Researcher Discloses Methods For Bypassing All OS X Security Protections
Trailrunner7 writes: For years, Apple has enjoyed a pretty good reputation among users for the security of its products. That halo has been enhanced by the addition of new security features such as Gatekeeper and XProtect to OS X recently, but one researcher said that all of those protections are simple to bypass and gaining persistence on a Mac as an attacker isn't much of a challenge at all. Gatekeeper is one of the key technologies that Apple uses to prevent malware from running on OS X machines. It gives users the ability to restrict which applications can run on their machines by choosing to only allow apps from the Mac App Store. With that setting in play, only signed, legitimate apps should be able to run on the machine. But Patrick Wardle, director of research at Synack, said that getting around that restriction is trivial. "Gatekeeper doesn't verify an extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper," Wardle said in a talk at the RSA Conference here Thursday. "It only verifies the app bundle. If Macs were totally secure, I wouldn't be here talking," Wardle said. "It's trivial for any attacker to bypass the security tools on Macs."
Good enough to criticize the mechanisms (Score:5, Insightful)
But can we have a demo since it is so trivial?
Re:Good enough to criticize the mechanisms (Score:5, Informative)
Its done every year at Pwn2Own.
Re: (Score:3)
It's, son, it's.
Re: (Score:1)
I don't believe I ever used the word trivial in this comment thread, and your incredible hostility doesn't really make me want to respond to the question on 2012 / 2013. Congrats, you figured out how to "win" a discussion!
Re:Good enough to criticize the mechanisms (Score:5, Informative)
Not sure how to 'demo' this to you guys - but this is exactly how to do it:
1) Find an Apple-signed or Mac App Store binary that contains an *external relative reference* to a dylib. Apple's Instruments.app works great
2) Create a .dmg or .zip file that contains Instruments.app as well as the external folders/frameworks with the dylibs that app tries to load - these can be unsigned/malicious :)
3) Hide the files/folders, and create a top-level icon/alias to Instruments.app. This icon can be anything (e.g. 'Flash Installer'). This makes the download look believable
4) Get users to download this ('free photoshop!' - see OSX/iWorm for an example of Mac user's being dumb) *or* inject this into internet downloads if you have network-level presence. Tons of OS X software is distributed over HTTP :/
5) Even if the user has Gatekeeper set to 'only allow code from the Mac App Store', when the user runs the download the unsigned dylibs will be loaded and execute. In other words, Gatekeeper fails to do what it was designed to do - prevent MiTM attacks/user's from running unsigned code.
more technical details here [PDF]: https://www.virusbtn.com/pdf/magazine/2015/vb201503-dylib-hijacking.pdf
Re: (Score:1)
Because apple fan-mods are out in force with points.
Re: (Score:2)
I'm an Apple fan (well, 80%), and I would mod it up. It's important information. It's at +5 now, but I can't understand why anyone would want to mod it down, except for a malicious hacker.
Re: (Score:2)
Security through obscurity.
That was an excuse a decade ago; but have you visited an Apple Store in the past 8 years or so? They could keep them open 24/7 and they'd still be mobbed!
Re: (Score:2)
I'm not sure how this differs from the ability to set dyld environment variables to get dyld to search other paths for loading libraries (very useful for debugging). Of course, doing that requires the ability to set environmental variables (which any user can do with the Terminal). And dyld environmental variables are cleared for apps that run as root.
To me, this presentation looks like an overview of Mac OS X management and debugging features and an ad for "knockknock".
Re: (Score:2)
> Mac user's
Mac user's what?
> MiTM attacks/user's
OMG, there you go again. It's users, not user's.
No apostrophe on a plural, Sparky.
Re: (Score:3)
No apostrophe on a plural, Sparky.
In fact, there is.
In the plural form of the possessive, the apostrophe comes AFTER the pluralization; e.g., "users' ".
Re:Good enough to criticize the mechanisms (Score:4, Informative)
4) Get users to download this ('free photoshop!' - see OSX/iWorm for an example of Mac user's being dumb) *or* inject this into internet downloads if you have network-level presence. Tons of OS X software is distributed over HTTP :/
so, again, like every other OS X exploit, this depends solely on Social Networking to propagate.
So, IOW, after about 100 or so Macs worldwide get infected, whatever package was responsible for spreading malware via this method would be added to Apple's malware list, be pushed out automatically to all users of OS X, and, like those infrequent times before, that would be that...
