Researcher Bypasses Apple's Updated Malware Protection in '5 Minutes'

Apple's Mac computers have long been considered safer than their Windows-powered counterparts—so much so that the common belief for a long time was that they couldn't get viruses or malware. Even Apple adopted that cliche for marketing purposes.

The reality, however, is slightly different. Trojans have targeted Mac computers for years, and things don't seem to be improving. In fact, cybercriminals created more malware targeting Macs in 2015 than in the past five years combined, according to one study. Since 2012, Apple has tried to protect users with Gatekeeper, a feature designed to block common threats such as fake antivirus products, infected torrent files, and fake Flash installers—all malicious software that Mac users might download while regularly browsing the internet.

But it looks like Gatekeeper's walls aren't as strong as they should be. Patrick Wardle, a security researcher who works for the security firm Synack, has been poking holes in Gatekeeper for months. In fact, Wardle is still finding ways to bypass Gatekeeper, even after Apple issued patches for two of the vulnerabilities he found last year.

As it is designed now, Gatekeeper checks apps downloaded from the internet to see if they are digitally signed by either Apple or a developer recognized by Apple. If so, Gatekeeper lets the app run on the machine. If not, Gatekeeper prevents the user from installing and executing the app.

In September, Wardle showed how it was possible to piggyback on a legitimate app signed by Apple to trick a Mac to run another malicious application or binary—with no valid signature—wrapped inside the legitimate one, effectively bypassing Gatekeeper. Wardle also argued that this technique could be used by a hacker with control over the network (for example, a coffee shop's insecure wireless router) to insert malicious code into an app that's downloaded over an unencrypted connection.

In essence, Wardle realized that Gatekeeper only checks the initial app that gets executed, but not all the code inside the app that might get executed later. Apple released a patch for this vulnerability, but now, Wardle says he has found an easy way to get around the fix as well.

"[The] patch they released was incredibly weak," Wardle told Motherboard. "It literally took me five minutes to completely bypass."

Wardle says that all Apple did was blacklist the signed apps he was abusing, but didn't fix the underlying issue, which is that, essentially, Gatekeeper functions as a guard that doesn't check "those who have already had their hands stamped," as one Mac security expert put it.

"They mitigated my specific attack, but it's trivial, trivial to bypass," Wardle, who will present his findings at the Shmoocon security conference in Washington D.C. on Sunday, said in a phone interview. "Releasing a patch that doesn't really address the issue is not a good idea."

Apple, which has been in touch with Wardle and is working on ways to improve Gatekeeper, is going to release another fix for his newest research. An Apple spokesperson declined to comment.

Jonathan Zdziarski, a forensic expert and iOS researcher, said that Wardle's research is "solid" and that Apple should improve Gatekeeper. "If Gatekeeper is going to be a gatekeeper, it ought to be checking any binaries invoked by the application," he told Motherboard in an email.

Pedro Vilaça, a researcher who's studied the Mac operating system and works at the security firm SentinelOne, said that Gatekeeper is "not a silver bullet to kill all the problems with downloads from the internet," but it "can be effective, when Apple fixes those bypasses."

In the meantime, Wardle suggests Mac users only download applications from the Mac store where possible, and otherwise be careful what they download from the internet. If you have to download an app from outside the Mac store, he said, make sure it's served over an encrypted connection (meaning the file is served over the HTTPS, a standard that's becoming increasingly important). At the very least, it will prevent an attacker from inserting malicious code inside a legitimate app on its way to your computer.

Wardle also released a complementary tool for Gatekeeper on Friday, a free tool called Ostiarius that will scan not just the initial binary, but all the processes that an app invokes. The tool will then block any process that's not signed, even if it's inside a signed application.

"This is what Gatekeeper was designed to do," Wardle said.

This article has been corrected. An earlier version said Pedro Vilaça was an independent researcher, but he is now working for SentinelOne. The article has also been updated with a link to Wardle's tool Ostiarius.