Bypassing OS X Security Tools is Trivial, Researcher Says

apple id phishing

SAN FRANCISCO–For years, Apple has enjoyed a pretty good reputation among users for the security of its products. That halo has been enhanced by the addition of new security features such as Gatekeeper and XProtect to OS X recently, but one researcher said that all of those protections are simple to bypass and gaining persistence on a Mac as an attacker isn’t much of a challenge at all.

Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosiing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial.

“Gatekeeper doesn’t verify an extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper,” Wardle said in a talk at the RSA Conference here Thursday. “It only verifies the app bundle.”

Backing up Gatekeeper is XProtect, Apple’s anti-malware system for OS X. Malware isn’t a massive problem for OSX, but there definitely are some well-known families out there, with more being created all the time, Wardle said. Getting past XProtect turns out to be just as simple as bypassing Gatekeeper. Wardle found that by simply recompiling a known piece of OS X malware, which changes the hash, he could get the malware past XProtect and execute it on the machine. Even simpler, he could just change the name of the malware, which also lets it sneak in under the fence.

“It’s trivial to bypass XProtect,” he said.

OS X also now includes a sandbox, which Wardle said is well-designed, but there are a number of known kernel-level OS X vulnerabilities that can bypass the sandbox, as well. Google’s Project Zero has discovered and published several such bugs, and Wardle said using any one of them gets him the ability to bypass the sandbox.

“While the core sandbox technology is strong, there are plenty of bugs that can bypass it,” he said.

One of the other key security technologies in OS X is the use of code signing. However, it’s not much of a task to get around that requirement, Wardle said.

“The code signing just checks for a signature and if it’s not there, it doesn’t do anything and lets the app run,” he said. “I can unsign a signed app and the loader has no way to stop it from running.”

Starting with OSX Mavericks, all of the code that runs in the kernel has to be signed. But the mechanism that checks for the signature is flawed, too, Wardle said.

“The check for this runs in user mode, which is a huge security fail because the attacker would be in user mode.” he said. “He could just modify a kernel extension or load unsigned ones.”

On the whole, the security tools in OS X don’t present much of a challenge for attackers right now, Wardle said.

“If Macs were totally secure, I wouldn’t be here talking,” Wardle said. “It’s trivial for any attacker to bypass the security tools on Macs.”

Suggested articles