Oversight in GateKeeper allows for an easy bypass

Apple’s GateKeeper is a background technology in OS X that helps thwart malware. It does so by placing each app into one of three identification levels (Unsigned, Signed, and Signed with App Store distribution) and then offering options to block the execution of apps that are either unsigned or not distributed through the App Store. However, a simple workaround exists that allows malware to get past GateKeeper’s blocks and run.

In essence, once a program passes GateKeeper and is allowed to run, its activity will no longer be monitored by GateKeeper. This means that such a program may launch a second program successfully, even if the second program is not otherwise able to pass GateKeeper. If this second program is malicious, then it will run and affect the computer.

This behavior is mostly a proof of concept for now; however, as reported by Ars Technica, there are current programs (some of them developed by Apple) that launch secondary programs in this way and so can be tricked into running unsigned code even when GateKeeper is on. In its demonstration, Ars Technica used an unnamed Apple-supplied program to run a compromised secondary program, and likewise used legitimate third-party software such as Photoshop to run compromised bundled plugins.
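As an added example (not code from the article, Apple or Ars Technica), the script below applies the same policy check GateKeeper performs, via the spctl tool, to every helper, plugin and nested bundle shipped inside an app, which is exactly the material GateKeeper stops looking at once the outer app has been allowed to run. The spctl output format it parses, the bundle layout it walks and the example paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article. GateKeeper assesses only
# the bundle the user launches; helpers and plugins that bundle later spawns
# are never checked. This script runs the same policy check (spctl) on every
# nested executable so a defender can see what would have slipped through.
# Assumes macOS with spctl(8) and file(1); the parsing functions run anywhere.

# Map one `spctl --assess --verbose` result to the article's three levels
# (App Store, Signed with Developer ID, Unsigned) plus the accept/reject verdict.
classify_assessment() {
    out=$1
    case $out in
        *": accepted"*) verdict=accepted ;;
        *": rejected"*) verdict=rejected ;;
        *)              verdict=unknown ;;
    esac
    case $out in
        *"source=Mac App Store"*)       level=app-store ;;
        *"source=Developer ID"*)        level=signed ;;
        *"source=Apple System"*)        level=apple ;;
        *"source=no usable signature"*) level=unsigned ;;
        *)                              level=other ;;
    esac
    printf '%s/%s\n' "$verdict" "$level"
}

# Count lines of an assessment report (format: "verdict/level<TAB>path") whose
# verdict is anything other than "accepted". Zero means every item passed.
count_rejected() {
    printf '%s\n' "$1" | awk -F'\t' '$1 !~ /^accepted\// && NF { n++ } END { print n+0 }'
}

# Assess the outer bundle and every nested bundle, plugin and Mach-O file in it.
assess_nested() {
    bundle=$1
    {
        printf '%s\n' "$bundle"
        find "$bundle/Contents" \( -name '*.app' -o -name '*.plugin' \
             -o -name '*.bundle' -o -name '*.xpc' -o -name '*.appex' \) -prune -print \
             -o -type f -perm -u+x -print
    } | while IFS= read -r item; do
        case $(file -b "$item") in
            Mach-O*|directory) ;;   # only code and bundles are worth assessing
            *) continue ;;
        esac
        result=$(spctl --assess --type execute --verbose "$item" 2>&1)
        printf '%s\t%s\n' "$(classify_assessment "$result")" "$item"
    done
}

# Usage on macOS (hypothetical path): assess_nested /Applications/Some.app
```

Any line of the report that does not begin with `accepted/` is a component that GateKeeper would have blocked had it been launched directly but that the outer app can start unchallenged.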

Overall, Apple is aware of the vulnerability and a fix is apparently in the works, but there is no information on when it will be available. In the meantime, this exploit is primarily in the proof-of-concept phase and requires specific modification of installer files in order to work. This means that even though it overcomes Apple’s security, it still requires you to obtain compromised software from unofficial third-party software distribution sites, an act that breaks a primary rule of computer security. Provided you only get your software from the App Store or directly from developer websites, you should be safe from this problem.

2 thoughts on “Oversight in GateKeeper allows for an easy bypass”

  1. GS

    I imagine most users who get programs from 3rd party software sites either have Gatekeeper turned off or just right-click and open anyway. Drive-by downloads might be a bigger threat vector?

  2. B. Jefferson Le Blanc

    This is bad news for those who like to use torrents to get pirated versions of commercial products. They are most at risk for this exploit. Of course, we already know such people like to live dangerously, so maybe this will only increase the rush they get from downloading vulnerable software. It’s hard to feel sorry for them, though, when their systems are compromised thereby.

    This is similar to the risk people take when they jailbreak their iPhones. For this, too, sympathy is in short supply at my house.

    The exploits that target regular users are of more concern.
