Apple OS X Mavericks May Have Serious Security Flaw

Apple may have accidentally introduced a serious security flaw into OS X 10.9 Mavericks, a security researcher claims.

In a blog post yesterday (Oct. 23), Lawrence Lin of Trend Micro explains that Apple added a security setting to Gatekeeper, OS X's software-screening application, that lets users easily "whitelist" untrusted software packages. 

The new setting gives untrusted software packages a Gatekeeper "pass" by modifying a certain metadata attribute on the package.

Unfortunately, Lin explained, that modified attribute stays active even if the software package is copied from one Mac to another.

That means an attacker could distribute malicious applications to other Macs via non-Internet methods such as shared folders or USB sticks, and Gatekeeper would be none the wiser. 

The users of the infected Macs would get no warning that they were about to run untrusted software, unless they had some of the best Mac antivirus software installed.

"It's a small hole, since nobody shares programs via USB drives these days," said Robert Graham, chief executive officer of Atlanta-based Errata Security, in an open Twitter conversation yesterday. "But I wonder if there aren't other ways to exploit it not described in the Trend advisory."

An archived blog post suggests that similar Gatekeeper workarounds may exist in earlier versions of OS X, and that they may work on non-standard Internet file transfers.

You shall not pass

Gatekeeper, introduced with OS X 10.8 Mountain Lion in July 2012 and subsequently back-ported to OS X 10.7 Lion, limits the kinds of software that can be installed on a Mac.

It has three settings: one that permits only software from the official Mac app store, a default setting that permits only software that has been digitally signed with an Apple developer ID, and a setting that essentially turns off Gatekeeper by permitting software installations from any source.

Gatekeeper classifies each software package downloaded from the Internet by adding a "quarantine" tag. Lin found that packages that come from outside the Mac app store and aren't signed with Apple developer IDs receive a quarantine value of "0002."

If the user tries to open such an application with either of the two tougher Gatekeeper settings enabled, a dialogue box will pop up stating that the software "can't be opened because it is from an unidentified developer."

However, Lin also found that Mavericks, which Apple released to the general public Tuesday (Oct. 22), has added a button to the Security & Privacy settings tab. The tab lists the name of the latest blocked application and the button states, "Open Anyway."

If it's clicked, the application's metadata quarantine attribute changes from "0002" to "0062" and Gatekeeper gives it a lifetime pass — on both the Mac that made the attribute change, and on any other Mac running Mavericks as well.

"If the file is transferred to another Mac (if copied using a compatible file system)," Lin wrote, "this setting will also be honored by this other device."
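An added audit helper, not code from the article, Trend Micro or Apple, that reads the quarantine attribute the article describes and reports which files already carry an "Open Anyway" pass. It assumes the attribute is named com.apple.quarantine and that its value begins with a four-digit hex flags field followed by ';'-separated fields; treating the 0x0060 bits that distinguish "0062" from "0002" as the approval marker is this script's assumption.

```shell
#!/bin/sh
# Added audit helper (not from the article, Trend Micro or Apple).
# Gatekeeper consults the com.apple.quarantine extended attribute on a
# downloaded file. Assumed layout: "<hex flags>;<hex timestamp>;<agent>;<uuid>".
# The article reports flags "0002" for a plain unsigned download and "0062"
# after "Open Anyway"; reading the extra 0x0060 bits as "approved" is an assumption.

# Classify one raw attribute value. Prints one of:
#   none         no attribute value (file never carried a quarantine tag)
#   quarantined  flags are exactly 0002: Gatekeeper will still block it
#   approved     flags carry the 0x0060 bits, i.e. an "Open Anyway" pass that
#                may have been granted on a different Mac
#   other        unexpected or malformed flags field
quarantine_status() {
  value="$1"
  if [ -z "$value" ]; then
    echo none
    return 0
  fi
  flags="${value%%;*}"                     # first ';'-separated field
  case "$flags" in
    [0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]) ;;   # four hex digits
    *) echo other; return 0 ;;
  esac
  bits=$((0x$flags))
  if [ "$bits" -eq 2 ]; then
    echo quarantined
  elif [ $((bits & 0x60)) -ne 0 ]; then
    echo approved
  else
    echo other
  fi
}

# Report every entry directly under a directory (macOS only: needs xattr).
# Files copied in from a USB stick or shared folder that show "approved"
# deserve a second look before they are opened.
audit_dir() {
  dir="$1"
  if ! command -v xattr >/dev/null 2>&1; then
    echo "xattr not available on this host" >&2
    return 1
  fi
  find "$dir" -mindepth 1 -maxdepth 1 | while IFS= read -r entry; do
    raw=$(xattr -p com.apple.quarantine "$entry" 2>/dev/null || true)
    printf '%-12s %s\n' "$(quarantine_status "$raw")" "$entry"
  done
}
if [ $# -gt 0 ]; then audit_dir "$1"; fi
```

Run it as `sh audit.sh ~/Downloads` on a Mac; on other systems only the pure parsing function is usable.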

Lin demonstrated the flaw with screen grabs of console windows showing the metadata of a test app he created without an Apple developer signature.

On one Mac, he authorizes the machine to allow the app to run anyway; on another Mac to which he transferred the app, he shows that the quarantine metadata attribute has been changed and that the app pops up a dialogue box displaying "Gatekeeper ignores me."

'No checks are done'

That's serious enough, but a question posted in March on the Apple section of the StackExchange question-and-answer site indicates the flaw may have existed before Mavericks, and can work with files transferred across the Internet using certain protocols.

"GateKeeper allows me to install anything, no checks are done," wrote a user called Ron M.

"I can download applications from custom websites, and run them, even when my gatekeeper settings are at 'AppStore Only.' This is my application — it's not even signed," Ron M. wrote. "What could be the reason for that? I can reproduce this behavior on all my 3 Macs."

It turns out that even before Mavericks, Gatekeeper permitted whitelisting of unsigned applications if a user with administrative privileges right-clicked the software package.

Ron M. wasn't sure if he had done that with his custom applications, but he did state that he had copied the files from remote Internet servers using the Server Message Block (SMB) protocol, normally used for file sharing and printing.

"On other machines, this triggers the safety mechanisms correctly," Ron M. wrote. "On my machines, even though I have 'App Store Only,' taking the same file, the same way is allowable, no restrictions for installing and running."

It's possible that there was something unique about Ron M.'s user settings on all three of his Macs, especially since he said he couldn't reproduce the issue on other people's Macs.

But if it's true that a Gatekeeper quarantine bypass can be preserved in an Internet file transfer, malicious files could also be distributed that way.

Requests for comment from Apple and from Lawrence Lin were not immediately answered.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

  • ssdpro
    Wait, what? Something doesn't sound right because Macs are perfectly designed and perfectly secure. Once you buy an Apple product you can keep it forever because it is perfect. Other companies are forced to release new models/versions every 6-9 months to work out massive bugs and make basic functionality adjustments. And sometimes those companies make "improvements" that don't work at all then just tell their customers "Whoops, well, don't worry a new one that works a little better will be out in 6-9 months."
  • macpeteo
    Don't be an A-Hole ssdpro!
  • jimmysmitty
    A security flaw in OSX? No..... That's not possible!!!!!

    In all reality, OSX is one of the most vulnerable OSes out there. It's just that since their market share is so low they don't get attacked as often as Windows does.

    That's why it's one of the first OSes to go at PWN2OWN.
  • truerock
    Samsung Fined $340K for Fake Online Comments Targeting HTC

    By Chloe Albanesius

    October 24, 2013 02:15pm EST

    Taiwanese officials this week handed down a $340,000 fine against Samsung for waging what they considered to be an unfair online campaign against HTC devices.

    As noted by the BBC, Samsung allegedly hired an advertising firm that paid students and bloggers to write posts and comments online that praised Samsung's products but were critical of gadgets from rival HTC.
  • ethanolson
    I'm a bit bothered by the speed in which huge software is managed these days. Microsoft and Apple are having some problems with their stuff. I can see that Apple is acting most like Microsoft, which tells me that they don't have Google in their sights as much as previously thought. So now the question becomes "who's leading whom?"
  • apone
    @ macpeteo

    So you can dish it out but you can't take it? Don't get mad at ssdpro for showing you the same smug arrogance you mactards have when y'all bash Windows.