from the a-hack-a-day-keeps-the-apple-away dept.
New security features such as Gatekeeper and XProtect are simple to bypass and gaining persistence on a Mac isn't much of a challenge:
Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosiing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial.
"Gatekeeper doesn't verify an extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper," Wardle said in a talk at the RSA Conference [in San Francisco] Thursday. "It only verifies the app bundle."
Backing up Gatekeeper is XProtect, Apple's anti-malware system for OS X. Malware isn't a massive problem for OSX, but there definitely are some well-known families out there, with more being created all the time, Wardle said. Getting past XProtect turns out to be just as simple as bypassing Gatekeeper. Wardle found that by simply recompiling a known piece of OS X malware, which changes the hash, he could get the malware past XProtect and execute it on the machine. Even simpler, he could just change the name of the malware, which also lets it sneak in under the fence.
More coverage, including pretty graphics, on ZDNet.
(Score: -1, Flamebait) by Anonymous Coward on Saturday April 25 2015, @01:06PM
At least OS X boots up to a usable state. That's more than I can say for the various systemd-infected Linux distros I've used recently.
(Score: -1, Troll) by Anonymous Coward on Saturday April 25 2015, @01:23PM
you suck. that is all
(Score: 1, Flamebait) by Anonymous Coward on Saturday April 25 2015, @01:33PM
As noted open source theologian Eric S. Raymond stated, "given enough eyeballs, all bugs are shallow".
The eyeballs are all saying that systemd is a bug. That is, not only does it suffer from bugs, but its very existence is a bug.
Yet now that the bug has been identified, why is it not being fixed? Why is this bug not "shallow"?
The eyeballs have seen. The eyeballs have spoken. But the eyeballs are then ignored.
And this is why Linux is dying. Its reputation has been tainted by systemd, and it has become synonymous with a lack of quality.
OS X may have bugs. It may have security flaws. But the eyeballs don't see them as severe bugs, when Linux presents bugs that make all problems with OS X look completely minor by comparison.
(Score: 1, Insightful) by Anonymous Coward on Saturday April 25 2015, @02:53PM
As noted open source theologian Eric S. Raymond stated, "given enough eyeballs, all bugs are shallow".
As noted by many open source contributors, "given enough power, all devs are corrupted".
(Score: -1, Offtopic) by Anonymous Coward on Saturday April 25 2015, @01:39PM
Yeah, I put the men's size 12 shoe on my cock. And the shoe was too small. Now my cock hurts, and you're damn right I'm going to bitch and moan about it!
(Score: 0, Offtopic) by Anonymous Coward on Saturday April 25 2015, @02:00PM
One of the mods goofed up. That comment may not be direct, but it's on-topic. Somebody should fix that bad modding.
It's referring to a common saying within Silicon Valley these days. Putting a "size 12 shoe on a big cock" refers to doing something that doesn't make sense. In this case, it's the expectation that a system made for extreme usability should also be insanely secure.
Trade offs have to be made when designing any system. Security and usability often go head to head. If you want security, you're going to have to give up usability. If you want usability, you're going to have to give up some security. It's almost impossible, if not impossible, to get both at once.
That's where the "size 12 shoe on a big cock" saying comes in. Either the shoe is going to be too big and it will fall off of the penis, or the shoe will be too small and the penis will hurt. There is no middle ground. There are just trade offs.
Somebody should mod that comment up. It's very relevant, even if some people here aren't intelligent enough to understand it.
(Score: 0) by Anonymous Coward on Saturday April 25 2015, @03:06PM
Funny that this is modded offtopic too. Troll perhaps would be appropriate however because of this:
Just because someone is not so immersed in Silicon Valley brogrammer culture (yeah I said it, wadda you gonna do about it?) to know a specific crass slang does not denote unintelligence. If it were, everyone that isn't a brogrammer from the valley does not qualify as being intelligent; which is something very unintelligent to say.
(Score: 1, Insightful) by Anonymous Coward on Saturday April 25 2015, @03:20PM
OS X is a product of Silicon Valley culture. One can't understand OS X without understanding Silicon Valley culture, and the people that make up this culture. It's impossible to discuss OS X without having a proper understanding of Silicon Valley culture. Anyone who doesn't understand Silicon Valley culture probably should not be engaging in this discussion about OS X.
(Score: 0) by Anonymous Coward on Saturday April 25 2015, @08:30PM
Cars are a product of Detroit. One can't understand cars without understanding Detroit culture and the people that make up this culture. It is impossible to discuss cars without having a proper understanding of Silicon Valley culture. Anyone who doesn't understand Detroit culture probably should not be engaged in discussions about cars.
Windows is a product of Redmond. One can't understand Windows without understanding Redmond culture...
English is a product of England. One can't understand English without understanding English culture...
Apples are a product of central Asia. One can't understand apples without...
Humans are a product of sub-Saharan Africa. One can't understand humans without...
(Score: 0) by Anonymous Coward on Sunday April 26 2015, @02:03AM
You're right, it's impossible to talk about American automobiles without having an understanding of Detroit, its culture, and how it defined Americana for several decades. The American automobile was a cultural reflection of Detroit; a city of immense industrial capability. Ford's vehicles, for example, were a reflection of the culture of the city. Unless you know the city, its history, its people and its culture, you miss out on a full understanding of just what American automobiles really are.
