Malware Check: Apple's malware-blocking program for OS X Vulnerable

The flaw was detected on January 17 at a hackers' conference in Washington, D.C., and Apple's effort to patch the reported holes proved abortive. Patrick Wardle, a noted Mac security researcher, showed that there were at least two different ways to bypass Gatekeeper, Apple's malware-blocking program for OS X.

Gatekeeper is an anti-malware feature introduced by Apple to keep untrusted and malicious applications from gaining access on OS X systems.

By default, the security feature accepts all software that comes directly from Apple's own Mac App Store, as well as apps "signed" by developers approved by Apple, which it assumes to be safe.

The first Gatekeeper exploit sneaks malicious code in to run as "signed" software by inserting malware into the code libraries, or dylibs, that most large applications share; the second bundles malware into compressed installer packages (.dmg files) alongside signed software.

The root cause is that Gatekeeper fails to check whether an app already trusted by OS X runs or loads other files from the same folder.
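The weakness described above is that only the main, signed executable gets assessed, while other loadable code sitting in the same bundle or disk-image folder is not. The following script is an added example, not code from the article or from Apple: it walks a folder, identifies every Mach-O file by its header magic, and separates the main executable (taken here, as an assumption, to be whatever lives under `Contents/MacOS/`) from companion code such as dylibs and helper binaries, so that a defender can feed each of those files to a signature check rather than trusting the bundle as a whole. The sample bundle it builds is constructed for the demonstration and contains only fake headers.

```python
"""
Added example (not from the article): enumerate every Mach-O file under a
folder such as an .app bundle or a mounted .dmg, and flag loadable code that
is not the main executable, since that is exactly what a check of the main
binary alone would miss.
"""
import os
import tempfile

# Mach-O magic numbers: thin 32-bit, thin 64-bit and fat/universal headers,
# each in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC and byte-swapped form
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 and byte-swapped form
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",   # FAT_MAGIC and byte-swapped form
}

# Assumption for this example: the main executable of a bundle lives under
# Contents/MacOS/. (A real checker would read CFBundleExecutable from Info.plist.)
MAIN_EXECUTABLE_DIR = "Contents/MacOS/"


def is_macho(path):
    """Return True if the file begins with a Mach-O or fat header."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_loadable_code(root):
    """Return sorted, slash-separated relative paths of every Mach-O file under root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):        # do not follow links out of the bundle
                continue
            if is_macho(full):
                found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(found)


def companion_code(root):
    """Mach-O files that are NOT a bundle's main executable: dylibs, helpers, plug-ins."""
    return [p for p in find_loadable_code(root) if MAIN_EXECUTABLE_DIR not in p]


def build_sample_folder(base):
    """Construct a fake disk-image folder with a bundle, a dylib and non-code files."""
    fake_macho64 = b"\xcf\xfa\xed\xfe" + b"\x00" * 28    # constructed: little-endian 64-bit header
    fake_png = b"\x89PNG\r\n\x1a\n"                       # constructed: PNG signature, not code
    layout = {
        "Example.app/Contents/MacOS/Example": fake_macho64,
        "Example.app/Contents/Frameworks/libhelper.dylib": fake_macho64,
        "Example.app/Contents/Resources/icon.png": fake_png,
        "README.txt": b"constructed sample, not a real application\n",
    }
    for rel, data in layout.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return base


if __name__ == "__main__":
    sample = build_sample_folder(tempfile.mkdtemp())
    print("all loadable code:", find_loadable_code(sample))
    print("companion code to verify separately:", companion_code(sample))
```

On a real OS X system the paths returned by `companion_code` are the ones to pass individually to `codesign --verify --strict`, or to cover in one go with `codesign --verify --deep --strict` on the bundle, in addition to the `spctl --assess --type execute` verdict on the main app; the script only inventories what exists, it does not judge signatures.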

However, the company's attempt to patch the vulnerability by adding verification of dylibs to block the first exploit was too narrow to contain the flaw, and the second patch could be bypassed by replicating the blocked tool.

The bottom line is that Gatekeeper still doesn't block every piece of unsigned software; only the most obvious cases are blocked.