched in 2012 with the Mountain Lion OS X update, Apple's Gatekeeper system is meant to give users control over which apps are allowed to run based on where they were downloaded from. Users can choose to allow apps from the Mac Store, from the Mac Store and accepted developers, or from anywhere, lessening the chance of downloading malware.

However, Wardle calls Gatekeeper "trivial" to bypass, which could be a major issue for Mac users who could end up downloading seemingly legitimate apps which actually contain malware, leading to data theft, spying and PC hijacking.

The bypass works through an attacker identifying a signed and trusted application which loads and executes at runtime. A malicious .dmg file is then created and injected onto a user's machine through a man-in-the-middle (MITM) attack when an insecure download -- such as via HTTP rather than HTTPS -- is initiated, or via a third-party app download source instead of the Mac Store.

The latest security patch Apple issued does not patch the flaw, but rather blocks some of the avenues of exploit.

In order to mitigate the issue, the iPad and iPhone maker blocked the signed applications used by the researcher to demonstrate the flaw -- as well as additional ones used during the latest Shmoocon talk, according to the publication -- but this does not fix the underlying problems which make Gatekeeper vulnerable.

While the current known and vulnerable signed apps have been blocked, there are likely more vulnerable apps out there which can be exploited -- and so the issue is yet to be resolved, but Wardle says he is working with the Apple team on a permanent fix.

In the meantime, Mac users should stick to trusted app sites and only download from the Mac Store, which remains the safest option.

In January, Apple released the latest version of the firm's mobile operating system, iOS 9.3. Within the update is a feature dubbed Wi-Fi Assist, designed to help users achieve reception in areas with poor connections. However, the feature can ramp up roaming costs as it is switched on by default -- which has prompted class-action lawsuits.

ZDNet has reached out to Apple and will update if we hear back.