Then, Apple simply adds checking of DyLibs and other add-ons to OS X, and closes this hokey forever. Problem solved!
So, thanks to the black hat who brought this exploit to Apple's attention; so that they can take care of it.
Re: (Score:1)
Then, Apple simply adds checking of DyLibs and other add-ons to OS X, and closes this hokey forever. Problem solved!
So, thanks to the black hat who brought this exploit to Apple's attention; so that they can take care of it.
Well, not quite. Apple doesn't add essential security updates to pre-Lion (10.7) systems. Since the rot set in after 10.6.8, many users are still on these OS versions simply because they're more accessible, i.e. no new "improvements", and of course, many (like me) have just THOUSANDS of $ invested in software that is entirely obsoleted by 10.7 and up systems. These are developers that have either been bankrupted, or driven out of business, by the endless "improvements" in OSX (like the highly respected "
Re: (Score:2)
Then, Apple simply adds checking of DyLibs and other add-ons to OS X, and closes this hokey forever. Problem solved!
So, thanks to the black hat who brought this exploit to Apple's attention; so that they can take care of it.
Well, not quite. Apple doesn't add essential security updates to pre-Lion (10.7) systems. Since the rot set in after 10.6.8, many users are still on these OS versions simply because they're more accessible, i.e. no new "improvements", and of course, many (like me) have just THOUSANDS of $ invested in software that is entirely obsoleted by 10.7 and up systems. These are developers that have either been bankrupted, or driven out of business, by the endless "improvements" in OSX (like the highly respected "Little Wing pinball", or Unsanity, creators of "Shapeshifter"), or they no longer supply updates to their OSX software. Using Snow Leopard, which is the last version to support the last 10 years worth of OSX software, exposes you to every malignant code for OSX in existence. Apple believes that the risk of infecting those user's computers with worms or trojans is good for the company's bottom line, somehow.... or what they are implying is that there is NO such malware after all...
As the owner of many PPC Macs, including a G5 tower that runs 10.5, (as well as "modern" Macs that can run Yosemite), and who has Mac consulting clients that still run 10.6.8 for the same reasons you mention (familiarity and software investment), I fully understand!
However, for at least the Intel Macs, there is a relatively inexpensive solution: Run 10.6 SERVER under virtualization.
So, for $69, you can purchase VMware Fusion 7 (standard edition) direct from VMware and then by CALLING Apple, for $19.95, y
Re: (Score:2)
When I mentioned running PPC apps under OS X Server 10.6, an alarm went off in my head about the Server install not including Rosetta. Seems I was right. But there is an easy solution. Rosetta can be installed from the 10.6 Server DVD by executing a Command Line in Terminal. [apple.com]
Also, while searching for the above, I ran into an Apple Support Forum thread that talked about installing the 10.6.8 OS X client under Parallels. However, the method for that unauthorized virtualiza
Re: (Score:2)
Mod parent up. This is one of the most informative things I've ever read on /. in a comment.
It's usually people just trying to win semantic wars about stuff and trash Microsoft (or open sores or whatever).
Nicely done. I've got a Mac and I /don't/ have any of that old-skool software you mention, but if I did this is exactly what I'd want to do (or perhaps dual-boot... not sure if OS X likes side-by-side installs).
First, thanks for the "props" (blush); but now I feel ashamed.
Why? Because of what you mentioned about dual-booting two versions of OS X. And then it hit me: you're right! That's the ZERO-Cost (not counting download bandwidth) solution! So, here you go [osxdaily.com]...
And also, since all accessible partitions automatically mount at startup (unless you do some simple command-line witchery), you should have no problem accessing/moving any desired stuff from the "old OS" to the new one. IIRC, these Partitions appear in
Re: (Score:3, Interesting)
Yeah, my thoughts exactly. And, by the way, how is it a problem with the OS if a signed app has a vulnerability you are exploiting? That sounds like a problem with the app to me.
"Oh, I can own OS X - I just need to convince Microsoft Outlook to run arbitrary code with privilege elevation!"
*Yawn*
Re: (Score:3)
It's a problem because the OS isn't checking the entirety of the app for correct signatures, just part of it. Which kinda removes the point of checking at all.
Re: (Score:2)
It's a problem because the OS isn't checking the entirety of the app for correct signatures, just part of it. Which kinda removes the point of checking at all.
Apple updating Gatekeeper in 3... 2... 1...
