Apple has had two cracks at patching a vulnerability that allows malicious apps to bypass its OS X Gatekeeper security feature, and twice has taken a shortcut approach to the fix, said the researcher who reported the flaw.
The latest measure to address this was released on Thursday and it appears Apple again took steps to mitigate the immediate problem disclosed privately by Synack director of research Patrick Wardle as a stopgap measure until a more comprehensive solution can be engineered.
This saga began last June when Wardle reported a problem in Gatekeeper, a feature added in the Mountain Lion version of OS X that protects Macs from executing malicious or untrusted apps downloaded from the Internet. Gatekeeper ensures that only apps that are signed with an Apple App Developer Certificate or downloaded from the Apple App Store are executed.
Wardle, just prior to Virus Bulletin in September and again in December, privately disclosed the vulnerability (CVE-2015-7024) to Apple. He reported that Gatekeeper checks only the initial executable that a user double-clicks on at app install. Wardle said that if the initial file then executes another file in the same directory that Gatekeeper would not verify the second one.
“So that means I could build an installer package or a zip file and when the user clicks on it, that would actually be the Apple signed binary [that is verified by Gatekeeper],” Wardle said. “That one would then, behind the scenes, look for a second [malicious] binary which would be in the same installer package and would execute that.”
Apple patched the issue in October, but did so only by blacklisting the binaries that Wardle provided with his proof of concept code. Wardle told Threatpost it took him about 30 seconds to bypass the original patch with different binaries, and the same holds true for yesterday’s patch as Apple took the same approach, except to implement it via XProtect, the antimalware feature built into OS X.
“I believe there are many applications that can be abused to exploit this flaw, so blacklisting is, in my opinion, a really bad idea,” Wardle said. “Especially if it’s how something is ‘patched.’ That gives users a false sense of security. Also if I’m an (evil) OS X hacker, I’m going to start reversing Apple’s patches to figure out the original bugs, and if they mess up the patches or provide a weak ones (as they did in this case), ‘free’ 0days. I think it’d be better for Apple to hold off and release a more comprehensive patch that fully addresses the issue.”
Wardle is scheduled to speak Sunday at ShmooCon in Washington, D.C., about his Gatekeeper research. He’s also expected to release to open source a kernel extension called Ostiarius that blocks unsigned binaries downloaded from the Internet from executing.
“It gives you a global overview of all process that are being executed. It can check if it’s from the Internet, and if so does it conform to Gatekeeper’s standards, meaning is it signed and authorized,” Wardle said. “The cool thing about it being in the kernel, the code doesn’t care how that code was executed, whether it was double clicked by the user or by a secondary executable. It’s a generic point where we can see all processes that are being started. The tool can see new process started and see whether it’s from the Internet and unsigned, and block it.”
In the meantime, he said Mac users remain exposed, especially if an attacker already has man-in-the-middle position on a network, or if they’re downloading apps from an untrusted site; many organizations have Apple developer certificates to build enterprise apps for OS X and iOS, and distribute them outside the App Store. Wardle said that apps that are downloaded over insecure HTTP connections are particularly vulnerable to injection attacks if a hacker is already on the network.
“Gatekeeper previously would detect and block that,” Wardle said. “Now using this technique, [attackers] can bypass Gatekeeper and the user is unaware there is malware on their system, are completely infected and it’s pretty much game over.”
Wardle said that Apple told him that its fix was a “very targeted patch” and that it was working on a comprehensive solution.
“They have some legacy concerns, they don’t want to break existing stuff,” Wardle said. “My reasoning for talking about is that it literally took me five minutes to reverse the patch and find a new binary.
“I wouldn’t be surprised if hackers and adversaries would do a similar thing,” Wardle said. “It’s a nice way to infect Mac users. Before Gatekeeper came around, there were a lot of Mac Trojans infecting Mac users, which is why A created Gatekeeper.”