“Even on a fully-patched OS X 10.11.2 system, Gatekeeper is trivial to bypass,” wrote Parick Wardle, who first revealed the flaw, in a blog post demonstrating that it is very much still there. A video shows a man-in-the-middle attack, injecting malware into an unencrypted download of Kaspersky Internet Security for Mac. The malware installed alongside the security software.
Gatekeeper is an OS X security feature that, by default, blocks all applications but those downloaded from the Mac App Store, or (optionally) apps from “identified developers.” The idea here is to block malware on Macs: only software developers Apple has approved can get software running on the platform.
But Wardle found a workaround last year. To simplify, an authorized program — such as Kasperskey — is modified to launch a bit of malware when opened. If that malware happens to be in the same folder as the authorized app, it will launch.
Apple seemingly patched the problem in December, but when Wardle reverse-engineered the patch he found it wasn’t comprehensive. Apple had blacklisted the tools Wardle used to bypass Gatekeeper, but hadn’t solved the underlying issue — meaning would-be malware makers needed only to find new tools.
Wardle has been in touch with Apple’s security team, Engadget reports, and says a comprehensive fix is on the way.
And Wardle is working on a fix of his own. “I’ll be releasing a personal tool that can generically thwart such attacks, protecting OS X users,” he wrote in his blog post.
Until one or both of these fixes come online, users can stay safe by sticking only to downloading apps from the Mac App Store or trusted sites that are using HTTPS encryption. That’s probably a good idea even after this problem is patched.
