Apple's Gatekeeper Still Broken

itwbennett writes: This weekend, Apple security expert Patrick Wardle will detail a vulnerability in Apple's Gatekeeper that makes it possible to bypass the anti-malware defense. This is the same vulnerability that was disclosed last April, which Apple said it patched later. Wardle was able to easily bypass Apple's fixes. He says "all Apple did was blacklist the signed apps he was abusing, but didn't fix the underlying issue, which is that, essentially, Gatekeeper functions as a guard that doesn't check" software already on the whitelist.

Re:Doesn't matter.

[cant_get_a_good_nick]

I really never understood the anger of someone mad that someone else bought, well any item.

"you're such a _____ fanboi and you buy _____ and you suck (____'s CEO)'s dick!"

Who the hell cares. You buy what you want to buy, If you don't have a mac this doesn't affect you in the least. At least the Linux fanboi's could bitch at MS worms taking enough bandwidth to hurt Internet speeds. Apple Mac market share is small enough (through growing) to not hurt anyone not owning a Mac. This really isn't a true new worm. Anyone getting you to install a new app that partially passes gatekeeper can probably get you to install it and override gatekeeper. It's not that big of a leap.

I honestly feel bad at anyone angry at Apple selling too many computers. Do you need a cookie? Want to talk about it? Did your parents love you enough as a child?

Re:Doesn't matter.

[The-Ixian]

Yeah no kidding.

I don't personally like Apple the company. I just think they are too much about marketing hype. I was also not a fan of Steve Jobs personally.

But I still will recommend a Mac to someone when appropriate.

Computers and operating systems are tools not ideologies. Use the best tool for the job.

I won't be buying Apple products any time soon, but that is because there are tools out there that work better for me.

Working As Intended

[BitZtream]

Its working exactly as its supposed to. Its not meant to stop everything, its just a whitelisting system with some authentication built it.

Blacklisting the offending apps is exactly how this type of system works.

Anything signed by a valid cert which has been signed by Apple's cert is trusted by default. Thats what having an Apple signature on top of the publisher signature means. This also means the applications are 'tamper proof' in theory, because changing the application invalidates the sig and the code no longer is whitelisted, so no virus will work.

The system then keeps a CRL, Certificate Revocation List. This list is ... blacklisted fingerprints. That is, certs or specific apps that were not known to be compromised or malicious when Apple originally vetted them, but something became known to be compromised after that process. The CRL list means Apple can effectively change its mind about apps that it previously approved.

This is all it is intended to do, and that alone mitigates a metric fuckton of exploit cases.

Doesn't prevent apps that don't get caught in review. But you won't get more than one or two malicious apps past them before you're completely cut off from getting certs ever again. Vendors outside the AppStore will have their certs revoked when exposed in the wild.

At no point was it intended to prevent every single exploit vector ever. You're pretty ignorant of how this stuff works if you think they ever said it was the cure all to security issues.

All it does is adds a layer of control to who can run arbitrary code on your system, and by default, allows Apple to give people permission to do so. You can also use your own certs and remove the AppStore cert, effectively making it so only apps signed with your cert will run on the machine ... or in the case of some companies, the company's cert is the only thing that runs on the machine.

itwbennet == bennet haselton / dumb