Pixel Envy

Written by Nick Heer.

The New Way of Bypassing Gatekeeper: The Same as the Old Way

Hey, remember that crazy simple Gatekeeper exploit from September?

The hack uses a binary file already trusted by Apple to pass through Gatekeeper. Once the Apple-trusted file is on the other side, it executes one or more malicious files that are included in the same folder. The bundled files can install a variety of nefarious programs, including password loggers, apps that capture audio and video, and botnet software. […]

“If the application is valid — so it was signed by a developer ID or was (downloaded) from the Mac App Store — Gatekeeper basically says ‘OK, I’m going to let this run,’ and then Gatekeeper essentially exits,” Wardle told Ars. “It doesn’t monitor what that application is doing. If that application turns around and either loads or executes other content from the same directory… Gatekeeper does not examine those files.”

Apple said that they patched the problem after it was discovered, but they did a lousy job. Dan Goodin, Ars Technica:

Patrick Wardle said the security fix consisted of blacklisting a small number of known files he privately reported to Apple that could be repackaged to install malicious software on Macs, even when Gatekeeper is set to its most restrictive setting. Wardle was able to revive his attack with little effort by finding a new Apple trusted file that hadn’t been blocked by the Apple update. In other words, it was precisely the same attack as before, except it used a new, previously unblocked Apple-trusted file.

“Your vault is really insecure with all of those wide open windows. Let me show you by pointing to this one right here.”

“Okay, we’ve closed that one. Job done.”