The Apple Gatekeeper bypassed once again by a researcher

Pierluigi Paganini January 16, 2016

Once again, the security expert Patrick Wardle has demonstrated how to bypass the Apple Gatekeeper security feature.

Once again, a security expert demonstrated how to bypass OS X’s Gatekeeper security feature, and the worst news is that the patch distributed by Apple fixes the problem only temporarily.

Apple tried to mitigate the attack method (CVE-2015-7024) with the release of a new OS version, the OS X El Capitan 10.11.1.

The Apple Gatekeeper is designed to protect OS X users by performing a number of checks before allowing an App to run. In fact, you will not be able to execute code that wasn’t signed by an Apple developer, you will not be able to run apps that weren’t downloaded from Apple’s store if the device is not jailbreaked of course.

Last year Patrick Wardle, director of research at Synack, first demonstrated how to bypass the Apple Gatekeeper with a method called Apple dylib hijacking, and later he presented a second method at Black Hat USA that relies on the fact that Gatekeeper only implements static checks of the app bundles.

Wardle explained that an attacker can use a malware that remain silent during the Apple Gatekeeper checks, then it activates the malicious code.

The GateKeeper bypass is a three-step process composed of the following phases:

  1. The attacker identifies a signed application that loads and executes an external binary at runtime.
  2. The attacker creates a .dmg file in includes the malicious file.
  3. The attacker delivers the malicious .dmg file to users by injecting it into insecure download connections or by spreading it using third-party app stores.

Apple gatekeeper bypass

The OS X El Capitan 10.11.1. doesn’t completely fix the issue because its behavior simply consists in blocking the signed applications abused by Wardle in his demo, but the expert in December has found another binary trusted by Apple that allowed him to bypass Gatekeeper.

The principal problem is that the Apple Gatekeeper will be bypassed again if attackers in the wild will identify another signed app that loads and executes an external library at runtime.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Apple Gatekeeper, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]

you might also like

leave a comment