Apple didn’t fix the Gatekeeper vulnerability, just blacklisted some apps using it


On September 30 last year, a Gatekeeper vulnerability for Macs was first reported, and while a fix was believed to have been released, it turns out that wasn’t the case.

Synack security researcher Patrick Wardle initially discovered the vulnerability within the app-stopping Gatekeeper software in OS X back in July, but the first reports of the vulnerability didn’t surface until September of last year. Gatekeeper works well enough to stop nefarious apps that might be installed from sites on the Internet, but it could miss some signed apps that made it onto an owner’s machine and that, upon launch, could run unsigned programs to wreak havoc on the system.

After Apple released a security fix for the issue, it was considered to be over and done with. However, Wardle continued to research, and found that Apple’s initial fix didn’t actually fix the problem at all. Instead of addressing the underlying issue specifically, Apple simply blacklisted the binaries that Wardle used to demonstrate the issue. When he brought that up to Apple, the company then just blacklisted the apps he was working with.

This essentially means that instead of going after the disease proper, Apple just met the symptoms with fixes, letting the disease fester in the background.

Apple, for its part, is apparently still hard at work on a fix, according to Wardle. He’s been in contact with Apple’s security teams as he’s conducted his own research, and seems confident that a proper fix is coming at some point in the future. However, he still has reservations about OS X users who might feel safe with the fix that’s been released, which doesn’t actually fix the issue at all.

“I can reverse engineer this [security patch] in five minutes,” he told Engadget, “so it’s something others can do as well.”

While Apple works on the fix, and hopefully a proper one this time around, Wardle advises users to simply download apps from the Mac App Store, or from sites that use HTTPS.

[via Engadget]