
PSA: Apple hasn’t fixed the Gatekeeper vulnerability, only blocked specific apps using it


The security researcher who identified a serious flaw in Apple’s Gatekeeper reports that the vulnerability remains despite two security patches applied by the company. Each, he says, only blocks the specific apps he used to demonstrate the method.

Gatekeeper in theory allows users to ensure that their Mac will only run apps downloaded from the Mac App Store – or alternatively, signed by a known developer if you opt for a lower level of protection. But Patrick Wardle last September found a major vulnerability in this protection which would allow any malicious app to be run no matter what Gatekeeper setting was chosen.

Wardle informed Apple, which issued a security patch in response, but Wardle has now reverse-engineered the patch and found that it provides only extremely limited protection …

Engadget reports that Apple simply blocked the specific apps Wardle had used as proof of concept. He was able to work around this by using a new set of apps, and Apple again responded only by blocking those specific apps. The Apple team has, however, assured him that it is working on a more comprehensive fix.

The only way to protect against the vulnerability for now is to ensure that a Mac has only ever downloaded apps from the Mac App Store or from trusted developers that provide downloads over an HTTPS link.


Comments

  1. Great job Apple!

    • Lawrence Krupp - 8 years ago

      Yeah, fixing software faults properly so the fix isn’t worse than the bug is sooooo simple isn’t it. Any 10 year old could do it, right? Apple should have fixed this the day after they were alerted, right? You just snap your fingers and poof!, it’s fixed. Or maybe Apple engineers are just incompetent. Or maybe Apple knows that a fix for this vulnerability is very complex and continues to work on it.

      I’m thinking your sarcasm is misplaced at best and uninformed.

      • In your haste to defend Apple, you miss the most critical point. The fix Apple issued wasn’t a fix. Simply blacklisting the apps provided by the researcher and calling it a fix is, at best, lazy and at its worst, irresponsible. Whether it’s a complex problem or not, you don’t tell your customers you issued a fix(es) when you know all you did is put a bandage on the problem. One malicious a-hole is all it takes to make the problem worse than it should have been.

        So what’s the solution in your mind? Are we to depend on the researcher to keep finding apps that breach Gatekeeper and Apple adds them to the blacklist one by one? /s

      • linux-modder - 8 years ago

        @lawrence, A slower more tested fix while possibly extending the attack vector vuln window is MUCH MUCH better than a quick shoddy fix that like @dee stated makes an astute malicious actor that much more dangerous in such a scenario.

  2. linux-modder - 8 years ago

    Anyone have Wardle’s contact info — Patrick, if you happen to follow this thread please contact me regarding this. I seem to have a similar vuln and possibly not just Macs…. GPG is fine, keys on MIT and elsewhere.

  3. William - 8 years ago

    Worth noting this sentence in the Engadget story: “Wardle says the team has reiterated that they are working on a more comprehensive fix.”

  4. As I understand it, the vulnerability is due to the fact that Gatekeeper only checks apps when they run for the first time. Gatekeeper is not checking the signature of the app every time it launches (it appears Gatekeeper is only checking its own whitelist of approved apps based on file name). As a result, the app can be modified and continue to be allowed if the file name never changes. In this regard, Gatekeeper is working as designed (albeit poorly designed). Here’s hoping they redesign Gatekeeper.

  5. littlebokchoy - 8 years ago

    At some point people have to take responsibility for what they run on their computers — you can’t really make them idiot proof.

    • mahmudf2014 - 8 years ago

      If you want to take the responsibility for everything you do on your computer, get a PC and problem solved, but we are talking about Mac and OS X here. The reason why I use Mac is to be safe, and because I trust my Mac, I can open any file without getting worried. So if they keep making those mistakes, I will not trust my Mac either. And that could lead me to switch to PC.

      • SKR Imaging - 8 years ago

        Threatening to switch to PC is not a sound measure. You should use a Mac if you like what it has to deliver. In a sense, if both environments (Mac and PC) have the same malicious software potential, I personally would stay with Mac. I have tried using Windows 10 recently with Bootcamp and have made my choice to stick with the OS X system… nothing compels me to switch to the Windows OS.

  6. Louis Veillette - 8 years ago

    Wow! Impressive. So say a car has a problem, it’s like the automaker not recalling and/or fixing the problem, but simply preventing drivers from using specific roads where the problem has been reported. It’s no fix at all, just dumbing down an application.

    • varera (@real_varera) - 8 years ago

      You probably do not understand the fix in full. It was an issue that a malicious app accepted to the App Store could then evade the protection and run a secondary malware binary.

      Apple is blocking such applications in the App Store. That is exactly what has to be done.

  7. varera (@real_varera) - 8 years ago

    What did you expect? It is obvious Apple wants to have users contained in the App Store only. Hence the settings in Gatekeeper. They will check and kill any application that is trying to use the trick, if this app is committed to the App Store.

    Changing enforcement requires different techniques and a much bigger development effort. It may also backfire for any app that is complex and may reconfigure itself after an update, installation of additional tools, etc.

    Apple is doing what is logical and simple here: if you want to be safe, use the App Store only. There will be no malicious app in the App Store trying to evade protection. End of story.

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

