HackDig : Dig high-quality web security articles for hacker

The Apple Gatekeeper bypassed once again by a researcher

2016-01-16 17:10

Once again, the security expert Patrick Wardle has demonstrated how to bypass the Apple Gatekeeper security feature.

Once again, a security expert demonstrated how to bypass OS X’s Gatekeeper security feature, and the worst news is that the patch distributed by Apple fixes the problem only temporarily.

Apple tried to mitigate the attack method (CVE-2015-7024) with the release of a new OS version, the OS X El Capitan 10.11.1.

The Apple Gatekeeper is designed to protect OS X users by performing a number of checks before allowing an App to run. In fact, you will not be able to execute code that wasn’t signed by an Apple developer, you will not be able to run apps that weren’t downloaded from Apple’s store if the device is not jailbreaked of course.

Last year Patrick Wardle, director of research at Synack, first demonstrated how to bypass the Apple Gatekeeper with a method called Apple dylib hijacking, and later he presented a second method at Black Hat USA that relies on the fact that Gatekeeper only implements static checks of the app bundles.

Wardle explained that an attacker can use a malware that remain silent during the Apple Gatekeeper checks, then it activates the malicious code.

The GateKeeper bypass is a three-step process composed of the following phases:

  1. The attacker identifies a signed application that loads and executes an external binary at runtime.
  2. The attacker creates a .dmg file in includes the malicious file.
  3. The attacker delivers the malicious .dmg file to users by injecting it into insecure download connections or by spreading it using third-party app stores.

Apple gatekeeper bypass

The OS X El Capitan 10.11.1. doesn’t completely fix the issue because its behavior simply consists in blocking the signed applications abused by Wardle in his demo, but the expert in December has found another binary trusted by Apple that allowed him to bypass Gatekeeper.

The principal problem is that the Apple Gatekeeper will be bypassed again if attackers in the wild will identify another signed app that loads and executes an external library at runtime.

Pierluigi Paganini

(Security Affairs – Apple Gatekeeper, hacking)

The post The Apple Gatekeeper bypassed once again by a researcher appeared first on Security Affairs.


Source: lmth.repeeketag-elppa-ssapyb/gnikcah/23634/sserpdrow/oc.sriaffaytiruces

Read:627 | Comments:0 | Tags:Breaking News Hacking Apple Apple Gatekeeper malware

“The Apple Gatekeeper bypassed once again by a researcher”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud