Mac users may be downloading the OS X 10.11 El Capitan update in droves this week, but the anti-malware software that Apple bakes into OS X has a vulnerability problem. Apple's Gatekeeper was made to cut off Trojan horse-style malware at the pass, but it only analyzes applications during installation, not at any time thereafter.
This means an approved application could be used by a nefarious player, letting even the worst, most dangerous malicious code hop the gate, so to speak. So says Patrick Wardle, director of research at Redwood City, California-based security firm Synack. We reported on Wardle's concerns about Gatekeeper when he presented them at the CanSecWest conference in Vancouver this past March, and he's now elaborating further tomorrow (Oct. 1) at the annual Virus Bulletin conference in Prague.
Wardle's "Exposing Gatekeeper" presentation will analyze the anti-malware software's limits, and reveal the vulnerabilities he says Apple has yet to patch. Many of the flaws are based on dynamic-link-library (DLL) hijacks, a type of attack that Microsoft blocked in Windows in 2010.
Someone looking to take advantage of Gatekeeper's vulnerabilities needs only to spike frequently used shared software libraries with malicious code. Apple calls those libraries dylibs instead of DLLs, but the concept is the same, and the attack could undermine any number of programs, including Apple's own iCloud programs and the OS X versions of Microsoft's Office suite programs like Word and PowerPoint.
At CanSecWest, Wardle said taking advantage of Gatekeeper flaws "is trivial to accomplish," and that the vulnerabilities are "difficult to be patched out [of existence]." On the Mac, this is due to how OS X processes dylibs. (An Apple spokesman told Ars Technica today (Sept. 30) that Apple was working on a patch.)
On a Mac, if a dylib isn't found in the directory where it's supposed to be, the application looking for it will instead load a library that the hypothetical hackers have placed in a different location.
OS X uses an application called the dylib loader to find dylibs if a program does not know where to search for those files. Unfortunately, the dylib loader can be tricked and pointed toward the very malware Gatekeeper is supposed to protect Macs from.
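The "dylib isn't where it's supposed to be" condition described above can be audited from an application's own Mach-O load commands: an optional (weak) dylib that exists nowhere, or an @rpath dylib that is only found via a later search entry, leaves an empty slot the loader checks first. The following is an added example, not Wardle's scanner or any Apple code; the Demo.app paths and the miniature Mach-O it builds are constructed for illustration.

```python
# Added example, not Wardle's scanner or Apple code; all paths and the sample binary are constructed.
import struct
MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH = 0xC, 0x80000018, 0x8000001C

def dylib_deps(data):
    """Parse a little-endian Mach-O 64 header; return (rpath entries, [(is_weak, install name)])."""
    magic, ncmds = struct.unpack_from("<I12xI", data, 0)  # mach_header_64.magic / .ncmds
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    rpaths, deps, off = [], [], 32  # load commands start after the 32-byte header
    for _ in range(ncmds):
        cmd, size = struct.unpack_from("<II", data, off)
        if cmd in (LC_RPATH, LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            so = off + struct.unpack_from("<I", data, off + 8)[0]  # lc_str.offset, relative to command
            name = data[so:data.index(b"\0", so)].decode()
            if cmd == LC_RPATH:
                rpaths.append(name)
            else:
                deps.append((cmd == LC_LOAD_WEAK_DYLIB, name))
        off += size
    return rpaths, deps

def find_hijackable(data, exists):
    """Flag a weak dylib present nowhere, or an @rpath dylib that only a later rpath entry
    resolves: dyld tries candidates in order, so an empty earlier slot would be loaded first."""
    rpaths, deps = dylib_deps(data)
    findings = []
    for weak, name in deps:
        cands = ([name.replace("@rpath", rp, 1) for rp in rpaths]
                 if name.startswith("@rpath/") else [name])
        first = next((i for i, c in enumerate(cands) if exists(c)), None)  # exists: path predicate
        if (first is None and weak) or (first or 0) > 0:
            findings.append((name, cands[0]))
    return findings

def _cmd(cmd, fixed, path):  # one load command: fixed words, then lc_str padded to 8 bytes
    s, base = path.encode() + b"\0", 8 + 4 * len(fixed)
    size = (base + len(s) + 7) & ~7
    return struct.pack("<II%dI" % len(fixed), cmd, size, *fixed) + s.ljust(size - base, b"\0")

def build_sample():  # constructed binary: two rpaths, one @rpath dylib, one weak dylib, libSystem
    d = (24, 0, 0x10000, 0x10000)  # dylib_command: name offset, timestamp, current/compat version
    cmds = (_cmd(LC_RPATH, (12,), "/Applications/Demo.app/Contents/PlugIns")
            + _cmd(LC_RPATH, (12,), "/Applications/Demo.app/Contents/Frameworks")
            + _cmd(LC_LOAD_DYLIB, d, "@rpath/Shared.dylib")
            + _cmd(LC_LOAD_WEAK_DYLIB, d, "/usr/local/lib/libOptional.dylib")
            + _cmd(LC_LOAD_DYLIB, d, "/usr/lib/libSystem.B.dylib"))
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 5, len(cmds), 0, 0) + cmds
SAMPLE_FS = {"/Applications/Demo.app/Contents/Frameworks/Shared.dylib", "/usr/lib/libSystem.B.dylib"}
```

On a real system, pass `os.path.exists` as the predicate and the bytes of an application's main executable; each finding names the dylib and the empty location the loader would check before the legitimate copy.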