Apple's Gatekeeper vulnerability still needs to be fixed
A previous security update only blacklisted nefarious apps.
Back in September, Synack security researcher Patrick Wardle disclosed a nasty issue with Apple's nefarious-app stopping Gatekeeper system in OS X. While the software is great at stopping malware-infected apps that users have downloaded from the bowels of the internet, it did have a flaw: a signed app could, upon launch, initiate an unsigned program if it resided in the same directory. Because the end user is never aware that this second application is launching, it's a great way to infect a computer. As a responsible researcher, Wardle informed Apple and got a security update as a result. That should have been the end of it, right? Yeah, not so much.
After the release, Wardle reverse-engineered the security patch to see how Apple was dealing with the Gatekeeper problem. He then noticed that the actual underlying vulnerability wasn't addressed. Instead, the company had blacklisted the binaries Wardle was using to demonstrate the issue. When he talked to Apple about it, the company issued a new security update that just blacklisted the latest apps he was working with.
Basically, instead of treating the disease, Apple went after the symptoms. Wardle is quick to point out that the security team at Apple is a bright group, and that he's been in contact with them while doing his research. The team has reiterated that it's working on a more comprehensive fix.
However, Wardle is concerned about end users that have put their trust in a security update that doesn't actually fix the problem. "I can reverse engineer this [security patch] in five minutes," he told Engadget, "so it's something others can do as well."
The vulnerability is especially concerning, because it opens up Macs to altered apps that are the result of man-in-the-middle attacks when something is downloaded via regular HTTP instead of secure HTTPS.
While Apple is working on a fix, Wardle suggests only downloading apps from the Mac App Store or from trusted vendors that use HTTPS -- something you should be doing already, really. We've contacted Apple and will update this post if we get a response.
