OS X Gatekeeper Vulnerability Remains Unfixed Despite Two Security Patches
OS X Gatekeeper vulnerability, discovered last year, was believed to have been fixed by Apple. The researcher responsible for the discovery is now reporting that the exploit remains even after two security patches have been released by the company.
Apple only blacklisted apps using the Gatekeeper exploit:
Gatekeeper vulnerability was first reported by the security researcher Patrick Wardle of Synack. Apple introduced Gatekeeper to OS X in 2012 as an added layer of security to its desktop operating system. Gatekeeper checks the digital certificate of an application that is being installed on a Mac to make sure that it has been signed by an approved developer, or the download comes from the Apple App Store. The Gatekeeper software has been protecting OS X from malicious installers since OS X Lion v10.7.5. Wardle had reported this serious flaw in OS X lets hackers easily bypass Gatekeeper, allowing any malicious app to run regardless of Gatekeeper settings.
After Apple released the security fix, everyone believed that the problem was done with. Wardle, however, continued his research. Engadget is now reporting that Apple had only “blacklisted the binaries Wardle was using to demonstrate the issue. When he talked to Apple about it, the company issued a new security update that just blacklisted the latest apps he was working with.”
Wardle says that Apple’s method of blacklisting the apps instead of fixing the issue only provides limited protection. However, Apple’s team has reportedly assured Wardle that they are working on a more comprehensive fix. In the meanwhile, the only way you can keep yourself secure from the Gatekeeper vulnerability is to download apps from trusted developers using HTTPS.
The vulnerability is especially concerning, because it opens up Macs to altered apps that are the result of man-in-the-middle attacks when something is downloaded via regular HTTP instead of secure HTTPS.
While Apple is working on a fix, Wardle suggests only downloading apps from the Mac App Store or from trusted vendors that use HTTPS.
We will update you when Apple sends a better and complete fix to the OS X Gatekeeper vulnerability.