New Mac Exploit Easily Bypasses Gatekeeper Security, Could Allow Installation of Malicious Apps

Apple introduced Gatekeeper in 2012, creating it as a method of protection for users against malicious threats by adding various layers of security during installation of Mac apps. The feature is intended to ensure that apps users try to install on their Macs are legitimate and signed by a registered developer, minimizing the threat of malware. But now, a security researcher has discovered a simple method of bypassing Gatekeeper using a binary file already trusted by Apple to attack a user's computer (via Ars Technica).

macbook_pro_15_imac_27
Gatekeeper is meant solely to check the initial digital certificate when an app is downloaded on a Mac, ensuring that the program has been signed by an Apple-approved developer or at least comes from the Mac App Store itself before allowing the installation to proceed.

"If the application is valid—so it was signed by a developer ID or was (downloaded) from the Mac App Store—Gatekeeper basically says 'OK, I'm going to let this run,' and then Gatekeeper essentially exits," Patrick Wardle, director of research of security firm Synack, told Ars. "It doesn't monitor what that application is doing. If that application turns around and either loads or executes other content from the same directory... Gatekeeper does not examine those files."

Even if Gatekeeper is enhanced to its highest level of security settings, the new exploit can take advantage of a computer. Once the trusted file makes its way past the security program, it can then execute a handful of other malicious programs attached with the rest of the installation and gains the ability to install malicious software such as password-stealing programs, apps that can capture audio and video from a Mac's camera, and botnet software.

The researcher who discovered the exploit sent news of it to Apple about 60 days ago and "believes they are working on a way to fix the underlying cause or at least lessen the damage it can do to end users." Since then, an Apple spokesperson has confirmed the company is working on a patch for the issue and has asked that the identities of the specific files used in the exploit not be disclosed. Wardle plans to showcase his research on the Gatekeeper exploit at the Virus Bulletin Conference on Thursday in Prague.

Top Rated Comments

Codyak Avatar
87 months ago
-Gategate
Score: 20 Votes (Like | Disagree)
cariacou Avatar
87 months ago
Your Mac has either a 14nm Samsung CPU or a 16nm TSMC CPU.

To check which one you have, please click on this link...
Score: 13 Votes (Like | Disagree)
DavidTheExpert Avatar
87 months ago
There's a very simple way to avoid malware on any computer: Don't install anything you don't trust.
Score: 6 Votes (Like | Disagree)
garylapointe Avatar
87 months ago
I tend to assume that there are ways around all forms of security protection.
But the app store has always made me feel a little safer...

Gary
Score: 4 Votes (Like | Disagree)
Lord Hamsa Avatar
87 months ago
I'm not particularly concerned about this "exploit". Anyone seeking to make use of it could just as easily put the malware directly in the developer-signed application in the first place. Why go through the extra steps of invoking additional applications when you can do it in the initial one?

The only thing that keeps the self-signed applications on the up-and-up is that the developer ID can be revoked for bad behavior - whether it's in the signed application or a bundled application called by it makes little difference if the developer is doing this intentionally.

The only real attack vector here is if an application is known to invoke "helper" executables, and someone executes a man-in-the-middle attack to create a modified distribution with the legit signed main application but with one or malware-infected helper executables, and then pass that off as a legit bundle. Possible, but limiting downloads to trusted/official sites will prevent that.
Score: 4 Votes (Like | Disagree)
JimmyHook Avatar
87 months ago
This is an old one. The "fix" is to download software from trusted sources only. Which is what you should do anyway. The guy even said it isn't a bug, it's a limitation in gatekeeper.
Score: 3 Votes (Like | Disagree)

Popular Stories

apple ar headset concept 1

Apple's Headset Said to Feature 14 Cameras Enabling Lifelike Avatars, Jony Ive Has Remained Involved With Design

Friday May 20, 2022 6:50 am PDT by
Earlier this week, The Information's Wayne Ma outlined struggles that Apple has faced during the development of its long-rumored AR/VR headset. Now, in a follow-up report, he has shared several additional details about the wearable device. Apple headset render created by Ian Zelbo based on The Information reporting For starters, one of the headset's marquee features is said to be lifelike...
iPhone 14 Purple Lineup Feature

Will the iPhone 14 Be a Disappointment?

Saturday May 21, 2022 9:00 am PDT by
With around four months to go before Apple is expected to unveil the iPhone 14 lineup, the overwhelming majority of rumors related to the new devices so far have focused on the iPhone 14 Pro, rather than the standard iPhone 14 – leading to questions about how different the iPhone 14 will actually be from its predecessor, the iPhone 13. The iPhone 14 Pro and iPhone 14 Pro Max are expected...
sony headphones 1

Sony's New WH-1000XM5 Headphones vs. Apple's AirPods Max

Friday May 20, 2022 12:18 pm PDT by
Sony this week came out with an updated version of its popular over-ear noise canceling headphones, so we picked up a pair to compare them to the AirPods Max to see which headphones are better and whether it's worth buying the $400 WH-1000XM5 from Sony over Apple's $549 AirPods Max. Subscribe to the MacRumors YouTube channel for more videos. First of all, the AirPods Max win out when it comes ...
studio display 3

Apple's Rumored 27-Inch Mini-LED Display Now Said to Launch in October

Friday May 20, 2022 8:07 am PDT by
Apple now plans to release a new 27-inch display with mini-LED backlighting in October due to the Shanghai lockdown, which has resulted in production of the display being delayed, according to display industry consultant Ross Young. In a tweet, Young said Apple is in the process of moving production of the display from Quanta Computer to a different supplier and/or location, resulting in a...
HomePodandMini feature green

Kuo: Apple to Release New HomePod in Late 2022 or Early 2023

Friday May 20, 2022 8:55 am PDT by
Apple is working on an updated version of the HomePod that could come in the fourth quarter of 2022 or the first quarter of 2023, according to Apple analyst Ming-Chi Kuo. Kuo says that there "may not be much innovation in hardware design" for the new HomePod, and there is no word on what size the device will be and if it will be a HomePod mini successor or a larger speaker. Apple would ...
airtag purple

Best Apple Deals of the Week: Save on AirTag, AirPods 3, and iPads

Friday May 20, 2022 8:01 am PDT by
Solid markdowns on the AirTag, AirPods 3, and a few iPad models were introduced this week, and below you'll find all of the best deals of the past few days that are still available to purchase. AirTag Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running. What's the...