Slashdot Mirror


Researcher Discloses Methods For Bypassing All OS X Security Protections

Trailrunner7 writes: For years, Apple has enjoyed a pretty good reputation among users for the security of its products. That halo has been enhanced by the addition of new security features such as Gatekeeper and XProtect to OS X recently, but one researcher said that all of those protections are simple to bypass and gaining persistence on a Mac as an attacker isn't much of a challenge at all. Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial. "Gatekeeper doesn't verify an extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper," Wardle said in a talk at the RSA Conference here Thursday. "It only verifies the app bundle. If Macs were totally secure, I wouldn't be here talking," Wardle said. "It's trivial for any attacker to bypass the security tools on Macs."
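As an added illustration of the "it only verifies the app bundle" point in the summary (example code written for this page, not Wardle's, Synack's or Apple's), here is a defender-side check that lists files inside an `.app` bundle which the bundle's resource seal (`_CodeSignature/CodeResources`) does not cover, i.e. content that was dropped into, or is loaded from, a signed bundle without being part of what was signed. It assumes the real seal format in simplified form (a `files2` dictionary keyed by `Contents/`-relative paths; `rules2` omit patterns are ignored) and builds a constructed `Demo.app` in a temporary directory so it runs offline on any OS.

```python
#!/usr/bin/env python3
"""List files in a macOS .app bundle that its resource seal does not cover.

Added example for this page, not the project's code. The CodeResources
reader is simplified (files2 keys only, rules2 ignored) and the demo
bundle below is constructed, with a fake seal rather than a real signature.
"""
import os
import plistlib
import tempfile

SEAL = os.path.join("_CodeSignature", "CodeResources")


def sealed_paths(contents_dir):
    """Paths (relative to Contents/) that the resource seal covers.

    Real seals carry a 'files2' dictionary (very old ones only 'files');
    keys are Contents-relative paths. Omit/optional rules are not applied.
    """
    with open(os.path.join(contents_dir, SEAL), "rb") as fh:
        plist = plistlib.load(fh)
    files = plist.get("files2") or plist.get("files") or {}
    return set(files)


def unsealed_files(app_path):
    """Return sorted Contents-relative paths of files not covered by the seal."""
    contents = os.path.join(app_path, "Contents")
    with open(os.path.join(contents, "Info.plist"), "rb") as fh:
        main_exe = plistlib.load(fh).get("CFBundleExecutable")
    # Info.plist and the main executable are bound by the code directory
    # rather than the resource seal; the seal file itself is skipped too.
    skip = {"Info.plist", SEAL}
    if main_exe:
        skip.add(os.path.join("MacOS", main_exe))
    sealed = sealed_paths(contents)
    found = []
    for root, _dirs, names in os.walk(contents):
        for name in names:
            rel = os.path.relpath(os.path.join(root, name), contents)
            if rel not in skip and rel not in sealed:
                found.append(rel)
    return sorted(found)


def build_demo_bundle():
    """Construct a fake Demo.app: one sealed resource plus two files that a
    seal generated at signing time never saw (constructed data)."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "Demo.app")
    contents = os.path.join(app, "Contents")
    for sub in ("MacOS", "Resources", "Frameworks", "_CodeSignature"):
        os.makedirs(os.path.join(contents, sub))
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": "Demo"}, fh)
    for rel in ("MacOS/Demo", "Resources/sealed.txt",
                "Resources/extra.txt", "Frameworks/Helper.dylib"):
        with open(os.path.join(contents, *rel.split("/")), "wb") as fh:
            fh.write(b"demo")
    seal = {"files2": {"Resources/sealed.txt": {"hash2": b"\x00" * 32}},
            "rules2": {"^Resources/": True}}
    with open(os.path.join(contents, SEAL), "wb") as fh:
        plistlib.dump(seal, fh)
    return app


if __name__ == "__main__":
    for path in unsealed_files(build_demo_bundle()):
        print("not covered by seal:", path)
```

On a real Mac this is a triage aid, not a verdict: `codesign --verify --deep --strict` remains the authoritative check, and legitimately omitted files (per `rules2`) will show up here as unsealed. The point it makes concrete is that anything the app fetches or loads at run time from outside the seal is, by construction, invisible to the bundle-level verification Gatekeeper performs.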

6 of 130 comments

  1. Good enough to criticize the mechanisms by Anonymous Coward · Score: 5, Insightful

    But can we have a demo since it is so trivial?

  2. Worse than the summary by Sowelu · Score: 5, Insightful

    The summary made it sound like "wow, if a program runs arbitrary code, then arbitrary code might run" which is kind of...tautological. But the article has other goodies, like "the security check to keep dangerous code out of the kernel...runs with user permissions", and "code signing only rejects an app if it has an untrusted signature, but lets it through if it has no signature".

  3. Re:root = same process by SuperBanana · Score: 4, Insightful

    Gatekeeper also isn't "all MacOS X security". There's separate malware detection, and in order to do much of anything the user has to enter their computer account password.

    It's a minor part of OS X security, mostly designed to keep casual users from installing stuff outside the Apple store.

  4. Seems to not understand how it works by BitZtream · Score: 1, Insightful

    This guy seems to think the fact that his computer is usable is an exploit. He doesn't mention anything that isn't just documented and known as the 'way it works'.

    Pretty much everything he talks about makes it clear he doesn't actually understand the features and how they actually work. Every comment he makes ... makes almost no practical sense. It's not technically incorrect, it's just pointless and doesn't actually mean anything from a security perspective. It's like saying "These Macs are insecure; the sky is blue," and magically the second is supposed to back up the first.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager

  5. Re:Clickbait by CauseBy · Score: 3, Insightful

    Yeah it really is stupid. Is he saying "If you let me run malicious code on your computer, then I can run malicious code on your computer"? That's what it sounds like to me.

    As far as I've ever heard, it is theoretically impossible to stop that kind of attack. If a user runs your code, then yeah, duh, your code can do whatever. I don't think that counts as a security vulnerability.

  6. Re:Clickbait by peragrin · Score: 3, Insightful

    Not quite. It is more: if you have a good, approved app, and if that app has a security flaw, you can use that flaw to hijack the OS.

    Still, it seems stupid. It is like saying if you have permission to run scripts, you can run a malicious script.

    --
    i thought once I was found, but it was only a dream.