On the heels of the Xcode Ghost comes another Apple vulnerability. This time it's in the Apple OS X Gatekeeper, which was designed to combat various forms of malware. Security researcher Patrick Wardle from Synack found that the security feature can be bypassed using a simple trick involving the use of a signed binary. Apple seems to be working on a patch, but right now, systems are still vulnerable. Here's my POV.
This is a classic case of bait-and-switch where the app starts off offering something good to the user and then goes bad. We've seen this behavior in a number of other places:
- Productivity apps from the Chrome store started off good, but then turned bad
- Google Play had games that got popular and then started serving malware
- Chrome extensions that blocked ads were eventually purchased by a larger company in order to allow their own ads and/or to inject malware
Dan Goodin of Ars Technica writes, “The hack uses a binary file already trusted by Apple to pass through Gatekeeper. Once the Apple-trusted file is on the other side, it executes one or more malicious files that are included in the same folder. The bundled files can install a variety of nefarious programs, including password loggers, apps that capture audio and video, and botnet software.”
The crux of the problem is this: "The Gatekeeper's sole function is to check the digital certificate of a downloaded app before it's installed, to see if it's signed by an Apple-recognized developer or originated from the official Apple App Store. It was never set up to prevent apps already trusted by OS X from running in unintended or malicious ways, as the proof-of-concept exploit the researcher developed does."
Once code or content of any kind from the Web reaches the endpoint, it's game over. Further, the Gatekeeper bypass is significantly more severe than the recent Xcode Ghost because of this: unlike Xcode Ghost where hackers trojanized the Xcode development toolchain and placed it on a server in China for "faster downloads," this bypass vulnerability is an Apple-signed package downloaded from the Apple Store. And users tend to trust this somewhat blindly.
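To make the scope problem concrete, here is a small added illustration (my own toy model, not code from the article, from Apple, or from the researcher). Signing is simulated with an HMAC over the file bytes under a constructed developer key, standing in for an Apple-issued certificate. The naive check verifies only the downloaded entry binary, which is the behaviour the quoted passage describes; the hardened check walks the same folder and requires every executable in it to verify, so an unsigned helper dropped beside a trusted binary is flagged before anything runs. File names, key material and the bundle layout are all constructed for the example.

```python
"""Toy model of entry-only vs. whole-folder signature verification.

Assumptions (not from the article): signing is an HMAC-SHA256 under a
constructed key, and a file is "signed" when a sibling <name>.sig holds a
valid tag. Real Gatekeeper checks certificate chains, not HMACs.
"""
import hashlib
import hmac
import os
import stat
import tempfile

# Constructed key; stands in for a trusted developer signing identity.
DEVELOPER_KEY = b"constructed-developer-key"


def sign(data: bytes) -> str:
    """Produce the simulated signature tag for a file's bytes."""
    return hmac.new(DEVELOPER_KEY, data, hashlib.sha256).hexdigest()


def write_executable(path: str, data: bytes, signed: bool) -> None:
    """Write an executable file and, optionally, its sidecar signature."""
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, 0o755)
    if signed:
        with open(path + ".sig", "w") as f:
            f.write(sign(data))


def is_signed(path: str) -> bool:
    """True only if a .sig sidecar exists and verifies against the bytes."""
    try:
        with open(path, "rb") as f:
            data = f.read()
        with open(path + ".sig") as f:
            tag = f.read().strip()
    except FileNotFoundError:
        return False
    return hmac.compare_digest(tag, sign(data))


def entry_only_check(folder: str, entry: str) -> bool:
    """Naive policy: the folder is trusted if the launched binary verifies."""
    return is_signed(os.path.join(folder, entry))


def whole_folder_check(folder: str) -> list:
    """Hardened policy: return every executable in the folder that does not
    verify. An empty list means the whole folder passed."""
    unsigned = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if name.endswith(".sig"):
                continue
            p = os.path.join(root, name)
            if os.stat(p).st_mode & stat.S_IXUSR and not is_signed(p):
                unsigned.append(os.path.relpath(p, folder))
    return sorted(unsigned)


def build_sample_bundle() -> str:
    """Constructed bundle: one signed entry binary plus one unsigned helper
    in the same folder, mirroring the layout the article describes."""
    folder = tempfile.mkdtemp(prefix="bundle-")
    write_executable(os.path.join(folder, "TrustedApp"),
                     b"#!/bin/sh\necho trusted\n", signed=True)
    write_executable(os.path.join(folder, "helper"),
                     b"#!/bin/sh\necho untrusted helper\n", signed=False)
    return folder


if __name__ == "__main__":
    bundle = build_sample_bundle()
    print("entry-only check passes:", entry_only_check(bundle, "TrustedApp"))
    print("unsigned executables found:", whole_folder_check(bundle))
```

The point the model makes is about scope, not cryptography: both policies use the same signature check, but only the second asks the question that matters once the trusted binary can launch its neighbours. On a real Mac the equivalent of the second loop is verifying every executable in a downloaded bundle, not just the one the user double-clicks.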
The broader implications highlight the importance of not relying solely on static analysis, which is a moment-in-time snapshot check of good vs. bad. Even on the Web we see sites like Forbes and Huffington Post categorized as good until one day they turn around and serve malware to unsuspecting users. As much as it's against the grain, users would be better off limiting the number of apps they run on their devices, especially ones from sources that are not trusted.
This originally appeared in the October 2015 edition of Cyber Defense Magazine.