Researcher Creates Fix for Gatekeeper Problems
Can you count on Gatekeeper, Apple's built-in check on downloaded software, to keep your Mac safe? The jury is still out on that question, but one researcher has at least done his part to close the gaps he found in it.
Last year, Patrick Wardle of the cybersecurity firm Synack discovered not one but two major security holes in Gatekeeper. He showed how either hole lets a piece of malware bypass Gatekeeper altogether and infect a Mac.
How Gatekeeper Works
To understand how Wardle was able to get past Gatekeeper, it helps to know how it works. Gatekeeper is not a malware scanner; it is a code-signing policy. When software downloaded from the web (macOS tags such files with a quarantine attribute) is launched for the first time, Gatekeeper checks its signature and places it in one of three categories. The first category is software downloaded from the Mac App Store. Because Apple reviews programs before they are posted there, Gatekeeper treats this category as trusted.
The second category is software downloaded from anywhere else on the internet and signed with a Developer ID certificate, which Apple issues as part of its $99-a-year developer program. Apple does not check or review this code at all. Instead, it retains the ability to revoke the Developer ID certificate at any time if the developer is caught doing something malicious, or if the certificate is stolen or otherwise compromised; once the certificate is revoked, Gatekeeper refuses to run newly downloaded apps signed with it. That gives Apple some control after the fact, as the recent KeRanger ransomware showed: after a third-party security company reported the malicious app, Apple revoked the certificate, which stopped it from running on any machines beyond those it had already reached, but did nothing for machines already infected.
Gatekeeper's third category covers programs that meet neither of the first two criteria: they are not available on the Mac App Store and are not signed with a Developer ID certificate. By default, Gatekeeper blocks these programs as unsafe. (You can change Gatekeeper's setting to allow software from all three categories.)
How Gatekeeper Can Be Exploited
What Wardle did last year was trick Gatekeeper into letting malware through even when the security preferences were set to block software without a Developer ID certificate. Both bypasses rely on the same gap: Gatekeeper verifies the signature of the application the user launches, but not the unsigned files shipped alongside it in the same disk image. One exploit placed the malware in a code library that a legitimately signed app loaded at run time; the other bundled it with an installer package for software that did have a valid certificate. In both cases the malware ran without triggering Gatekeeper's block.
Wardle reported the vulnerabilities to Apple at the time, and the company patched them. But at a recent hacker conference in Washington D.C., Wardle said Apple's fixes were too narrow and easily circumvented: they blocked the specific signed binaries he had used rather than the underlying technique. Simply by picking a different signed application, he bundled another piece of malware with another program installer, this time for a popular antivirus product, and got past Gatekeeper again without issue.
The bottom line, according to Wardle and others at the conference, is that Gatekeeper on its own is not a reliable guard for your Mac. The silver lining is that Wardle has released a tool called Ostiarius that does what Gatekeeper was supposed to do: block unsigned binaries downloaded from the internet from executing at all, regardless of which signed application tries to launch them. The tool is available for download.
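To make the three categories and the bypass concrete, here is an added example in Python; it is not Apple's code or Wardle's. It models Gatekeeper's policy over a constructed, in-memory disk image (a Developer ID-signed installer next to an unsigned library) and parses sample `codesign -dv --verbose=4` output written for the example. The item names, the `revoked` flag and the Ostiarius-style `strict_allows` rule are assumptions for illustration, not a description of the real tools' internals.

```python
"""Added example (not Apple's or Wardle's code): a model of Gatekeeper's
three-tier signing policy and of the bundling gap described in the article.

Inputs are constructed in memory so the script runs on any OS. On a real Mac
the same information comes from:
    xattr -p com.apple.quarantine <file>      -> quarantine attribute
    codesign -dv --verbose=4 <file> 2>&1      -> Authority= chain
The `revoked` flag is an assumption: codesign reports a revoked certificate
as a verification error, which is not modelled here.
"""
from dataclasses import dataclass

# Authority strings as printed by `codesign -dv --verbose=4`.
APP_STORE_AUTHORITY = "Apple Mac OS Application Signing"
DEVELOPER_ID_PREFIX = "Developer ID Application:"
UNSIGNED_MARKER = "code object is not signed at all"

# The three choices under System Preferences > Security & Privacy > General.
POLICY = {
    "app-store": {"app-store"},
    "identified-developers": {"app-store", "developer-id"},   # the default
    "anywhere": {"app-store", "developer-id", "unsigned"},
}


def parse_codesign(output):
    """Return the Authority= chain from `codesign -dv --verbose=4` output,
    or [] when the object is unsigned."""
    if UNSIGNED_MARKER in output:
        return []
    return [line.split("=", 1)[1].strip()
            for line in output.splitlines() if line.startswith("Authority=")]


@dataclass
class Item:
    """One file inside a downloaded disk image (constructed sample data)."""
    path: str
    executable: bool
    quarantined: bool            # carries com.apple.quarantine
    codesign_output: str         # what `codesign -dv --verbose=4` printed
    revoked: bool = False        # assumption: certificate later revoked by Apple


def classify(item):
    """Map an item's signing chain onto Gatekeeper's three categories."""
    chain = parse_codesign(item.codesign_output)
    if item.revoked:
        return "unsigned"        # a revoked Developer ID is treated as if unsigned
    if APP_STORE_AUTHORITY in chain:
        return "app-store"
    if any(a.startswith(DEVELOPER_ID_PREFIX) for a in chain):
        return "developer-id"
    return "unsigned"


def gatekeeper_allows(items, launched, setting="identified-developers"):
    """Gatekeeper as the article describes it: only the application the user
    launches is assessed, and only if it carries the quarantine attribute."""
    app = next(i for i in items if i.path == launched)
    if not app.quarantined:
        return True              # never downloaded: Gatekeeper is not consulted
    return classify(app) in POLICY[setting]


def strict_allows(items, setting="identified-developers"):
    """Ostiarius-style rule (simplified; an assumption about its behaviour):
    every quarantined executable must satisfy the policy, not just the one
    the user double-clicked."""
    return all(classify(i) in POLICY[setting]
               for i in items if i.quarantined and i.executable)


# Constructed sample codesign output for a Developer ID-signed installer.
SIGNED_OUTPUT = """Executable=/Volumes/Installer/Installer.app/Contents/MacOS/Installer
Identifier=com.example.installer
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""
UNSIGNED_OUTPUT = "/Volumes/Installer/libpayload.dylib: code object is not signed at all\n"


def bypass_image():
    """Constructed disk image in the shape of Wardle's bypass: a legitimately
    signed app that loads an unsigned library shipped next to it."""
    return [
        Item("Installer.app", True, True, SIGNED_OUTPUT),
        Item("libpayload.dylib", True, True, UNSIGNED_OUTPUT),
    ]


if __name__ == "__main__":
    image = bypass_image()
    print("Gatekeeper (launch Installer.app):", gatekeeper_allows(image, "Installer.app"))
    print("Check every quarantined executable:", strict_allows(image))
```

Run as-is, the first line prints `True` and the second `False`: the signed installer passes Gatekeeper's per-application check, while a rule that assesses every quarantined executable in the image catches the unsigned library the installer will load. The same model shows why revoking a certificate only helps against new downloads: an item without the quarantine attribute is never assessed at all.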