A new Mac exploit can easily bypass Gatekeeper security to allow installation of malicious apps

Mac Gatekeeper exploit graph

Back in 2012, Apple introduced Gatekeeper to Macs, in a way to add another layer of security to the desktop platform.

Gatekeeper checks the digital certificate on an application that is installed on the machine, making sure that it has been either signed by an Apple-approved developer, or that the application being downloaded comes from the Mac App Store. It’s meant to help both novice and experienced desktop users by simplifying the process, but that process has now been worked around.

Security researcher Patrick Wardle, the Director of Research for the security firm Synack, has discovered what’s being called a “drop-dead simple” method to bypass Gatekeeper, even when it’s set to its strictest filtering. With the bypass, a malicious app can simply be installed on the desktop, where it can then execute a series of other malicious applications brought with the initial download, which can include password-stealing apps, or even apps that can capture audio and video by using the built-in hardware.

Here’s how it works:

“Wardle has found a widely available binary that’s already signed by Apple. Once executed, the file runs a separate app located in the same folder as the first one. At the request of Apple officials, he and Ars have agreed to withhold the names of the two files, and instead will refer to them only as Binary A and Binary B. His exploit works by renaming Binary A but otherwise making no other changes to it. He then packages it inside an Apple disk image. Because the renamed Binary A is a known file signed by Apple, it will immediately be approved by Gatekeeper and be executed by OS X.”

While this exploit is just recently coming into the light of the public, Wardle says that he told Apple of the issue more than 60 days ago, and that he believes the company is indeed working on a fix. Whether that fix is meant to patch up the bypass possibility altogether, or simply limit the damage it can do, is unknown at this point. However, as noted in the original report from Ars Technica, an Apple spokesperson did say that the company is working on a fix, which should be coming soon.

[via Ars Technica]