Gatekeeper is supposed to stop any application which has not received official clearance from Cappuccino from invading the sacred walled garden of rounded-rectangle perfection.
It has also been a favourite target of researchers and advanced attackers desperate to gain control of Apple devices, who just love seeing the smugness vanish from Apple fanboys' faces when they realise that their faith in the ghost of Steve Jobs to protect them from all malware is a medieval-style delusion.
Patrick Wardle, director of research at Synack, will demonstrate a Gatekeeper bypass he’s been working on. Wardle has told Apple, which is reportedly working on a short-term mitigation until a full patch can be pushed out to users.
The problem is that fully addressing the design weakness Wardle's bypass exploits could require some re-architecting of the operating system. Gatekeeper carries out checks on apps before it allows one to execute on an Apple machine.
It will not allow code to execute unless it is signed with an Apple developer certificate or downloaded from the App Store. But it does not check whether an app, once approved, runs or loads other apps or dynamic libraries from the same or a relative directory.
Gatekeeper signs off only on that first static check and thereafter trusts the application to be secure and well behaved. This means an attacker could trick the user into downloading a signed, infected app from a third-party source to gain a foothold on the machine.
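As an added example (not from the article and not Wardle's own tooling), here is a small Python checker that parses the load commands of a 64-bit Mach-O and lists the dylib loads and rpath entries that resolve relative to the binary's own location, which is exactly the kind of dependency Gatekeeper's one-time check never looks at. The Mach-O it inspects is constructed inline so the script runs offline; on a real system you would feed it the files inside the downloaded app bundle.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0000000C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_RPATH = 0x8000001C
# Loader-relative prefixes: resolved against the binary's own directory at load time.
RELATIVE_PREFIXES = ("@executable_path", "@loader_path", "@rpath")


def parse_load_commands(data):
    """Yield (cmd, raw_payload) for each load command of a little-endian 64-bit Mach-O."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    off = 32  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize


def find_relative_loads(data):
    """Return dylib paths and rpaths that are not absolute, i.e. resolved relative to the binary."""
    findings = []
    for cmd, payload in parse_load_commands(data):
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH):
            # Both dylib_command and rpath_command keep the string offset at byte 8.
            name_off = struct.unpack_from("<I", payload, 8)[0]
            name = payload[name_off:].split(b"\0", 1)[0].decode()
            if name.startswith(RELATIVE_PREFIXES) or not name.startswith("/"):
                findings.append(name)
    return findings


def _lc_with_string(cmd, text):
    """Build one dylib_command or rpath_command carrying a string (constructed test data)."""
    body = text.encode() + b"\0"
    hdr = 12 if cmd == LC_RPATH else 24
    size = hdr + len(body) + (-(hdr + len(body))) % 8  # load commands are 8-byte aligned
    fixed = struct.pack("<3I", cmd, size, 12) if cmd == LC_RPATH else struct.pack("<6I", cmd, size, 24, 0, 0, 0)
    return fixed + body.ljust(size - hdr, b"\0")


def build_sample_macho(dylibs, rpaths):
    """Assemble a header-only arm64 MH_EXECUTE image with the given load commands (constructed)."""
    cmds = b"".join(_lc_with_string(LC_LOAD_DYLIB, d) for d in dylibs)
    cmds += b"".join(_lc_with_string(LC_RPATH, r) for r in rpaths)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs) + len(rpaths), len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    sample = build_sample_macho(
        ["/usr/lib/libSystem.B.dylib", "@executable_path/../Frameworks/libplugin.dylib"],
        ["@loader_path/../lib"])
    for path in find_relative_loads(sample):
        print("relative load, not covered by the Gatekeeper check:", path)
```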
Wardle found signed Apple binaries that he used to craft his attack, which could take the form, for example, of a DMG file (an Apple disk image) that he tricks the user into downloading.
Wardle said his method affects all versions, including El Capitan. He said that Gatekeeper was not a stumbling block. It is not really a bug but a limitation of Gatekeeper, and fixing it requires significant code changes.