Apple OS X Gatekeeper - When a Good App Goes Rogue

Apple’s OS X Gatekeeper provides attackers with an easy way to deploy
malicious software

by Kowsik Guruswamy, CTO, Menlo Security

Apple is known for delivering safe platforms that are protected from sophisticated attacks, but
recently a flaw was discovered in its OS X operating system that gives attackers an opportunity
to install malicious code.

The exploit takes advantage of a flaw in OS X's "Gatekeeper" feature, which is meant to check that
software being installed on an Apple Mac is trusted enough to be allowed to run.

Ironically, Gatekeeper was designed to stop Trojan horse-style malware, but it only analyzes
applications at install time, not at any point afterwards.

To exploit Gatekeeper, an attacker simply needs a "trusted" (Apple-signed) file and then tricks OS
X into running a malicious file that is stored in the same folder as that trusted Apple file.
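As an added defender-side illustration (not code from the article), the following Python script scans a download folder for Mach-O executables that carry no embedded code signature, which is exactly the kind of unsigned companion file Gatekeeper does not inspect when it sits beside a signed app. The Mach-O samples and the folder layout are constructed inside the script; on a real Mac you would point `unsigned_mach_o_files` at the extracted download instead.

```python
import os, struct, tempfile

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin 32/64-bit Mach-O magics (little-endian)
LC_CODE_SIGNATURE = 0x1D                        # load command that locates the signature blob

def has_code_signature(data: bytes):
    """True/False for a thin Mach-O image; None if not Mach-O (fat 0xCAFEBABE images are
    also None: split them with lipo and check each slice separately)."""
    magic = struct.unpack_from("<I", data, 0)[0] if len(data) >= 28 else 0
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        return None
    off = 32 if magic == MH_MAGIC_64 else 28      # 64-bit header has one extra reserved word
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = min(len(data), off + sizeofcmds)
    for _ in range(ncmds):
        if off + 8 > end:
            break
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_CODE_SIGNATURE:
            return True
        off += max(cmdsize, 8)                    # a malformed cmdsize of 0 must not loop forever
    return False

def unsigned_mach_o_files(folder: str) -> list:
    """Relative paths of every thin Mach-O under folder that has no embedded signature."""
    flagged = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)           # header and load commands sit at the front
            if has_code_signature(data) is False:
                flagged.append(os.path.relpath(path, folder))
    return sorted(flagged)

def build_macho(signed: bool) -> bytes:
    """Constructed minimal x86_64 Mach-O header (not a runnable binary) for the demo."""
    cmds = struct.pack("<II", 0x19, 16) + b"\0" * 8                         # LC_SEGMENT_64 stand-in
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x1000, 0x200)  # dataoff, datasize
    return struct.pack("<IIIIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 2 if signed else 1, len(cmds), 0, 0) + cmds

def demo_scan() -> list:
    """Constructed download folder: a signed app binary beside an unsigned helper binary."""
    folder = tempfile.mkdtemp()
    os.makedirs(os.path.join(folder, "Trusted.app", "Contents", "MacOS"))
    for rel, signed in (("Trusted.app/Contents/MacOS/Trusted", True), ("helper", False)):
        with open(os.path.join(folder, rel), "wb") as fh:
            fh.write(build_macho(signed))
    return unsigned_mach_o_files(folder)
```

Presence of an LC_CODE_SIGNATURE command only shows a signature exists; validating it against Apple's chain still requires `codesign --verify` on the Mac itself.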

This is a classic case of bait-and-switch, where the app starts by offering something good to the
user and then turns malicious once the flaw is exploited.

We've seen this behavior in a number of other places, including several productivity apps from the
Chrome store, Google Play games that quickly gained popularity and then began serving malware, and
ad-blocking Chrome extensions that were eventually purchased by a larger company so that it could
serve ads of its own.

According to Ars Technica, the crux of the problem is this: "The Gatekeeper's sole function is to
check the digital certificate of a downloaded app before it's installed, to see if it's signed by an
Apple-recognized developer or originated from the official Apple App Store.

It was never set up to prevent apps already trusted by OS X from running in unintended or
malicious ways, as the proof-of-concept exploit the researcher developed does."

Once Web code or content of any kind reaches the endpoint, it's game over.

Further, the Gatekeeper bypass is significantly more severe than the recent XcodeGhost attack: in
XcodeGhost, hackers trojanized the Xcode development toolchain and placed it on a server in China
for "faster downloads," whereas this Gatekeeper bypass relies on an Apple-signed package downloaded
from the Apple Store.

And users tend to trust such packages somewhat blindly, which is a mistake in itself.

Apple is still working on a patch to protect users from the vulnerability, which was discovered by
security researcher Patrick Wardle of Synack.

The broader implication of the vulnerability is the importance of not relying solely on static
analysis, which is only a moment-in-time snapshot check of good versus bad.


36 Cyber Warnings E-Magazine – October 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide