For years, Apple has been telling the world, through its legions of tame journalists, that its security features such as Gatekeeper and XProtect to OS X protect Mac gear completely.
But Patrick Wardle, director of research at Synack said that all of those protections are simple to bypass and hacking a Mac isn’t much of a challenge at all.
Apple claims that Gatekeeper gives users the ability to restrict which applications can run on their machines by choosiing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine.
But Wardle said that Gatekeeper doesn’t verify an extra content in the apps. So if he can find an Apple-approved app and get it to load external content, it will bypass Gatekeeper. Gatekeeper only verifies the app bundle.
Apple’s anti-malware system for OS X still depends on people not writing much malware for the machines. Getting past XProtect turns out to be just as simple as bypassing Gatekeeper. Wardle found that by simply recompiling a known piece of OS X malware, which changes the hash, he could get the malware past XProtect and execute it on the machine. Just changing the name of the malware also lets it sneak in under the fence.
OS X also now includes a sandbox, which Wardle said is well-designed, but there are a number of known kernel-level OS X vulnerabilities that can bypass the sandbox. Using any one of them gets him the ability to bypass the sandbox.
One of the other key security technologies in OS X is code signing. However, it’s not much of a task to get around that requirement, because the code signing just checks for a signature and if it’s not there, it doesn’t do anything and lets the app run.
“I can unsign a signed app and the loader has no way to stop it from running.”
Starting with OSX Mavericks, all of the code that runs in the kernel has to be signed. But the mechanism that checks for the signature is flawed, too, Wardle said.
“The check for this runs in user mode, which is a huge security fail because the attacker would be in user mode.” he said. “He could just modify a kernel extension or load unsigned ones.”
On the whole, the security tools in OS X don’t present much of a challenge for attackers right now, Wardle said.