New Mac Exploit Easily Bypasses Gatekeeper Security, Could Allow Installation of Malicious Apps

Apple introduced Gatekeeper in 2012 to protect users against malicious threats by adding various layers of security during the installation of Mac apps. The feature is intended to ensure that apps users try to install on their Macs are legitimate and signed by a registered developer, minimizing the threat of malware. But now a security researcher has discovered a simple method of bypassing Gatekeeper that uses a binary file already trusted by Apple to attack a user's computer (via Ars Technica).

Gatekeeper is meant solely to check the initial digital certificate when an app is downloaded on a Mac, ensuring that the program has been signed by an Apple-approved developer or at least comes from the Mac App Store itself before allowing the installation to proceed.

"If the application is valid—so it was signed by a developer ID or was (downloaded) from the Mac App Store—Gatekeeper basically says 'OK, I'm going to let this run,' and then Gatekeeper essentially exits," Patrick Wardle, director of research of security firm Synack, told Ars. "It doesn't monitor what that application is doing. If that application turns around and either loads or executes other content from the same directory... Gatekeeper does not examine those files."

Even with Gatekeeper set to its highest security level, the new exploit can still compromise a computer. Once the trusted file makes its way past Gatekeeper, it can execute a handful of other malicious programs bundled with the rest of the installation, gaining the ability to install malicious software such as password-stealing programs, apps that can capture audio and video from a Mac's camera, and botnet software.
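A defender's check for the gap Wardle describes, as an added example that is not from the article or from his research: given the app a user is about to open, it lists the other code shipped in the same directory (including hidden folders) that Gatekeeper's check of the opened app would not cover, and on macOS asks codesign to verify each item. The function names are hypothetical; codesign is the standard macOS signing tool, and the status is None on systems without it.

```python
import os
import shutil
import subprocess

# First four bytes of Mach-O and universal binaries as they appear on disk.
# (Java class files share ca fe ba be, so treat hits as "needs a look".)
MACHO_MAGICS = {bytes.fromhex(h) for h in
                ("feedface", "cefaedfe", "feedfacf", "cffaedfe", "cafebabe")}

def is_macho(path):
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False

def unvetted_siblings(launched_app):
    """List code that ships beside launched_app but outside its bundle:
    other .app bundles and loose Mach-O files, hidden folders included."""
    launched_app = os.path.abspath(launched_app)
    found = []
    for dirpath, dirnames, filenames in os.walk(os.path.dirname(launched_app)):
        for d in list(dirnames):
            full = os.path.join(dirpath, d)
            if full == launched_app:
                dirnames.remove(d)        # the bundle the user opened
            elif d.endswith(".app"):
                found.append(full)        # a second bundle: report it whole
                dirnames.remove(d)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full) and is_macho(full):
                found.append(full)
    return sorted(found)

def signature_ok(path):
    """True/False from `codesign --verify`; None where codesign is absent."""
    if shutil.which("codesign") is None:
        return None
    result = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                            capture_output=True)
    return result.returncode == 0

def audit(launched_app):
    """Map every sibling code item to its signature status for review."""
    return {path: signature_ok(path) for path in unvetted_siblings(launched_app)}
```

Call audit() with the path of the app inside a mounted disk image or extracted archive; any entry whose status is not True is code that would run without having been vetted.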

The researcher who discovered the exploit sent news of it to Apple about 60 days ago and "believes they are working on a way to fix the underlying cause or at least lessen the damage it can do to end users." Since then, an Apple spokesperson has confirmed the company is working on a patch for the issue and has asked that the identities of the specific files used in the exploit not be disclosed. Wardle plans to showcase his research on the Gatekeeper exploit at the Virus Bulletin Conference on Thursday in Prague.

Top Rated Comments

Codyak
81 months ago
-Gategate
Score: 20 Votes
cariacou
81 months ago
Your Mac has either a 14nm Samsung CPU or a 16nm TSMC CPU.

To check which one you have, please click on this link...
Score: 13 Votes
DavidTheExpert
81 months ago
There's a very simple way to avoid malware on any computer: Don't install anything you don't trust.
Score: 6 Votes
garylapointe
81 months ago
I tend to assume that there are ways around all forms of security protection.
But the app store has always made me feel a little safer...

Gary
Score: 4 Votes
Lord Hamsa
81 months ago
I'm not particularly concerned about this "exploit". Anyone seeking to make use of it could just as easily put the malware directly in the developer-signed application in the first place. Why go through the extra steps of invoking additional applications when you can do it in the initial one?

The only thing that keeps the self-signed applications on the up-and-up is that the developer ID can be revoked for bad behavior - whether it's in the signed application or a bundled application called by it makes little difference if the developer is doing this intentionally.

The only real attack vector here is if an application is known to invoke "helper" executables, and someone executes a man-in-the-middle attack to create a modified distribution with the legit signed main application but with one or more malware-infected helper executables, and then pass that off as a legit bundle. Possible, but limiting downloads to trusted/official sites will prevent that.
Score: 4 Votes
JimmyHook
81 months ago
This is an old one. The "fix" is to download software from trusted sources only. Which is what you should do anyway. The guy even said it isn't a bug, it's a limitation in Gatekeeper.
Score: 3 Votes
