Five months after a security researcher found a hole in OS X’s Gatekeeper, he says he has managed to bypass it once again. The researcher added that Apple took a short-cut approach when issuing a patch last year.
Patrick Wardle, the director of research at Synack, who found a simple workaround to bypass Gatekeeper in September last year, said this week that Apple’s implementation is still not fully secure.
Apple’s Gatekeeper is a security mechanism intended to protect OS X users from malicious software. Gatekeeper ensures that the programs that runs on OS X are signed and verified. The feature, introduced in OS X Mountain Lion, restricts the sources from which a user can download and install applications.
In September, Wardle found that when an application looks for secondary content in the same installer package, the auxiliary content isn’t being verified by Gatekeeper. Apple had issued a patch to fix the security hole last year, but apparently that doesn’t fix the problem.
As per Wardle, Apple took a timesaving approach to fixing the aforementioned issue. The company, he added, only blacklisted a small number of known files that he had reported. He added that it took him just a few minutes to find a new Apple trusted file that hadn’t been blacklisted by the company.
“It literally took me five minutes to fully bypass it,” Wardle told Ars Technica. “So yes, it means that the immediate issue is mitigated and cannot be abused anymore. However the core issue is not fixed so if anybody finds another app that can be abused we are back to square one (full gatekeeper bypass).”
Wardle says he would like Apple to take a more sophisticated approach at fixing the security holes. He suggests that Gatekeeper should be able to monitor all the process executions.
An Apple representative told Ars Technica that the new issue reported by Wardle has been fixed and the company “continues to work on ways to make Gatekeeper more effective”. However, the existence of the vulnerability and moreover company’s inability to fix it in the first go speaks volume about the way Apple is handling the issue.