SAN FRANCISCO–For years, Apple has enjoyed a pretty good reputation among users for the security of its products. That halo has been enhanced by the addition of new security features such as Gatekeeper and XProtect to OS X recently, but one researcher said that all of those protections are simple to bypass and gaining persistence on a Mac as an attacker isn’t much of a challenge at all.

Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial.

“Gatekeeper doesn’t verify any extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper,” Wardle said in a talk at the RSA Conference here Thursday. “It only verifies the app bundle.”

Backing up Gatekeeper is XProtect, Apple’s anti-malware system for OS X. Malware isn’t a massive problem for OS X, but there definitely are some well-known families out there, with more being created all the time, Wardle said. Getting past XProtect turns out to be just as simple as bypassing Gatekeeper. Wardle found that by simply recompiling a known piece of OS X malware, which changes the hash, he could get the malware past XProtect and execute it on the machine. Even simpler, he could just change the name of the malware, which also lets it sneak in under the fence.

“It’s trivial to bypass XProtect,” he said.
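The name-plus-hash matching Wardle describes, set beside the content-based indicator a defender would write instead, as an added Python example that is not from the talk or from Apple's XProtect (the rule format, the sample bytes and the `.invalid` hostname are constructed stand-ins, not the real plist schema or a real sample):

```python
import hashlib
import re

# Constructed stand-in for a known-bad binary: a fake header plus a
# distinctive string the family always embeds. Not a real sample.
KNOWN_SAMPLE = b"\x7fMACH\x00\x01" + b"connect to c2.example.invalid" + b"\x00" * 4

# Simplified stand-in for an XProtect-style entry: the rule fires only when
# BOTH the file name and the whole-file SHA-1 match the known sample.
HASH_RULE = {
    "name": "installer.pkg",
    "sha1": hashlib.sha1(KNOWN_SAMPLE).hexdigest(),
}

# Content-based indicator (YARA-style): a byte pattern that survives a
# rename and small recompilation-style changes elsewhere in the file.
CONTENT_PATTERN = re.compile(rb"connect to [a-z0-9.]+\.invalid")


def hash_rule_matches(filename: str, data: bytes) -> bool:
    """Name + whole-file hash check, as the article describes XProtect doing."""
    return (filename == HASH_RULE["name"]
            and hashlib.sha1(data).hexdigest() == HASH_RULE["sha1"])


def content_rule_matches(data: bytes) -> bool:
    """Pattern check that does not depend on the file name or exact bytes."""
    return CONTENT_PATTERN.search(data) is not None


def evaluate(filename: str, data: bytes) -> dict:
    """Run both detections and report which ones fired."""
    return {"hash": hash_rule_matches(filename, data),
            "content": content_rule_matches(data)}


# Variant 1: identical bytes, different file name (the rename trick).
RENAMED = ("update.pkg", KNOWN_SAMPLE)
# Variant 2: same name, one trailing byte changed (stand-in for a recompile).
REBUILT = ("installer.pkg", KNOWN_SAMPLE[:-1] + b"\x01")

if __name__ == "__main__":
    for label, (name, data) in (("original", ("installer.pkg", KNOWN_SAMPLE)),
                                ("renamed", RENAMED), ("rebuilt", REBUILT)):
        print(label, evaluate(name, data))
```

Both variants slip past the hash rule while the content rule still flags them, which is why hash lists need pattern or behaviour-based rules alongside them.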

OS X also now includes a sandbox, which Wardle said is well-designed, but there are a number of known kernel-level OS X vulnerabilities that can bypass the sandbox, as well. Google’s Project Zero has discovered and published several such bugs, and Wardle said using any one of them gets him the ability to bypass the sandbox.

“While the core sandbox technology is strong, there are plenty of bugs that can bypass it,” he said.

One of the other key security technologies in OS X is the use of code signing. However, it’s not much of a task to get around that requirement, Wardle said.

“The code signing just checks for a signature and if it’s not there, it doesn’t do anything and lets the app run,” he said. “I can unsign a signed app and the loader has no way to stop it from running.”

Starting with OS X Mavericks, all of the code that runs in the kernel has to be signed. But the mechanism that checks for the signature is flawed, too, Wardle said.

“The check for this runs in user mode, which is a huge security fail because the attacker would be in user mode,” he said. “He could just modify a kernel extension or load unsigned ones.”

On the whole, the security tools in OS X don’t present much of a challenge for attackers right now, Wardle said.

“If Macs were totally secure, I wouldn’t be here talking,” Wardle said. “It’s trivial for any attacker to bypass the security tools on Macs.”


Comments (13)

  1. dan

    Patrick Wardle is talking out of his ass. He’s basically saying if a program runs arbitrary code, then arbitrary code might run. Wow, so insightful.

    • stan

      No he is not. He is saying that if the security features allow the execution of arbitrary code then that code is not secure.

    • Anonymous

      No, what he’s saying is that security is poorly implemented. Gatekeeper doesn’t verify anything but a core application bundle, but you can poison an application without modifying the bundle. OS X sandboxes are easy to escape, making them ineffective. Kernel code signatures can be bypassed by not existing, or even tampered with by the current user. Malware scans only for explicit hashes, which are easy to change. These are all gaping holes in their flagship security features.

    • patrick

      Dan, I was simply trying to point out that OS X’s built-in security/malware mitigations clearly fail at what they were designed to do. For example, Gatekeeper was designed to prevent/block all unsigned downloaded code (e.g. in a .dmg) from being executed. I described how to create a downloadable (or injectable) .dmg that would contain unsigned code that would bypass Gatekeeper and be allowed to execute. Another example: guest/non-admin users on a fully-patched OS X system should not be able to get root privs. I showed how any local user could elevate their privileges to root (video/demo of this: https://vimeo.com/125345793). As an OS X user, I find these issues quite insightful 😉

  2. RandomGuy

    Flawed research.

    Filevault2/non-admin main account + built in OS X Firewall stops 99.99% of the issues presented in this article.

  3. John

    Even with all this being true, how does this affect the Mac user who is concerned about their security? If you have 2 brain cells to rub together then you know the back end of OS X is BSD. Learn to lock down a BSD box and you don’t have to worry if the OS X specific security features work.

  4. Apple

    @dan
    And you are of course a security expert? Maybe you shouldn’t stick your head in the sand, and actually face the truth about Macs’ poor security instead.

  5. Paul McCann

    Hi, I wish to say that having been a Microsoft user with all its problems and now going over to Apple products, it’s like night and day. Microsoft does need antivirus products; Apple does not. Apple just works right out of the box. Have you ever heard this “plug and pray”? That doesn’t apply to Apple either, and I could get a war and I could go on, but I think you get what I am saying. So here is a question for you: what would you use, Microsoft or Apple?

  6. FLOSSuser

    @Paul McCann –
    Linux.

    The kernel is in the middle of a MASSIVE security overhaul, which will leave even an Android phone locked up like Fort Knox compared to your iMac.

    There is no “plug and pray”. Driver support for what’s out there for hardware is better than what you get from a Mac. If I have problems, I can fix them myself.

  7. TED

    I love how fanboys bash the malware researchers and corporate pentesters (grayhats), saying they are clueless on a statement or a way to hack OS X, when really there are probably 30 other ways to do the exact same thing from another vul or another process if you spend the time. BSD smee-SD, it is its base, but that means nothing when everything on top of it is Swiss cheese. We are talking OS X has its BSD frame, but OS X is a Ford truck made out of Swiss cheese in a 3-day rain storm. The frame is going to get rusty!
