A former NSA staffer turned security researcher is warning that bypassing typical OS X security tools is trivial.
Patrick Wardle, a former NSA staffer and NASA intern who now heads up research at crowd-sourced security intelligence firm Synack, found that Apple's defensive Gatekeeper technology can be bypassed allowing unsigned code to run. Apple's Gatekeeper utility is pre-installed in Mac OS X PCs and used to verify code. The tool is designed so that by default it will only allow signed code to run or, depending on settings, only packages from the Mac App Store.
Apple's built-in mechanisms - Gatekeeper, XProtect anti-malware, sandboxing and kernel code-signing requirements - are "easy to get around" and "trivially exploitable", according to Wardle.
Wardle said he worked closely with Apple's internal security teams describing them as "responsive" while noting the wider consumer electronics firm had yet to embrace a culture where “comprehensive security is baked into their OS X systems" from the onset. By contrast to OS X, iOS has solid security baked in, according to Wardle.
A bug bounty from Apple - along the lines of schemes introduced by Google, Microsoft and many others - would be beneficial, according to Wardle whose firm Synack would stand to benefit from such a scheme. "Google products have themselves, become more secure because of bug bounties," Wardle said. "Introducing them seems to be a no brainer."
During the course of his research Wardle also found a way to circumvent Apple's recent fix for the "rootpipe" privilege escalation vulnerability in OS X. Wardle also coded his own malware to see if a variety of third-party anti-malware utilities could detect it. They all failed.
El Reg caught up with Wardle after a well received tour presenting his research that took him to Infiltrate in Miami and the RSA Conference in San Francisco last month. He explained that he hoped his Infiltrate talk, entitled Writing Bad@ss OS X Malware (pdf), would encourage Mac defenders to up their game.
"The state of OS X malware is amateur, even basic," Wardle told El Reg. “It relies on trivially detectable persistence mechanisms and generally relies on infecting users via social engineering tricks such as offering ‘free [but infected] copies of PhotoShop’.”
Mac malwares remain measurable in the hundreds or thousands. Mac desktop anti-virus developers can detect most of the nasties out there even though they remain ill-prepared for the type of advanced malware nation states might be able to put together, according to Wardle.
"AV [anti-virus] developers seem to be resting on their laurels," Wardle explained. "For example, Windows anti-virus offers heuristics and runtime behavioral analysis, but Mac may not.”
Up until recently all Mac security software packages downloaded over unencrypted http connections, relying on Garekeeper for code verification. Because Wardle uncovered a way to bypass Gatekeeper, this opens the door to man-in-the-middle or other attacks.
"More advanced attackers, such as nation states, would be able to see a download in progress before injecting code into legitimate downloads," Wardle explained.
Apple might like to lock down Macs and "impose more control of third party code" but this is more difficult to impose on desktop systems than on smartphones and tablets running iOS, according to Wardle.
Asked whether he was concerned that his research might be giving bad guys ideas they hadn't thought of themselves, Wardle justified his work.
"Advanced adversaries are likely already doing these things," he said, adding by way of example the Rootpipe zero-day privileged execution vulnerability [CVE-2015-1130) that - once publicly disclosed - was subsequently found in OS X malware that predated the vulnerability being reported to Apple.
Since Wardle first published his research some vendors have switched to downloads over secure (https) connections.
"I love Mac products. I have an iPhone and iPad and I want them to be secure," he said, adding that he had released a set of free software tools to secure Macs, available at objective-see.com.
Another problem is that Apple's desktop OS allows locally unsigned apps to run. Once hackers have compromised a machine they can take a signed binary and add their own code before re-signing it.
"OS X won't detect that an app that used to be signed is no longer signed," and still allows it to run, Wardle explained.
OS X is also vulnerable to dynamic library hijack attacks, through abusing undocumented features of OS X’s dynamic loader. This new class of attacks - similar to far more established DLL hijacking attacks in Windows - gives hackers another means to attack Macs.
Wardle's research also covered the possible use of encrypted Mac malware binaries and rootkit-like stealth techniques, as explained in much greater depth in slides from his RSAC presentation here (pdf). ®