As any fan of the The Matrix trilogy of films will tell you, the Keymaker is a character in The Matrix Reloaded who has the keys to provide Neo access to the system mainframe and by so doing hopefully save Zion from the ongoing sentinel attack. In the movie, the Keymaker was a little old Chinese man who held the keys to every door, every escape route, everything. In Apple OS X the equivalent is the Gatekeeper, a key technology which prevents malware from running on machines using that operating system. It does this by effectively locking the doors to applications which are not legit and digitally signed to prove it. Or at least it should.

Now a researcher reckons the Apple Gatekeeper isn't all that. Indeed, Patrick Wardle who is the Director of Research at Security-as-a-Service specialists Synack, says that it is "trivial for any attacker to bypass the security tools on Macs." An experienced vulnerability and exploitation analyst, Wardle has a string track record in uncovering exploitable 0-day vulnerabilities in major operating systems. At Synack he heads up the cyber R&D efforts and focuses on automated vulnerability discovery as well as the emerging threats of OS X malware. Wardle is obviously a man who knows his stuff, which is why this particular warning (given during a presentation at the RSA Conference) should be taken seriously rather than being dismissed as just another theoretical attack against the Apple security posture.

So what, exactly, is Wardle saying? Well when it comes to the Gatekeeper he's warning it doesn't verify extra content in the apps which means that any Apple-approved app loading external content upon user execution will simply bypass the Gatekeeper altogether because it only verifies the app bundle itself. Thankfully, OS X also has an anti-malware system built in called XProtect. Or at least that would be thankfully were it not just as easy to bypass as the Gatekeeper according to Wardle who says he managed to get around it by recompiling malware to change the hash so it would execute or, if he wanted to be really lazy, just by changing the name of the malware itself. It really is that easy, Wardle insists.

In which case, there's always the OS X sandbox to protect users isn't there? Again, not according to Wardle. While admitting that the sandbox is of a good design Wardle also points out that Google's Project Zero has published kernel-level bugs which can be used to bypass this as well.

What do the Apple coders here at DaniWeb think about the Wardle revelations? Does he have a point or is this old ground being turned over? Should Apple be doing more to protect users from malware, or is the proof of this particular pudding in the reported security breach eating or lack thereof?

Edited by happygeek

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

2 Years
Discussion Span
Last Post by MrWonderful1961

Part of the problem with Mac systems is that the default user has admin privileges, much like Windows systems do by default, so malware can install software that can bypass other system security measures. This is not the case with most Linux systems unless the user, as root, alters the /etc/sudoers file to allow someone root privileges without a password. I'm not sure if the Mac default user has to input their password when installing new software, but hackers could compromise that if needed.

Good system security is very difficult. Just ask Bruce Schneier! Any system can be hacked - just ask the NSA...


As I understand it, this is no different from any linux system.

Most RPM installs require sudo anyway. The main user in OS X is a member of the admin group, but needs to authenticate with a password during most software installation.

If you get your apps from a known-good source, you shouldn't have any issues -- just like on linux.


$ visudo
visudo: /etc/sudoers: Permission denied
visudo: /etc/sudoers: Permission denied

$ shutdown
shutdown: NOT super-user

$ mkdir /test
mkdir: /test: Permission denied
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.