Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Discloses Methods For Bypassing All OS X Security Protections

Posted by samzenpus on from the protect-ya-neck dept.

Trailrunner7 writes: For years, Apple has enjoyed a pretty good reputation among users for the security of its products. That halo has been enhanced by the addition of new security features such as Gatekeeper and XProtect to OS X recently, but one researcher said that all of those protections are simple to bypass and gaining persistence on a Mac as an attacker isn't much of a challenge at all. Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial. "Gatekeeper doesn't verify an extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper," Wardle said in a talk at the RSA Conference here Thursday. "It only verifies the app bundle. If Macs were totally secure, I wouldn't be here talking," Wardle said. "It's trivial for any attacker to bypass the security tools on Macs."

2 of 130 comments (clear)

  1. Re:Good enough to criticize the mechanisms by MachineShedFred · · Score: 3, Interesting

    Yeah, my thoughts exactly. And, by the way, how is it a problem with the OS if a signed app has a vulnerability you are exploiting? That sounds like a problem with the app to me.

    "Oh, I can own OS X - I just need to convince Microsoft Outlook to run arbitrary code with privilege elevation!"

    *Yawn*

    --
    Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  2. Re: Clickbait by arglebargle_xiv · · Score: 3, Interesting

    Allowing unsigned code into the app bundle changes the app bundle and makes the signature invalid. That's how signatures work. The idea here is that a legitimately signed and installed app can then execute code outside the app bundle which will run without additional controls in place.

    It depends. If you can add metadata to the bundle without it being detected (a problem that has cropped up with Linux repositories several times) then this is a genuine vuln. If OTOH it's something like "If you install a Python interpreter then you can use that to run arbitrary code that isn't validated by Gatekeeper" then it's a "Code execution results in code execution" issue. In the great tradition of journalists everywhere, the ThreatPost article never provided any links to any original material, so all we have is the writer's interpretation of what's actually going on,

    Assuming the previous reply was by the guy who gave the talk, is it online anywhere?