
posted by CoolHand on Saturday April 25 2015, @11:33AM
from the a-hack-a-day-keeps-the-apple-away dept.

New security features such as Gatekeeper and XProtect are simple to bypass and gaining persistence on a Mac isn't much of a challenge:

Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial.

"Gatekeeper doesn't verify any extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper," Wardle said in a talk at the RSA Conference [in San Francisco] Thursday. "It only verifies the app bundle."

Backing up Gatekeeper is XProtect, Apple's anti-malware system for OS X. Malware isn't a massive problem for OS X, but there definitely are some well-known families out there, with more being created all the time, Wardle said. Getting past XProtect turns out to be just as simple as bypassing Gatekeeper. Wardle found that by simply recompiling a known piece of OS X malware, which changes the hash, he could get the malware past XProtect and execute it on the machine. Even simpler, he could just change the name of the malware, which also lets it sneak in under the fence.

More coverage, including pretty graphics, on ZDNet.
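As an added illustration (not from the article or from Wardle's talk), here is a small Python model of the exact-hash and exact-name matching the summary attributes to XProtect, run against constructed byte strings; it shows which evasion each signature kind misses and why a rule keyed on stable content does not. The signature kinds, sample bytes and file names are assumptions made for the demonstration.

```python
import hashlib

# Constructed stand-in samples (not real malware): a few bytes representing two known binaries.
SAMPLE_A = b"\xcf\xfa\xed\xfe" + b"beacon host=c2.example" + b"\x00" * 8
SAMPLE_B = b"\xcf\xfa\xed\xfe" + b"beacon host=c2.example" + b"\x00" * 9

# Assumed, simplified model of the two signature kinds the article describes XProtect using:
# one entry keyed on an exact SHA-1, one keyed on the file name the malware ships under.
SIGNATURES = [
    {"kind": "sha1", "value": hashlib.sha1(SAMPLE_A).hexdigest()},
    {"kind": "name", "value": "FlashUpdate.pkg"},  # constructed file name
]

# A content rule keyed on a byte pattern that survives a rebuild or a rename (YARA-style idea).
CONTENT_RULES = [b"beacon host=c2.example"]


def xprotect_like(name, data):
    """Flag only on an exact hash or exact file-name match, as the article characterises XProtect."""
    digest = hashlib.sha1(data).hexdigest()
    return any(
        (s["kind"] == "sha1" and s["value"] == digest)
        or (s["kind"] == "name" and s["value"] == name)
        for s in SIGNATURES
    )


def content_rule(data):
    """Flag on a stable byte pattern regardless of hash or name."""
    return any(pattern in data for pattern in CONTENT_RULES)


def recompile_like(data):
    """Mimic 'recompiling': identical behaviour, one padding byte differs, so the hash changes."""
    return data[:-1] + b"\x01"


def evaluate():
    """Return {case: (hash/name detector hit, content detector hit)} for the evasions named above."""
    cases = {
        "A as shipped": ("AnyName.app", SAMPLE_A),
        "A recompiled": ("AnyName.app", recompile_like(SAMPLE_A)),
        "B as shipped": ("FlashUpdate.pkg", SAMPLE_B),
        "B renamed": ("Update.pkg", SAMPLE_B),
    }
    return {case: (xprotect_like(n, d), content_rule(d)) for case, (n, d) in cases.items()}


if __name__ == "__main__":
    for case, (by_hash_or_name, by_content) in evaluate().items():
        print(f"{case:14s} hash/name={by_hash_or_name!s:5s} content={by_content}")
```

The hash entry misses the recompiled copy and the name entry misses the renamed copy, which is the gap Apple closes by pushing a new signature, while the content rule catches all four cases.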

  • (Score: 3, Informative) by Aichon (5059) on Saturday April 25 2015, @06:48PM (#175121)

    The Gatekeeper "attack" isn't a new vector for getting around Gatekeeper. It was done that way by design so that trusted apps could load new resources more easily. What he seems to be suggesting is that you can create a trusted app that acts in an untrustworthy manner by pulling down malware, but in a case like that, Apple will simply revoke your trusted status, resulting in the app going dead on all Internet-connected Macs with default Gatekeeper settings. Gatekeeper would be functioning as designed. What would have been a noteworthy attack would be if he had provided a method for loading external content into arbitrary trusted apps that were not his own, but as it is right now, he'd have to do this on a case-by-case basis with attacks on specific apps, and even then, once the attack was discovered, either the developer would patch the hole or Apple would revoke the developer's trusted status until this was all sorted out.

    [For those not familiar with Gatekeeper, it's a security feature that controls which apps can be run, and has three settings:
    1) "Allow apps downloaded from Mac App Store" (i.e. completely locked down)
    2) "Allow apps downloaded from Mac App Store and identified developers" (i.e. signed apps from registered Apple developers)
    3) "Allow apps downloaded from anywhere" (i.e. the way it used to be and the way it still is with most other OSes)

    I believe that #2 is the default (which is good, since there are entire classes of apps disallowed in the Mac App Store due to its restrictions on certain functions), and it works surprisingly well in practice. Despite grabbing a lot of indie software, I think I've only run into an unsigned Mac app once since Gatekeeper launched.]

    Likewise, the XProtect "attack" isn't new information. Yes, it's trivial to change a hash to circumvent XProtect. What's less trivial is to get distribution of your updated malware. You can't just post a link after all. You usually have to package it in with a torrent for pirated software, but it can take weeks or months for a torrent of Mac software to have any sort of meaningful number of downloads, whereas Apple silently pushes out XProtect updates to every single user overnight. XProtect was never designed to provide 100% protection—particularly for those engaging in risky behavior—by recognizing new variations on-the-fly. Rather, Apple is going for the lower-hanging fruit of protecting everyday users from the vast majority of attacks. Towards that end, XProtect continues to work just fine, since as soon as the malware with updated hashes starts to get out there, Apple notices and pushes out a new signature. There was a malware developer a few years back who pushed out updated hashes every few days for several weeks, and he eventually gave up since Apple was catching all of the new hashes in less than 24 hours, meaning that it never had a chance to spread beyond users engaging in the riskiest sorts of behaviors.

  • (Score: 1) by Farkus888 (5159) on Saturday April 25 2015, @08:20PM (#175149)

    I didn't take this to be that overblown. Just an informative layout of how Apple is currently trying to protect Macs and the shortcomings of those systems. Since I'm not an Apple user but I am interested in security, this was an interesting read for me.

    Out of curiosity, Android has a similar system to Gatekeeper. If I set it to allow anything and install some untrusted software, then return it to allowing only trusted software, my new app will stay. Does Gatekeeper work the same, or will it attempt to remove the untrusted software when I return it to a stricter setting?

    • (Score: 2) by Aichon (5059) on Saturday April 25 2015, @08:26PM (#175152)

      I believe it works the same way, but don't quote me on that.