As any fan of the The Matrix trilogy of films will tell you, the Keymaker is a character in The Matrix Reloaded who has the keys to provide Neo access to the system mainframe and by so doing hopefully save Zion from the ongoing sentinel attack. In the movie, the Keymaker was a little old Chinese man who held the keys to every door, every escape route, everything. In Apple OS X the equivalent is the Gatekeeper, a key technology which prevents malware from running on machines using that operating system. It does this by effectively locking the doors to applications which are not legit and digitally signed to prove it. Or at least it should.
Now a researcher reckons the Apple Gatekeeper isn't all that. Indeed, Patrick Wardle who is the Director of Research at Security-as-a-Service specialists Synack, says that it is "trivial for any attacker to bypass the security tools on Macs." An experienced vulnerability and exploitation analyst, Wardle has a string track record in uncovering exploitable 0-day vulnerabilities in major operating systems. At Synack he heads up the cyber R&D efforts and focuses on automated vulnerability discovery as well as the emerging threats of OS X malware. Wardle is obviously a man who knows his stuff, which is why this particular warning (given during a presentation at the RSA Conference) should be taken seriously rather than being dismissed as just another theoretical attack against the Apple security posture.
So what, exactly, is Wardle saying? Well when it comes to the Gatekeeper he's warning it doesn't verify extra content in the apps which means that any Apple-approved app loading external content upon user execution will simply bypass the Gatekeeper altogether because it only verifies the app bundle itself. Thankfully, OS X also has an anti-malware system built in called XProtect. Or at least that would be thankfully were it not just as easy to bypass as the Gatekeeper according to Wardle who says he managed to get around it by recompiling malware to change the hash so it would execute or, if he wanted to be really lazy, just by changing the name of the malware itself. It really is that easy, Wardle insists.
In which case, there's always the OS X sandbox to protect users isn't there? Again, not according to Wardle. While admitting that the sandbox is of a good design Wardle also points out that Google's Project Zero has published kernel-level bugs which can be used to bypass this as well.
What do the Apple coders here at DaniWeb think about the Wardle revelations? Does he have a point or is this old ground being turned over? Should Apple be doing more to protect users from malware, or is the proof of this particular pudding in the reported security breach eating or lack thereof?
