Apple's anti-malware Gatekeeper still useless: Security bloke reveals lingering holes

Apple has flubbed attempts to patch flaws in OS X's anti-malware system Gatekeeper, leaving the defenses still easy to bypass.

Patrick Wardle, a former NSA staffer who now heads up research at crowdsourced security intelligence firm Synack, found a way to circumvent Gatekeeper last year. Gatekeeper is supposed to block dodgy apps from running, but it turns out it's easy for malicious programs to sidestep.

Apple patched Gatekeeper in November in response to Wardle's findings. However, subsequent work by the researcher ahead of this weekend's ShmooCon conference – an "East Coast hacker convention" – revealed the patch is “incredibly weak.” The update was “easy to bypass” in minutes, Wardle told El Reg.

Apple's Gatekeeper is built into OS X, and is designed to block the execution of untrusted code downloaded from the internet. Only executables digitally signed by registered developers – or, with more restrictive settings, packages downloaded from the Mac App Store – should be allowed to run. The technology debuted in July 2012.

Apple boasts that because of Gatekeeper, trojans and tampered downloads will not bother Mac systems. But this simply isn’t true right now, according to Wardle.

“Even on a fully-patched OS X 10.11.2 system, Gatekeeper is trivial to bypass,” Wardle explains in a blog post. “So hackers can (re)start their trojan distributions while nation states can get back to MitM’ing HTTP downloads from the internet.”

During a presentation at the Virus Bulletin conference in Prague last October, Wardle gave the lowdown on unpatched vulnerabilities in Gatekeeper that created a means for miscreants to distribute unsigned binaries to Mac users, outfoxing Gatekeeper in the process.

Apple released a patch shortly afterwards by simply blacklisted a tool used by Wardle to bypass Gatekeeper rather than tackling the underlying problem.

Wardle has notified Apple about his latest research and a (hopefully more comprehensive) fix is likely. In the meantime, users should stick to downloading software from the Mac App Store. Apple does not respond to requests for comment from The Register.

Waddle plans to offer a personal tool that can thwart anti-Gatekeeper programs, protecting OS X users in the process, to accompany his ShmooCon talk on Sunday. ®