(Score: 0) by Anonymous Coward on Sunday April 26 2015, @04:50PM
That clueless and uneducated in logic eh?
(Score: 1, Redundant) by BK on Saturday April 25 2015, @02:23PM
Nt
...but you HAVE heard of me.
(Score: 0) by Anonymous Coward on Saturday April 25 2015, @03:22PM
Yes, Windows NT did just work. What's your point?
(Score: -1, Offtopic) by Anonymous Coward on Saturday April 25 2015, @03:16PM
As I write this, there are 7 comments posted to this story.
Five of them (that's over 70%!) have been modded down with ratings like:
As I read the comments, it became obvious that they were not as described by the rating. They were not trolling, and they were not off topic.
The "Disagree" mod makes little sense. It's not even a rating of the comment itself. It just expresses the opinion of one person: the mod. Even if thousands of people agree with a comment, but just one person (a mod) disagrees, then the comment is mislabeled.
The moderation here isn't helping highlight good comments. It's just suppressing good discussion. That's why I consider downmodding to be more harmful than it is good.
I think that downmodding needs to go. It clearly isn't helping, and just stifles discussion. If there's one thing a young site like this doesn't need, it's stifled discussion to retard its growth.
(Score: 2, Insightful) by t-3 on Saturday April 25 2015, @04:27PM
All of these comments are troll threads with nothing new and little worth reading. The mods match the quality.
(Score: 5, Insightful) by Tork on Saturday April 25 2015, @04:56PM
🏳️🌈 Proud Ally 🏳️🌈
(Score: 1, Informative) by Anonymous Coward on Saturday April 25 2015, @09:04PM
Systemd seems relevant in this case. The topic is OS security. Comparing Mac OS X to Linux is relevant.
(Score: 3, Informative) by Tork on Saturday April 25 2015, @09:11PM
🏳️🌈 Proud Ally 🏳️🌈
(Score: 3, Informative) by Aichon on Saturday April 25 2015, @06:48PM
The Gatekeeper "attack" isn't a new vector for getting around Gatekeeper. It was done that way by design so that trusted apps could load new resources more easily. What he seems to be suggesting is that you can create a trusted app that acts in an untrustworthy manner by pulling down malware, but in a case like that, Apple will simply revoke your trusted status, resulting in the app going dead on all Internet-connected Macs with default Gatekeeper settings. Gatekeeper would be functioning as designed. What would have been a noteworthy attack would be if he had provided a method for loading external content into arbitrary trusted apps that were not his own, but as it is right now, he'd have to do this on a case-by-case basis with attacks on specific apps, and even then, once the attack was discovered, either the developer would patch the hole or Apple would revoke the developer's trusted status until this was all sorted out.
[For those not familiar with Gatekeeper, it's a security feature that controls which apps can be run, and has three settings:
1) "Allow apps downloaded from Mac App Store" (i.e. completely locked down)
2) "Allow apps downloaded from Mac App Store and identified developers" (i.e. signed apps from registered Apple developers)
3) "Allow apps downloaded from anywhere" (i.e. the way it used to be and the way it still is with most other OSes)
I believe that #2 is the default (which is good, since there are entire classes of apps disallowed in the Mac App Store due to its restrictions on certain functions), and it works surprisingly well in practice. Despite grabbing a lot of indie software, I think I've only run into an unsigned Mac app once since Gatekeeper launched.]
Likewise, the XProtect "attack" isn't new information. Yes, it's trivial to change a hash to circumvent XProtect. What's less trivial is to get distribution of your updated malware. You can't just post a link after all. You usually have to package it in with a torrent for pirated software, but it can take weeks or months for a torrent of Mac software to have any sort of meaningful number of downloads, whereas Apple silently pushes out XProtect updates to every single user overnight. XProtect was never designed to provide 100% protection—particularly for those engaging in risky behavior—by recognizing new variations on-the-fly. Rather, Apple is going for the lower-hanging fruit of protecting everyday users from the vast majority of attacks. Towards that end, XProtect continues to work just fine, since as soon as the malware with updated hashes starts to get out there, Apple notices and pushes out a new signature. There was a malware developer a few years back who pushed out updated hashes every few days for several weeks, and he eventually gave up since Apple was catching all of the new hashes in less than 24 hours, meaning that it never had a chance to spread beyond users engaging in the riskiest sorts of behaviors.
(Score: 1) by Farkus888 on Saturday April 25 2015, @08:20PM
I didn't take this to be that overblown. Just an informative layout of how apple is currently trying to protect macs and the shortcomings of those systems. Since I'm not an apple user but I am interested in security this was an interesting read for me.
Out of curiosity android has a similar system to gatekeeper. If I set it to allow anything and install some untrusted software, then return it to allowing only trusted software my new app will stay. Does gatekeeper work the same or will it attempt to remove the untrusted software when I return it to a stricter setting?
(Score: 2) by Aichon on Saturday April 25 2015, @08:26PM
I believe it works the same way, but don't quote me on that.
(Score: 3, Funny) by wantkitteh on Sunday April 26 2015, @08:35AM
"Mac OS X has crap security because individual programs can be exploited."
No shit, Sherlock!