A new piece of backdoor malware originally discovered on Windows has found a new home in macOS. Disguising itself as a legitimate Adobe Flash Player installer, the malware burrows into pre-existing macOS folders, making it harder to spot. Because it was signed with a valid developer certificate, the malware could run on macOS even with Gatekeeper enabled.
These certificates were created to help validate applications with Gatekeeper, but lately have been used to spread malicious software. This is the second reported malware incident in the past week using a valid certificate.
During Apple’s WWDC 2016 session What’s New in Security, the company shared two interesting changes to the way Gatekeeper works in macOS Sierra – one visible, one not.
The security researcher who identified a serious flaw in Apple’s Gatekeeper reports that the vulnerability remains despite two security patches applied by the company. Each, he says, only blocks the specific apps he used to demonstrate the method.
Gatekeeper in theory allows users to ensure that their Mac will only run apps downloaded from the Mac App Store, or, alternatively, apps signed by a known developer if you opt for a lower level of protection. But Patrick Wardle last September found a major vulnerability in this protection which would allow any malicious app to be run no matter what Gatekeeper setting was chosen.
Wardle informed Apple, which issued a security patch in response, but Wardle has now reverse-engineered the patch and found that it provides only extremely limited protection …
A security researcher has found an extremely simple way to bypass Gatekeeper to allow Macs to open any malicious app, even when it is set to open only apps downloaded from the Mac App Store.
Patrick Wardle, director of research at security firm Synack, told Ars Technica that once Gatekeeper okays an approved app, it pays no more attention to what that app does. The approved app can then open malicious apps, which Gatekeeper doesn’t check.
Wardle has found a widely available binary that’s already signed by Apple. Once executed, the file runs a separate app located in the same folder as the first one […] His exploit works by renaming Binary A but otherwise making no other changes to it. [He then] swaps out the legitimate Binary B with a malicious one and bundles it in the same disk image under the same file name. Binary B needs no digital certificate to run, so it can install anything the attacker wants …
Update: Macworld and The Verge report that Apple will actually not begin rejecting apps that utilize hotkeys.
According to a report from TUAW, Apple will soon begin rejecting OS X apps submitted to the Mac App Store that utilize hotkey functionality. The report does not cite a specific source, and app developers we have talked to seem to be unaware of the change. TUAW claimed Apple will only allow existing “hotkey apps”, and those released before June 1, to issue future bug fixes. New apps and existing apps that are releasing updates with new features will apparently not be permitted to use hotkeys:
TUAW has been told that Apple will be rejecting all apps with hotkey functionality starting June 1, regardless of whether the new features are hotkey related or not. Basically, if you’re developing one of those apps, an app that assumes you can still add hotkeys, don’t bother submitting it to the Mac App Store.
The June 1 deadline lines up with the latest deadline Apple set for sandboxing Mac App Store apps, which is a new requirement that limits an app’s access to certain areas of the operating system. Apple is pushing sandboxing as “a great way to protect systems and users by limiting the resources apps can access and making it more difficult for malicious software to compromise users’ systems.” It appears it will also prevent apps from using hotkeys.