Apple Security Questioned As Researcher Finds Method To Bypass OS X Security
This week has not been a good week for Apple on the security front. After serious bugs in iOS and OS X were disclosed yesterday, a researcher by the name of Patrick Wardle, director of research at Synack, says that all of the protections in OS X are simple to bypass and that pwning a Mac as an attacker isn’t hard. Here’s the high-level overview, starting with Gatekeeper, a key security framework of OS X:
“Gatekeeper doesn’t verify any extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper,” Wardle said in a talk at the RSA Conference here Thursday. “It only verifies the app bundle.”
Lovely. But Gatekeeper is backed up by XProtect which protects a Mac from malware. That has to come to the rescue, right? Wrong:
Getting past XProtect turns out to be just as simple as bypassing Gatekeeper. Wardle found that by simply recompiling a known piece of OS X malware, which changes the hash, he could get the malware past XProtect and execute it on the machine. Even simpler, he could just change the name of the malware, which also lets it sneak in under the fence.
“It’s trivial to bypass XProtect,” he said.
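The XProtect point above is a general one about signature-based detection: a rule keyed on a file hash dies the moment the binary is rebuilt, and a rule keyed on a file name dies the moment it is renamed. The following Python script is an added example (not code from the original post, and not Wardle's or Apple's code) that runs three kinds of rule over constructed byte strings standing in for Mach-O files; the sample bytes, the paths and the "beacon" strings are all invented for the illustration. It shows why a defender's rules should key on what a program must contain to do its job rather than on its hash or name alone.

```python
import hashlib
import re

# Constructed sample "binaries" (not real malware): byte strings that stand in
# for Mach-O files. The embedded strings are invented for this example.
ORIGINAL = (b"\xcf\xfa\xed\xfe" + b"\x00" * 16 +
            b"/Library/LaunchAgents/com.example.updater.plist\x00"
            b"http://example.invalid/beacon\x00" + b"\x41" * 32)
# A "recompiled" build: different padding, sections in a different order, but
# the same strings the program needs at run time.
RECOMPILED = (b"\xcf\xfa\xed\xfe" + b"\x00" * 24 +
              b"http://example.invalid/beacon\x00"
              b"/Library/LaunchAgents/com.example.updater.plist\x00" + b"\x42" * 40)

# (label, on-disk path, file contents). "renamed" is the original bytes under
# a new name; "recompiled" keeps the name but has new bytes.
SAMPLES = [
    ("original",   "Updater.app/Contents/MacOS/Updater", ORIGINAL),
    ("renamed",    "Helper.app/Contents/MacOS/Helper",   ORIGINAL),
    ("recompiled", "Updater.app/Contents/MacOS/Updater", RECOMPILED),
]

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Three rule types. The hash and name rules are the brittle kind the talk
# describes; the content rule requires all listed byte strings to be present,
# which survives both renaming and recompilation.
RULES = {
    "hash":    {"type": "hash",    "value": sha256(ORIGINAL)},
    "name":    {"type": "name",    "value": re.compile(r"/Updater$")},
    "content": {"type": "content",
                "value": [b"com.example.updater.plist", b"example.invalid/beacon"]},
}

def rule_matches(rule, path, data):
    """Evaluate one rule against a file's path and contents."""
    if rule["type"] == "hash":
        return sha256(data) == rule["value"]
    if rule["type"] == "name":
        return rule["value"].search(path) is not None
    if rule["type"] == "content":
        return all(needle in data for needle in rule["value"])
    raise ValueError("unknown rule type: %s" % rule["type"])

def scan(samples, rules):
    """Return {sample_label: sorted list of rule names that fired}."""
    return {label: sorted(name for name, rule in rules.items()
                          if rule_matches(rule, path, data))
            for label, path, data in samples}

if __name__ == "__main__":
    for label, fired in scan(SAMPLES, RULES).items():
        print("%-10s -> %s" % (label, ", ".join(fired) or "no rule fired"))
```

Only the content rule fires on all three samples; the hash rule misses the rebuilt binary and the name rule misses the renamed one, which is exactly the gap the talk describes.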
Great. But OS X sandboxes apps. Surely that provides protection. Well…:
“While the core sandbox technology is strong, there are plenty of bugs that can bypass it,” he said.
This is depressing. But apps have to be code signed so that they can run on OS X. That’s not much good, apparently:
“The code signing just checks for a signature and if it’s not there, it doesn’t do anything and lets the app run,” he said. “I can unsign a signed app and the loader has no way to stop it from running.”
Why is that? Here’s why:
“The check for this runs in user mode, which is a huge security fail because the attacker would be in user mode,” he said. “He could just modify a kernel extension or load unsigned ones.”
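The code-signing behaviour described in the two quotes above is a fail-open check: no signature means no decision, and the app runs. The Python script below is an added example (not code from the original post, nor Apple's or Wardle's) of the opposite policy for a defender who wants to vet a bundle before trusting it: it runs the real macOS tools `codesign --verify --deep --strict` and `spctl --assess --type execute`, and treats "unsigned", "invalid", a Gatekeeper rejection, and even a missing tool as a deny. The mapping from codesign's diagnostic wording ("not signed at all", "modified") to a state is an assumption based on that tool's usual messages, and the default target path is just an example.

```python
import subprocess
import sys

def classify_codesign(returncode, output):
    """Map a codesign --verify result to an explicit state.

    Assumption: codesign reports an unsigned binary with the phrase
    'code object is not signed at all' and a tampered one with wording
    such as 'code or signature have been modified'. Anything else that is
    not a clean exit is treated as invalid, never as acceptable.
    """
    if returncode == 0:
        return "valid"
    text = output.lower()
    if "not signed at all" in text:
        return "unsigned"
    if "modified" in text or "sealed resource" in text:
        return "tampered"
    return "invalid"

def decide(codesign_state, spctl_accepted):
    """Fail closed: allow only a valid signature that Gatekeeper also accepts."""
    if codesign_state == "valid" and spctl_accepted:
        return "allow"
    return "deny"

def run(cmd):
    """Run a command; (None, '') when the tool is absent, e.g. off macOS."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:
        return None, ""
    return proc.returncode, proc.stderr + proc.stdout

def assess(path):
    """Verify the signature and Gatekeeper verdict for an app bundle or binary."""
    rc, out = run(["codesign", "--verify", "--deep", "--strict", "--verbose=2", path])
    if rc is None:
        # Without the tool there is no basis for trust, so deny rather than skip.
        return {"codesign": "tool-missing", "spctl": False, "decision": "deny"}
    state = classify_codesign(rc, out)
    rc2, _ = run(["spctl", "--assess", "--type", "execute", path])
    accepted = rc2 == 0
    return {"codesign": state, "spctl": accepted, "decision": decide(state, accepted)}

if __name__ == "__main__":
    # Example target path; pass any bundle or executable as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/Applications/Safari.app"
    print(assess(target))
```

The design point is in `decide` and the tool-missing branch: every state other than "valid and accepted" ends in a deny, so an unsigned or stripped-signature app gets the explicit rejection that the quoted loader behaviour does not give it.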
Bottom line: OS X security isn’t secure. This report isn’t going to go over well at 1 Infinite Loop. Plus, you can bet that evildoers are right now using this info to stage attacks on Macs. Which means Apple needs to step up its game when it comes to security. And it needs to do it now.
This entry was posted on April 23, 2015 at 8:18 pm and is filed under Commentary with tags Apple.