Slashdot Mirror


Apple's Gatekeeper Still Broken (csoonline.com)

itwbennett writes: This weekend, Apple security expert Patrick Wardle will detail a vulnerability in Apple's Gatekeeper that makes it possible to bypass the anti-malware defense. This is the same vulnerability that was disclosed last April, which Apple said it patched later. Wardle was able to easily bypass Apple's fixes. He says "all Apple did was blacklist the signed apps he was abusing, but didn't fix the underlying issue, which is that, essentially, Gatekeeper functions as a guard that doesn't check" software already on the whitelist.

4 of 80 comments

  1. Re:Apple is New to Reacting to Security Threats by LichtSpektren · · Score: 4, Informative

    Apple is new to reacting effectively to security. Microsoft gets beat up about security, but they have learned to attempt to react better. May not be perfect.

    I know so many Apple people that think Apple is immune to security issues. I seriously wonder if we will see a day when Apple is hit with the same type of security questions that have plagued Microsoft over the years.

    Windows spent almost two decades with admin privileges by default 24/7, no mandatory access control, installations that could occur silently and without user input, core system updates through the web browser, whilst also being the only real desktop PC operating system (i.e. it was the most lucrative target for malware authors). It's actually sort of miraculous that the security ecosystem wasn't in even worse shape than it was.

    By contrast, OS X's origins in unix give it a fairly safe grounding. The keyring and SIP in El Capitan also seem to be quite robust. And Apple users are more trusting of automatic security updates compared to Windows users (Microsoft poisoned that well when they started pushing shitty drivers and malware through their updates).

  2. Re:Doesn't matter. by Mattintosh · · Score: 2, Informative

    Windows is far superior to Mac OS X. So is Linux.

    Having been a user of all three, and a developer on all three, systems for many years, I actually know what I'm talking about.

    I would readily recommend Windows workstations and, for some tasks, servers. I would readily recommend Linux for servers. I have written software for both. I would not recommend Macs for anything, as the hardware is unimpressive and not different from anything any other PC manufacturer makes, and the software is stifling and foam-padded so as not to be "unfriendly". Personally, I find that exact quality to be rather unfriendly in and of itself.

    So if you need a Fisher-Price computer, and you feel you need to pay double the market rate for it, by all means, buy an Apple. And don't be too sad when your "new" computer is poorly supported, gets cut off from necessary updates, and bogs down under the "burden" of minor software updates over the course of the next two years. Everyone who has ever bought a Mac certainly understands your pain.

    I used to be a fanboi like you, and if you don't believe me, check my username.

  3. Working As Intended by BitZtream · · Score: 5, Informative

    It's working exactly as it's supposed to. It's not meant to stop everything; it's just a whitelisting system with some authentication built in.

    Blacklisting the offending apps is exactly how this type of system works.

    Anything signed by a valid cert which has been signed by Apple's cert is trusted by default. That's what having an Apple signature on top of the publisher signature means. This also means the applications are 'tamper proof' in theory, because changing the application invalidates the sig and the code no longer is whitelisted, so no virus will work.

    The system then keeps a CRL, Certificate Revocation List. This list is ... blacklisted fingerprints. That is, certs or specific apps that were not known to be compromised or malicious when Apple originally vetted them, but something became known to be compromised after that process. The CRL list means Apple can effectively change its mind about apps that it previously approved.

    This is all it is intended to do, and that alone mitigates a metric fuckton of exploit cases.

    Doesn't prevent apps that don't get caught in review. But you won't get more than one or two malicious apps past them before you're completely cut off from getting certs ever again. Vendors outside the AppStore will have their certs revoked when exposed in the wild.

    At no point was it intended to prevent every single exploit vector ever. You're pretty ignorant of how this stuff works if you think they ever said it was the cure all to security issues.

    All it does is add a layer of control to who can run arbitrary code on your system, and by default, allows Apple to give people permission to do so. You can also use your own certs and remove the AppStore cert, effectively making it so only apps signed with your cert will run on the machine ... or in the case of some companies, the company's cert is the only thing that runs on the machine.

    itwbennet == bennet haselton / dumb

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
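The trust chain BitZtream describes above (a publisher certificate signed by Apple's root, a signature that stops verifying once the bundle is changed, and a revocation list that lets Apple withdraw trust after the fact) as an added, runnable toy model in Go. This is example code written for this page, not Apple's or Gatekeeper's implementation: the root CA, the "Developer ID" certificate, the app contents and the `Gatekeeper`/`App` types are all constructed here, and a real bundle signature covers far more than one SHA-256 of a single file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// App is a stand-in for a signed bundle: the developer signs a digest of
// the contents with the key in Cert, and Cert must chain up to the root.
type App struct {
	Name     string
	Contents []byte
	Sig      []byte            // ed25519 signature over sha256(Contents)
	Cert     *x509.Certificate // developer certificate (nil = unsigned)
}

// Gatekeeper holds the trusted root(s) plus a fingerprint blacklist that
// plays the role of the revocation list in the comment above.
type Gatekeeper struct {
	roots   *x509.CertPool
	revoked map[string]bool
}

func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Revoke blacklists a certificate that was trusted when it was issued.
func (g *Gatekeeper) Revoke(c *x509.Certificate) { g.revoked[fingerprint(c)] = true }

// Assess returns nil when the app may run: it must carry a certificate that
// is not revoked, that chains to a trusted root with a code-signing EKU, and
// whose key verifies the signature over the contents as they are now.
func (g *Gatekeeper) Assess(a *App) error {
	if a.Cert == nil {
		return fmt.Errorf("%s: unsigned", a.Name)
	}
	if g.revoked[fingerprint(a.Cert)] {
		return fmt.Errorf("%s: signing certificate revoked", a.Name)
	}
	opts := x509.VerifyOptions{Roots: g.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := a.Cert.Verify(opts); err != nil {
		return fmt.Errorf("%s: chain not trusted: %w", a.Name, err)
	}
	pub, ok := a.Cert.PublicKey.(ed25519.PublicKey)
	if !ok {
		return fmt.Errorf("%s: unexpected key type", a.Name)
	}
	digest := sha256.Sum256(a.Contents)
	if !ed25519.Verify(pub, digest[:], a.Sig) {
		return fmt.Errorf("%s: signature does not match contents (tampered?)", a.Name)
	}
	return nil
}

// issue signs tmpl with signer; passing parent == tmpl yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo builds the constructed PKI and reports whether each scenario is allowed
// to run: the genuine signed app, a tampered copy of it, an unsigned app, and
// the genuine app again after its developer certificate has been revoked.
func Demo() (genuine, tampered, unsigned, afterRevoke bool, err error) {
	now := time.Now()
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy Root CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root, err := issue(rootTmpl, rootTmpl, rootPub, rootPriv)
	if err != nil {
		return
	}
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	devTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Developer ID (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	dev, err := issue(devTmpl, root, devPub, rootPriv)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	gk := &Gatekeeper{roots: roots, revoked: map[string]bool{}}

	contents := []byte("#!/bin/sh\necho hello\n") // constructed stand-in for an app
	digest := sha256.Sum256(contents)
	app := &App{Name: "Good.app", Contents: contents, Sig: ed25519.Sign(devPriv, digest[:]), Cert: dev}
	genuine = gk.Assess(app) == nil

	// Same signature and certificate, modified contents: the signature no longer verifies.
	evil := &App{Name: "Good.app (modified)", Contents: append([]byte(nil), contents...), Sig: app.Sig, Cert: dev}
	evil.Contents = append(evil.Contents, []byte("echo backdoor\n")...)
	tampered = gk.Assess(evil) == nil

	unsigned = gk.Assess(&App{Name: "Unsigned.app", Contents: contents}) == nil

	// Apple "changes its mind": revoking the developer cert blocks the genuine app too.
	gk.Revoke(dev)
	afterRevoke = gk.Assess(app) == nil
	return
}

func main() {
	g, t, u, r, err := Demo()
	fmt.Println("genuine:", g, "tampered:", t, "unsigned:", u, "after revoke:", r, "err:", err)
}
```

`go run` prints the four verdicts as true, false, false, false. Note what `Assess` does not do: it only judges the artifact handed to it, which is the limitation the story summary's quote is pointing at.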

  4. Re: Doesn't matter. by Rosyna · · Score: 1, Informative

    Have you never used a Mac? To change the default application for a camera, set it in Image Capture.app.

    And, of course, idiots that think they know better can disable rootless. For those that know better, they install Perl or Ruby from source in a place such as /usr/local/, which is designed for such installations and doesn't require disabling rootless.