Apple may have accidentally introduced a serious security flaw into OS X 10.9 Mavericks, a security researcher claims.
In a blog post yesterday (Oct. 23), Lawrence Lin of Trend Micro explains that Apple added a setting to Gatekeeper, OS X's software-screening feature, that lets users easily "whitelist" untrusted software packages.
The new setting gives an untrusted software package a Gatekeeper "pass" by modifying the package's quarantine metadata, an extended attribute named com.apple.quarantine that is stored alongside the file.
Unfortunately, Lin explained, the modified attribute travels with the file: it stays in place if the software package is copied from one Mac to another.
That means an attacker could distribute malicious applications to other Macs via non-Internet methods such as shared folders or USB sticks, and Gatekeeper would be none the wiser.
Users of the receiving Macs would get no warning that they were about to run untrusted software, unless separately installed antivirus software caught it.
"It's a small hole, since nobody shares programs via USB drives these days," said Robert Graham, chief executive officer of Atlanta-based Errata Security, in an open Twitter conversation yesterday. "But I wonder if there aren't other ways to exploit it not described in the Trend advisory."
A forum post from earlier this year suggests that similar Gatekeeper bypasses may exist in earlier versions of OS X, and that they may survive file transfers over network protocols such as SMB.
You shall not pass
Gatekeeper, introduced with OS X 10.8 Mountain Lion in July 2012 and subsequently back-ported to OS X 10.7 Lion, limits the kinds of software that can be installed on a Mac.
It has three settings: one that permits only software from the official Mac app store, a default setting that permits only software that has been digitally signed with an Apple developer ID, and a setting that essentially turns off Gatekeeper by permitting software installations from any source.
Software that downloads files from the Internet, such as Safari, tags each download with a "quarantine" attribute, and Gatekeeper checks that attribute the first time the file is opened. In Lin's tests, a package downloaded from outside the Mac App Store carried a quarantine flags value of "0002."
If the user tries to open an application tagged this way and not signed with an Apple developer ID while either of the two stricter Gatekeeper settings is enabled, a dialog box will pop up stating that the software "can't be opened because it is from an unidentified developer."
However, Lin also found that Mavericks, which Apple released to the general public Tuesday (Oct. 22), has added a button to the Security & Privacy settings tab. The tab lists the name of the most recently blocked application, and the button states, "Open Anyway."
If it's clicked, the flags value in the application's quarantine attribute changes from "0002" to "0062," and Gatekeeper gives the application a lifetime pass on the Mac that made the change and on any other Mac running Mavericks to which the file is copied in a way that preserves extended attributes, such as between HFS+ volumes or over a file share that supports them.
"If the file is transferred to another Mac (if copied using a compatible file system)," Lin wrote, "this setting will also be honored by this other device."
Lin demonstrated the flaw with screen grabs of terminal windows showing the quarantine attribute of a test app he created without an Apple developer signature.
On one Mac, he authorizes the machine to allow the app to run anyway; on another Mac to which he transferred the app, he shows that the quarantine attribute still carries the changed value and that the app pops up a dialog box displaying "Gatekeeper ignores me."
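An added example, not from the article or from Trend Micro, of the check an administrator would want to run on applications that arrive on USB sticks or shares: read each file's com.apple.quarantine attribute and flag any that already carry the "Open Anyway" value. The attribute format (flags;timestamp;agent;uuid, hex in the first two fields) and the two flag values 0002 and 0062 are as the article describes; treating the bits that differ between them (0x0060) as the approval marker, the `user.` namespace used on Linux, and the sample attribute strings are assumptions made for this example.

```python
"""Inspect and classify macOS com.apple.quarantine attributes.

Example code added to the article; the attribute format and the
0002/0062 flag values are taken from the text, the rest is assumed.
"""
import os
import platform
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

QUARANTINE_XATTR = "com.apple.quarantine"

FLAGS_BLOCKED = 0x0002   # value on a fresh download, as reported in the article
FLAGS_APPROVED = 0x0062  # value after "Open Anyway", as reported in the article
# Assumption: the bits that differ between the two values mark user approval.
APPROVAL_BITS = FLAGS_APPROVED & ~FLAGS_BLOCKED  # 0x0060


@dataclass
class Quarantine:
    flags: int
    timestamp: int
    agent: str
    uuid: str


def parse_quarantine(raw: str) -> Quarantine:
    """Parse 'flags;timestamp;agent;uuid' (first two fields are hex).

    Short values with fewer than four fields are padded with '' so a
    stripped or hand-edited attribute still parses."""
    fields = raw.strip().split(";")
    if len(fields) < 2:
        raise ValueError(f"not a quarantine attribute: {raw!r}")
    fields += [""] * (4 - len(fields))
    timestamp = int(fields[1], 16) if fields[1] else 0
    return Quarantine(int(fields[0], 16), timestamp, fields[2], fields[3])


def classify(q: Optional[Quarantine]) -> str:
    """Map an attribute to what Gatekeeper will do with the file."""
    if q is None:
        return "unquarantined"   # no tag at all: Gatekeeper does not inspect it
    if q.flags == FLAGS_BLOCKED:
        return "blocked"         # unidentified-developer prompt expected
    if q.flags & APPROVAL_BITS:
        return "user-approved"   # pre-cleared on some Mac; opens silently
    return "other"


def read_quarantine(path: str) -> Optional[Quarantine]:
    """Read the attribute from disk; None when the file carries none."""
    if platform.system() == "Darwin":
        # xattr(1) ships with OS X; -p prints the value of one attribute.
        result = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                                capture_output=True, text=True)
        return parse_quarantine(result.stdout) if result.returncode == 0 else None
    try:  # Linux: assumes the attribute was copied into the user namespace
        raw = os.getxattr(path, "user." + QUARANTINE_XATTR)
    except (OSError, AttributeError):
        return None
    return parse_quarantine(raw.decode("utf-8", "replace"))


def audit(attrs: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Return (path, verdict) for every file that would skip the prompt.

    `attrs` maps a path to its raw attribute string (None if absent), so
    the logic can be exercised without a Mac."""
    findings = []
    for path, raw in attrs.items():
        verdict = classify(parse_quarantine(raw) if raw is not None else None)
        if verdict in ("user-approved", "unquarantined"):
            findings.append((path, verdict))
    return findings


if __name__ == "__main__":
    # Constructed sample: what a USB stick from a colleague might carry.
    sample = {
        "/Volumes/STICK/Fresh.app": "0002;52686e3c;Safari;1F2E3D4C-0000-0000-0000-000000000001",
        "/Volumes/STICK/Cleared.app": "0062;52686e3c;Safari;1F2E3D4C-0000-0000-0000-000000000002",
        "/Volumes/STICK/Untagged.app": None,
    }
    for path, verdict in audit(sample):
        print(f"{verdict:14} {path}")
```

Only "Fresh.app" in the sample would trigger the unidentified-developer prompt; the other two open without one, for different reasons, which is why the audit reports both. On a live system, feed `read_quarantine(path)` for each application into the same classification.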
'No checks are done'
That's serious enough, but a question posted in March on Ask Different, the Apple section of the Stack Exchange network, indicates the flaw may have existed before Mavericks, and can work with files transferred across the Internet using certain protocols.
"GateKeeper allows me to install anything, no checks are done," wrote a user called Ron M.
"I can download applications from custom websites, and run them, even when my gatekeeper settings are at 'AppStore Only.' This is my application — it's not even signed," Ron M. wrote. "What could be the reason for that? I can reproduce this behavior on all my 3 Macs."
It turns out that even before Mavericks, Gatekeeper permitted whitelisting of an unsigned application if a user with administrative privileges right-clicked (or Control-clicked) the application and chose Open from the contextual menu.
Ron M. wasn't sure if he had done that with his custom applications, but he did state that he had copied the files from remote servers over the Internet using the Server Message Block (SMB) protocol, normally used for file sharing and printing.
"On other machines, this triggers the safety mechanisms correctly," Ron M. wrote. "On my machines, even though I have 'App Store Only,' taking the same file, the same way is allowable, no restrictions for installing and running."
It's possible that there was something unique about Ron M.'s user settings on all three of his Macs, especially since he said he couldn't reproduce the issue on other people's Macs.
But if a Gatekeeper override can survive a transfer over the Internet, malicious files could be distributed that way as well. A transfer that strips the quarantine attribute altogether has a similar effect: Gatekeeper evaluates only files that carry the tag, so an application that arrives with no tag opens without a prompt regardless of the setting.
Requests for comment from Apple and from Lawrence Lin were not immediately answered.