New OS X Exploit Bypasses Mac’s Malware Gatekeeper, Installs Malicious Apps

Rafia Shaikh
Posted Sep 30, 2015
Share Tweet Submit

A security researcher has discovered a “drop-dead simple technique” to bypass Gatekeeper, used to protect OS X from malicious installers.

Gatekeeper exploit discovered:

Apple introduced Gatekeeper to OS X in 2012 as an added layer of security to its desktop operating system. Gatekeeper checks the digital certificate of an application that is being installed on a Mac to make sure that it has been signed by an approved developer, or the download comes from the Apple App Store. This Gatekeeper software has been protecting OS X from malicious installers since OS X Lion v10.7.5, or so we thought.

Patrick Wardle, director of research at a security firm Synack, has found a simple workaround to Apple’s Gatekeeper software. This hack uses a file already signed by Apple to pass through Gatekeeper and once in, it executes malicious files. These nefarious files are included in the same folder, which can then do anything they want to completely bypassing Gatekeeper.

“If the application is valid—so it was signed by a developer ID or was (downloaded) from the Mac App Store—Gatekeeper basically says ‘OK, I’m going to let this run,’ and then Gatekeeper essentially exits,” Wardle explained to ArsTechnica. “It doesn’t monitor what that application is doing. If that application turns around and either loads or executes other content from the same directory… Gatekeeper does not examine those files.”

These bundled files can install varied types of malware, including password loggers, apps that can capture audio and video, and botnet software. A vulnerability in Gatekeeper, being one of the most important security features in OS X, could potentially risk users’ security as Mac users, both novices and experts, heavily rely on Apple’s own security to check anything for themselves.

Malwarebytes Discovered A 'Fruitfly' Malware That Runs Using Antiquated Code On Mac

“If I can find it, you have to assume groups of hackers or more sophisticated nation states have found similar weaknesses,” Wardle said. A company that has long considered security of its operating systems, both mobile and desktop, being the most premium, is facing a lot of heat lately. This is just another security flaw that has been discovered in Apple’s OS X recently, as we keep seeing new flaws and exploits in both the OS X and iOS.

The security team informed Apple of their findings 60 days ago and have shared their findings today. They have left the critical details out until Apple sends a patch – which might be coming in today’s El Capitan release.

Share Tweet Submit