It was only last year when a noted Mac security researcher showed everyone that there were at least two different ways to bypass Gatekeeper, Apple's malware-blocking program for OS X.
At the ShmooCon hacker conference in Washington D.C. last 17 January, the same researcher said that even though Apple patched those holes, it didn't fix the overall problem, and Gatekeeper still doesn't do a good job of blocking malware.
"Apple wants you to think Macs never get malware, never get infected, and if they could, there's a tool called Gatekeeper," said Patrick Wardle, director of research at Redwood City, California-based security firm Synack. "But the truth is, Gatekeeper only protects you from very lame attacks."
To prove it, Wardle showed how he infected a Mac using a corrupted installer file for a piece of well-known antivirus software. He also revealed a new tool he'd created, called Ostiarius, which he said actually does what Gatekeeper was meant to do.
Gatekeeper separates software downloaded from the Internet into three categories. The first is software directly from Apple's own Mac App Store, which is assumed to be safe. The second category is software that has been digitally "signed" by developers approved by Apple, and is assumed to be almost as safe. The third is everything else, which is deemed unsafe.
By default, Gatekeeper accepts and runs software from the first two categories, while blocking the third. Paranoid users can dial up Gatekeeper's settings to allow only the first category; others can throw caution to the wind and allow all three. Wardle's work for the past year has shown that malware can still be installed even if Gatekeeper is set to block the dangerous third category.
Both of Wardle's two 2015 Gatekeeper exploits snuck in malicious code to run with signed software. One exploit inserted malware into the code libraries, or dylibs, that most large applications share; the other bundled malware into compressed installer packages (.dmg files) for signed software.
Apple's fixes for both flaws were too narrow, Wardle said. The company added verification of dylibs to block the first exploit. In the second case, Apple blocked the software-development tool that Wardle had used to add malware to the installer file. Neither fixed the overall problem that Gatekeeper did not (and still does not, according to Wardle) block all unsigned code downloaded from the Internet.
Wardle guessed that Apple's patch for his second exploit could be bypassed if he simply found another tool to replicate what the blocked tool did. It took about an hour to find one online. He substituted it for the older tool, and his infected-installer exploit worked again.
At ShmooCon, Wardle played a video clip in which he used that reworked exploit, and a corrupted installer file for Kaspersky Internet Security for Mac, to infect a fully patched and updated Mac running the latest version of OS X.
The Kaspersky software itself wasn't malicious or corrupted. But like most major antivirus-software vendors, Wardle said, Kaspersky Lab doesn't transmit its software over the Web using secure connections. That made it easy for Wardle to stage a man-in-the-middle attack on one of his own computers.
Using a second computer, he captured the transmission of the clean download from Kaspersky's servers, added malware to the installation package, and then sent the download on its way to the target Mac. (In a real attack, neither the software maker nor the end user would have been aware of the compromise.)
The overall problem, Wardle said, was that Gatekeeper still doesn't block every piece of unsigned software downloaded from the Internet. It blocks only the most obvious ones.
"Apple has not fixed the systemic issue," Wardle said. "There's some incompetence from a security point of view."
At the ShmooCon hacker conference in Washington D.C. last 17 January, the same researcher said that even though Apple patched those holes, it didn't fix the overall problem, and Gatekeeper still doesn't do a good job of blocking malware.
"Apple wants you to think Macs never get malware, never get infected, and if they could, there's a tool called Gatekeeper," said Patrick Wardle, director of research at Redwood City, California-based security firm Synack. "But the truth is, Gatekeeper only protects you from very lame attacks."
To prove it, Wardle showed how he infected a Mac using a corrupted installer file for a piece of well-known antivirus software. He also revealed a new tool he'd created, called Ostiarius, which he said actually does what Gatekeeper was meant to do.
Gatekeeper separates software downloaded from the Internet into three categories. The first is software directly from Apple's own Mac App Store, which is assumed to be safe. The second category is software that has been digitally "signed" by developers approved by Apple, and is assumed to be almost as safe. The third is everything else, which is deemed unsafe.
By default, Gatekeeper accepts and runs software from the first two categories, while blocking the third. Paranoid users can dial up Gatekeeper's settings to allow only the first category; others can throw caution to the wind and allow all three. Wardle's work for the past year has shown that malware can still be installed even if Gatekeeper is set to block the dangerous third category.
Both of Wardle's two 2015 Gatekeeper exploits snuck in malicious code to run with signed software. One exploit inserted malware into the code libraries, or dylibs, that most large applications share; the other bundled malware into compressed installer packages (.dmg files) for signed software.
Apple's fixes for both flaws were too narrow, Wardle said. The company added verification of dylibs to block the first exploit. In the second case, Apple blocked the software-development tool that Wardle had used to add malware to the installer file. Neither fixed the overall problem that Gatekeeper did not (and still does not, according to Wardle) block all unsigned code downloaded from the Internet.
Wardle guessed that Apple's patch for his second exploit could be bypassed if he simply found another tool to replicate what the blocked tool did. It took about an hour to find one online. He substituted it for the older tool, and his infected-installer exploit worked again.
At ShmooCon, Wardle played a video clip in which he used that reworked exploit, and a corrupted installer file for Kaspersky Internet Security for Mac, to infect a fully patched and updated Mac running the latest version of OS X.
The Kaspersky software itself wasn't malicious or corrupted. But like most major antivirus-software vendors, Wardle said, Kaspersky Lab doesn't transmit its software over the Web using secure connections. That made it easy for Wardle to stage a man-in-the-middle attack on one of his own computers.
Using a second computer, he captured the transmission of the clean download from Kaspersky's servers, added malware to the installation package, and then sent the download on its way to the target Mac. (In a real attack, neither the software maker nor the end user would have been aware of the compromise.)
The overall problem, Wardle said, was that Gatekeeper still doesn't block every piece of unsigned software downloaded from the Internet. It blocks only the most obvious ones.
"Apple has not fixed the systemic issue," Wardle said. "There's some incompetence from a security point of view."
Comments
Post a Comment