WASHINGTON, D.C. — Last year, a noted Mac security researcher showed there were at least two different ways to bypass Gatekeeper, Apple's malware-blocking program for OS X.
At the ShmooCon hacker conference here on Jan. 17, the same researcher said that even though Apple patched those holes, it didn't fix the overall problem, and Gatekeeper still doesn't do a good job of blocking malware.
"Apple wants you to think Macs never get malware, never get infected, and if they could, there's a tool called Gatekeeper," said Patrick Wardle, director of research at Redwood City, California-based security firm Synack. "But the truth is, Gatekeeper only protects you from very lame attacks."
To prove it, Wardle showed how he infected a Mac using a corrupted installer file for a piece of well-known antivirus software. He also revealed a new tool he'd created, called Ostiarius, which he said actually does what Gatekeeper was meant to do.
Gatekeeper separates software downloaded from the Internet into three categories. The first is software directly from Apple's own Mac App Store, which is assumed to be safe. The second category is software that has been digitally "signed" by developers approved by Apple, and is assumed to be almost as safe. The third is everything else, which is deemed unsafe.
By default, Gatekeeper accepts and runs software from the first two categories, while blocking the third. Paranoid users can dial up Gatekeeper's settings to allow only the first category; others can throw caution to the wind and allow all three. Wardle's work for the past year has shown that malware can still be installed even if Gatekeeper is set to block the dangerous third category.
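The three categories above correspond to what Gatekeeper's own assessment tool reports for a file. The following Python is an added example, not code from the article, from Wardle or from Apple: it runs `spctl --assess` where the tool exists and maps the `source=` line back onto the article's categories. The sample transcripts are constructed to mirror spctl's `<path>: accepted|rejected` plus `source=...` output format, which is an assumption about the tool's formatting, and the source-to-category mapping is likewise the editor's interpretation.

```python
"""Classify a downloaded application into the three Gatekeeper categories the
article describes, by parsing `spctl --assess` output.  Added example; the
sample transcripts below are constructed, not captured from a real machine."""
import shutil
import subprocess
from typing import Tuple

# Assumption: spctl's "source=" values for the first two categories.
CATEGORY_BY_SOURCE = {
    "Mac App Store": 1,            # category 1: straight from Apple's store
    "Developer ID": 2,             # category 2: signed by an Apple-approved developer
    "Notarized Developer ID": 2,   # later macOS wording for the same category
}


def classify_assessment(output: str) -> Tuple[str, int]:
    """Return (verdict, category) for one spctl transcript.

    Anything not explicitly accepted, or accepted from an unknown source,
    falls into category 3 ('everything else'), which Gatekeeper blocks by default.
    """
    verdict = "rejected"
    source = ""
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(": accepted"):
            verdict = "accepted"
        elif line.endswith(": rejected"):
            verdict = "rejected"
        elif line.startswith("source="):
            source = line[len("source="):]
    if verdict != "accepted":
        return verdict, 3
    return verdict, CATEGORY_BY_SOURCE.get(source, 3)


def assess_path(path: str) -> Tuple[str, int]:
    """On macOS, ask spctl about a real file; elsewhere report 'unavailable'."""
    if shutil.which("spctl") is None:
        return "unavailable", 3
    proc = subprocess.run(
        ["spctl", "--assess", "--verbose=4", "--type", "execute", path],
        capture_output=True, text=True,
    )
    # spctl writes its verdict to stderr on some versions, so read both streams.
    return classify_assessment(proc.stdout + proc.stderr)


# Constructed sample transcripts (hypothetical paths, not real assessments).
SAMPLE_APP_STORE = "/Applications/Pages.app: accepted\nsource=Mac App Store\n"
SAMPLE_DEV_ID = "/Applications/Vendor.app: accepted\nsource=Developer ID\n"
SAMPLE_UNSIGNED = "/Users/demo/Downloads/Tool.app: rejected\nsource=no usable signature\n"

if __name__ == "__main__":
    for name, sample in [("App Store", SAMPLE_APP_STORE),
                         ("Developer ID", SAMPLE_DEV_ID),
                         ("Unsigned", SAMPLE_UNSIGNED)]:
        print(name, "->", classify_assessment(sample))
```

The point of the mapping is that only category 3 is blocked under the default setting; a file that lands in category 2 because a signed installer was tampered with in transit, as described later in the article, is accepted just like a clean one.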
Both of Wardle's 2015 Gatekeeper exploits smuggled malicious code in alongside signed software. One exploit inserted malware into the code libraries, or dylibs, that most large applications share; the other bundled malware into the disk-image installer packages (.dmg files) for signed software.
Apple's fixes for both flaws were too narrow, Wardle said. The company added verification of dylibs to block the first exploit. In the second case, Apple blocked the software-development tool that Wardle had used to add malware to the installer file. Neither fixed the overall problem that Gatekeeper did not (and still does not, according to Wardle) block all unsigned code downloaded from the Internet.
Wardle guessed that Apple's patch for his second exploit could be bypassed if he simply found another tool to replicate what the blocked tool did. It took about an hour to find one online. He substituted it for the older tool, and his infected-installer exploit worked again.
At ShmooCon, Wardle played a video clip in which he used that reworked exploit, and a corrupted installer file for Kaspersky Internet Security for Mac, to infect a fully patched and updated Mac running the latest version of OS X.
The Kaspersky software itself wasn't malicious or corrupted. But like most major antivirus-software vendors, Wardle said, Kaspersky Lab doesn't transmit its software over the Web using secure connections. That made it easy for Wardle to stage a man-in-the-middle attack on one of his own computers.
Using a second computer, he captured the transmission of the clean download from Kaspersky's servers, added malware to the installation package, and then sent the download on its way to the target Mac. (In a real attack, neither the software maker nor the end user would have been aware of the compromise.)
The installer file was unpacked, and Kaspersky Internet Security was installed and launched, but Gatekeeper detected nothing. A notification box did pop up stating that the application had been downloaded from the Internet, but that feature predates Gatekeeper and does not indicate whether an application is malicious.
Wardle approved Kaspersky Internet Security to run, as would any user who had just downloaded and installed software from a trusted vendor. The software launched smoothly, but a command-line window showed that another application called "JavaW" had also been launched. Wardle's own KnockKnock system-management tool showed that JavaW had set itself to run every time the Mac was booted up.
"Not only was unsigned code able to run, it was able to persist itself," or survive a system reboot, Wardle said. "If we take a look at [the online malware-signature repository] VirusTotal, we can see that it's iWorm," a well-known piece of Mac malware from 2014.
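What KnockKnock surfaced in the demo is a launch item that starts the dropped "JavaW" binary on every boot. The following Python is an added example, not Wardle's KnockKnock code: it triages launch-agent and launch-daemon property lists and flags the combination a defender cares about, automatic start plus a program living outside the usual system and application directories. The plists are constructed samples, the `JavaW` path is hypothetical, and the list of trusted prefixes is an assumption for illustration rather than an Apple-defined rule.

```python
"""Triage macOS launch items (LaunchAgents / LaunchDaemons plists) for
persistence that looks out of place.  Added example; the sample plists are
constructed and the trusted-prefix list is an assumption."""
import os
import plistlib
from typing import Dict, List

# Assumption: programs under these prefixes are treated as expected.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/")

# Constructed sample plists in the XML form macOS uses (hypothetical paths).
SAMPLE_PLISTS: Dict[str, bytes] = {
    "/Library/LaunchAgents/com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Users/demo/Library/.hidden/JavaW</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "/Library/LaunchAgents/com.example.vendorhelper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.vendorhelper</string>
  <key>Program</key><string>/Applications/Vendor.app/Contents/MacOS/helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Library/LaunchAgents/com.example.ondemand.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.ondemand</string>
  <key>ProgramArguments</key><array><string>/Users/demo/bin/tool</string></array>
</dict></plist>""",
}


def program_path(item: dict) -> str:
    """launchd accepts either ProgramArguments (argv) or a bare Program key."""
    args = item.get("ProgramArguments")
    if args:
        return args[0]
    return item.get("Program", "")


def triage_launch_item(path: str, data: bytes) -> dict:
    """Parse one plist and explain why it is or is not worth a closer look."""
    item = plistlib.loads(data)
    prog = program_path(item)
    # KeepAlive may be a bool or a dict of conditions; either means "restart me".
    autostart = bool(item.get("RunAtLoad")) or bool(item.get("KeepAlive"))
    reasons: List[str] = []
    if autostart:
        reasons.append("starts automatically (RunAtLoad/KeepAlive)")
    if prog and not prog.startswith(TRUSTED_PREFIXES):
        reasons.append("program outside trusted directories")
    if "/." in prog:
        reasons.append("program stored in a hidden directory")
    return {
        "plist": path,
        "label": item.get("Label", ""),
        "program": prog,
        # Auto-start alone is normal; auto-start of an unusual binary is the signal.
        "suspicious": autostart and len(reasons) > 1,
        "reasons": reasons,
    }


def scan_samples() -> List[dict]:
    """Run the triage over the constructed samples (offline)."""
    return [triage_launch_item(p, d) for p, d in SAMPLE_PLISTS.items()]


def scan_directory(directory: str) -> List[dict]:
    """Run the triage over every .plist in a real launch-item directory."""
    results = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            full = os.path.join(directory, name)
            with open(full, "rb") as fh:
                results.append(triage_launch_item(full, fh.read()))
    return results


if __name__ == "__main__":
    for r in scan_samples():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['label']:30} {r['program']}  {'; '.join(r['reasons'])}")
```

On a real Mac the same function can be pointed at `/Library/LaunchAgents`, `/Library/LaunchDaemons` and `~/Library/LaunchAgents` via `scan_directory`; the next step for any flagged entry is to check the program's signature, since, as the article stresses, an auto-started unsigned binary is exactly what Gatekeeper never looked at.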
Wardle showed his latest exploit to Apple before his ShmooCon presentation, and he said the company responded by once again blocking the specific development tool used to perform the exploit. But that's just playing whack-a-mole — there are many other tools out there that can do the same thing.
The overall problem, Wardle said, was that Gatekeeper still doesn't block every piece of unsigned software downloaded from the Internet. It blocks only the most obvious ones. (Apple did not immediately respond to a request for comment from Tom's Guide.)
"Apple has not fixed the systemic issue," Wardle said. "There's some incompetence from a security point of view."
To that end, Wardle said, he had developed and released a free tool called Ostiarius, Latin for "doorman" or "gatekeeper," that runs on OS X 10.11 El Capitan and analyzes all executable files as they run.
"My tool blocks execution of unsigned binaries from the Internet," he said. "If that sounds familiar, it's what Gatekeeper has always claimed to do."
To avoid malware and other suspect code, Wardle said, Apple users could set Gatekeeper to accept only software from the Mac App Store. However, he added, that's inconvenient for users who want software the App Store doesn't carry — such as Kaspersky Internet Security or any other full-fledged antivirus program.
Wardle is not a fan of antivirus software, and recommended instead that Apple users try out his own free tools to protect their systems. We here at Tom's Guide do recommend antivirus software for all desktop systems, but in light of the security problems Wardle pointed out, you might want to buy the boxed version and install it from the CD or DVD instead of from the antivirus maker's own website.