Modern field guide to security and privacy

Apple's malware-blocking Gatekeeper still plagued with weaknesses

Even though security research previously revealed the Gatekeeper program contained flaws, Apple still hasn't released a patch to fully protect Mac users from malicious software attacks.

|
Robert Galbraith/Reuters

Over the summer, security researcher Patrick Wardle notified Apple of vulnerabilities in a critical Mac antimalware program called Gatekeeper. Soon thereafter, the press wrote about the problem and Apple released a patch. Mr. Wardle thought that was the end of the story.

Then, in December, as Mr. Wardle worked up a presentation about the Gatekeeper flaw for a security conference, he noticed something was amiss with Apple's fix.

"Their patch was horrible," said Mr. Wardle, director of research at Synack, a cybersecurity firm. Gatekeeper was still susceptible to attack. 

Technically, the Gatekeeper flaw isn't a bug. The program still does exactly what it's meant to do – authenticate programs that Apple users download from the Internet. But Web apps often come with unsigned, third-party libraries and extensions, such as Photoshop plugins or certain browser components. Gatekeeper was not built to check those for authenticity. Attackers could – and still can – hide malware in those third-party inclusions.

When Apple patched Wardle's discovery, the update did not stop authentic programs from unintentionally installing malware through the third-party libraries or extensions. Instead, the patch blacklisted the specific examples of Gatekeeper-dodging malware that Wardle had used to prove his concept.

"I told them from day one the issue was that Gatekeeper was not verifying third-party extensions and here are one or two applications I could abuse, even though I'm sure I could find other examples," he said.

Wardle worries that fixing what amounts to a symptom rather than the actual problem could unleash a host of new Mac attacks.

"If I'm a Mac hacker, and Apple has a history of not fully patching issues, I'm going to wait until they send out a patch and reverse engineer how to get around it," he said.

Wardle will present his latest findings at ShmooCon, a security conference this weekend in Washington, alongside his own working patch, available on his website. He cautions that his patch is an unofficial product meant more as a demonstration than an official solution – users should download at their own risk.

Apple declined to comment for this story. Wardle says Apple told him that a more comprehensive fix was in the works. More immediately, Apple has already blacklisted the examples Wardle mentions in his upcoming talk.

Though Wardle remains a dedicated Mac user, he would very much like to see the issue finally be resolved.

He joked, "I love my Apple products. But I travel internationally, and I’m sure hackers would like to steal the bugs I’m working on. Apple doesn’t pay outside researchers to report bugs, so this is almost entirely about protecting my own work."

 

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Apple's malware-blocking Gatekeeper still plagued with weaknesses
Read this article in
https://www.csmonitor.com/World/Passcode/2016/0115/Apple-s-malware-blocking-Gatekeeper-still-plagued-with-weaknesses
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe