New Mac Exploit Easily Bypasses Gatekeeper Security, Could Allow Installation of Malicious Apps

Apple introduced Gatekeeper in 2012, creating it as a method of protection for users against malicious threats by adding various layers of security during installation of Mac apps. The feature is intended to ensure that apps users try to install on their Macs are legitimate and signed by a registered developer, minimizing the threat of malware. But now, a security researcher has discovered a simple method of bypassing Gatekeeper using a binary file already trusted by Apple to attack a user's computer (via Ars Technica).

macbook_pro_15_imac_27
Gatekeeper is meant solely to check the initial digital certificate when an app is downloaded on a Mac, ensuring that the program has been signed by an Apple-approved developer or at least comes from the Mac App Store itself before allowing the installation to proceed.

"If the application is valid—so it was signed by a developer ID or was (downloaded) from the Mac App Store—Gatekeeper basically says 'OK, I'm going to let this run,' and then Gatekeeper essentially exits," Patrick Wardle, director of research of security firm Synack, told Ars. "It doesn't monitor what that application is doing. If that application turns around and either loads or executes other content from the same directory... Gatekeeper does not examine those files."

Even if Gatekeeper is enhanced to its highest level of security settings, the new exploit can take advantage of a computer. Once the trusted file makes its way past the security program, it can then execute a handful of other malicious programs attached with the rest of the installation and gains the ability to install malicious software such as password-stealing programs, apps that can capture audio and video from a Mac's camera, and botnet software.

The researcher who discovered the exploit sent news of it to Apple about 60 days ago and "believes they are working on a way to fix the underlying cause or at least lessen the damage it can do to end users." Since then, an Apple spokesperson has confirmed the company is working on a patch for the issue and has asked that the identities of the specific files used in the exploit not be disclosed. Wardle plans to showcase his research on the Gatekeeper exploit at the Virus Bulletin Conference on Thursday in Prague.

Popular Stories

Beyond iPhone 13 Better Blue Face ID Single Camera Hole

10 Reasons to Wait for Next Year's iPhone 17

Monday July 8, 2024 5:00 am PDT by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models simultaneously, which is why we sometimes get rumored feature leaks so far ahead of launch. The iPhone 17 series is no different – already we have some idea of what to expect from Apple's 2025 smartphone lineup. If you plan to skip...
iPhone 15 Pro Cameras

iPhone 17 Pro Max Will Be First Model to Feature Three 48MP Cameras

Thursday July 11, 2024 12:20 am PDT by
Next year's iPhone 17 Pro Max will feature an upgraded 48-megapixel Tetraprism camera for enhanced photo quality and zoom functionality, according to Apple analyst Ming-Chi Kuo. In his n-iphone-tetraprism-upgrade-ca62dd37e364">latest investor note published to Medium, Kuo said the key specification change would be a 1/2.6" 48MP CIS sensor, up from the 1/3.1" 12MP sensor expected to be used...
iOS 18 on iPhone Feature

Everything New in iOS 18 Beta 3

Monday July 8, 2024 12:54 pm PDT by
With the third betas of iOS 18 and iPadOS 18 that Apple released today, there are additional tweaks to a number of features like Dark Mode icons, the Photos app, emoji in Messages, and more, with Apple appearing to be preparing for the launch of Apple Intelligence. Apple will continue updating iOS 18‌ over the course of the next couple of months, refining the beta prior to its launch....
iPhone 17 Plus Feature

iPhone 17 'Slim': Everything We Know So Far

Friday July 5, 2024 5:13 am PDT by
In 2025, Apple is expected to discontinue the iPhone "Plus" device in its iPhone 17 lineup to make way for an iPhone "Slim" – although it may not actually be called this when it debuts in the fall of next year. Even though the iPhone 16 series launch is still over two months away, when you consider that we learned about larger displays on the iPhone 16 Pro models way back in May 2023, rumors...
Beyond iPhone 13 Better Blue Face ID

iPhone 16 Models Rumored to Have Face ID-Related Design Changes

Tuesday July 9, 2024 9:15 am PDT by
iPhone 16 models coming later this year could have some Face ID-related "design changes," supply chain publication DigiTimes said this week. The original source of this information is British newspaper The Telegraph, which six weeks ago reported that Face ID component supplier Coherent was considering selling or repurposing a manufacturing facility in Newton Aycliffe, a small town in...
AirPods Pro Beta Firmware

Apple Releases New AirPods Pro 2 Beta Firmware With Support for iOS 18 Features

Tuesday July 9, 2024 11:46 am PDT by
Apple today released a second beta firmware for the AirPods Pro 2, including both the Lightning and USB-C versions. The updated firmware has a build number 7A5244b and it is available to developers at the current time. This is the second firmware update that Apple has released since announcing new AirPods Pro 2 features in June. There are several new features that are coming to the AirPods...
iPhone 16 Pro Front Update Blue

iPhone 16 Pro Rumored to Support 40W Fast Charging and 20W MagSafe

Wednesday July 10, 2024 3:57 am PDT by
Apple's forthcoming iPhone 16 Pro and iPhone 16 Pro Max will support 40W wired fast charging and 20W MagSafe charging, claims a rumor currently swirling around China. Right now, iPhone 15 and iPhone 15 Pro models are capable of up to 27W peak charging speeds with an appropriate USB-C power adapter, while official MagSafe chargers from Apple and authorized third parties can wirelessly charge...

Top Rated Comments

Codyak Avatar
115 months ago
-Gategate
Score: 20 Votes (Like | Disagree)
cariacou Avatar
115 months ago
Your Mac has either a 14nm Samsung CPU or a 16nm TSMC CPU.

To check which one you have, please click on this link...
Score: 13 Votes (Like | Disagree)
DavidTheExpert Avatar
115 months ago
There's a very simple way to avoid malware on any computer: Don't install anything you don't trust.
Score: 6 Votes (Like | Disagree)
garylapointe Avatar
115 months ago
I tend to assume that there are ways around all forms of security protection.
But the app store has always made me feel a little safer...

Gary
Score: 4 Votes (Like | Disagree)
Lord Hamsa Avatar
115 months ago
I'm not particularly concerned about this "exploit". Anyone seeking to make use of it could just as easily put the malware directly in the developer-signed application in the first place. Why go through the extra steps of invoking additional applications when you can do it in the initial one?

The only thing that keeps the self-signed applications on the up-and-up is that the developer ID can be revoked for bad behavior - whether it's in the signed application or a bundled application called by it makes little difference if the developer is doing this intentionally.

The only real attack vector here is if an application is known to invoke "helper" executables, and someone executes a man-in-the-middle attack to create a modified distribution with the legit signed main application but with one or malware-infected helper executables, and then pass that off as a legit bundle. Possible, but limiting downloads to trusted/official sites will prevent that.
Score: 4 Votes (Like | Disagree)
JimmyHook Avatar
115 months ago
This is an old one. The "fix" is to download software from trusted sources only. Which is what you should do anyway. The guy even said it isn't a bug, it's a limitation in gatekeeper.
Score: 3 Votes (Like | Disagree)