There! Problem all gone!
Re: (Score:3)
The OS is supposed to sandbox apps so that if they do get 0wned the damage is limited and the rest of the OS and apps are not compromised. Apple has attempted to do that on OS X, but clearly it hasn't worked as well as they were hoping. Even if an app gets compromised, that isn't supposed to let the code take full control of the OS.
Re: (Score:2)
Sure, but the problem here is that the exploit executes in the sandbox process which has root. A normal, non-sandboxed app would run at normal user level and, as you say, be limited in the damage it can do. The sandboxing was supposed to add an extra layer of security, but backfired and actually helped the app to trivially get root access.
Re: (Score:2)
In no way does what the guy is describing magically allow code to take control of the full OS. If an application is executing, and then executes a maliciously crafted dylib, that dylib is still running as the user who executed the parent application - a.k.a. not root unless you've bent over backwards to re-enable the root user and log in as root because you completely hate security and best practices. If it wants to do something outside the permissions envelope of that user, it will still have to ask perm
Re: (Score:2)
In no way does what the guy is describing magically allow code to take control of the full OS. If an application is executing, and then executes a maliciously crafted dylib, that dylib is still running as the user who executed the parent application - a.k.a. not root unless you've bent over backwards to re-enable the root user and log in as root because you completely hate security and best practices.
so, IOW, about 100 Mac Users worldwide.
Re: (Score:1)
If Apple sells an app from the Apple store then it's freakin' responsible for the app.... You know why it's difficult for Apple? Because they just pay for the brains of these app developers and then they resell it.... So they are busy minting money instead of being responsible for the app store?
Re: (Score:2)
Following your "logic", Best Buy is responsible for the millions of computers that get infected with shit from running copies of Windows that were purchased at Best Buy and not patched / maintained? Because Best Buy just "pays for the brains of these app developers and then they resell it" ?
Brilliant.
Re: (Score:2)
Agreed... I stopped bothering at "So if I can find an Apple-approved app and get it to load external content..."
It's a possible corner-case privilege escalation at most, and nothing near the breathless 'OMGWTFBBQwe'reallgonnaDIE!' summary and headline. Oh, and it still requires the user to do something stupid.
Wake me when someone finds a way to take remote control of an OSX box without first requiring a complicit keyboard actuator to help him do it.
root = same process (Score:5, Informative)
And using the same logic I can get root on any Unix box.
1) Find an application that has root
2) Get it to load external content
3) The new content bypasses all the protections on the box.
Gatekeeper prevents downloaded applications that are untrusted from accidentally being run. It doesn't prevent trusted applications from doing anything.
Re:root = same process (Score:5, Insightful)
Gatekeeper also isn't "all MacOS X security". There's separate malware detection, and in order to do much of anything the user has to enter their computer account password.
It's a minor part of OS X security, mostly designed to keep casual users from installing stuff outside the apple store.
Re:root = same process (Score:5, Informative)
Gatekeeper also isn't "all MacOS X security". There's separate malware detection, and in order to do much of anything the user has to enter their computer account password.
It's a minor part of OS X security, mostly designed to keep casual users from installing stuff outside the apple store.
Yes.
There's also Mandatory Access Controls (MAC Framework) in the kernel itself, and there's BSM secure auditing in the kernel itself, and there's discretionary access controls, such as standard UNIX permissions, and there's POSIX.1e draft (it was never ratified as a standard) ACLs, and then there's whatever malware detection or antivirus protection you've jammed into the kernel as a MAC module via a KEXT, and in the absence of any access controls whatsoever, it's default deny, and then there's code signing, and encrypted pages within executables.
They didn't bypass any of that, and they wouldn't really be able to, even if they were root, because you can't get the Mach port for the kernel virtual address space without jumping through a massive number of hoops (which is why jailbreaking phones is non-trivial, and everyone uses script kiddy tools to do it, instead of jailbreaking from scratch).
And yeah, it's pretty stupid that Gatekeeper or anything else would be running as root and thus be exploitable with the escalated privilege available at install time, since it'd be pretty easy to just have it run as a role-based account, and have the kernel's cooperation, after cryptographic verification of the developer keys at the kernel level. But that doesn't let you bypass "All OS X Security": getting root doesn't really get you nearly 1/10th of the security bypassed (less, if you've installed third party anti-malware KEXTs that refuse to be unloaded except in single user mode during boot as part of an uninstall script, and are therefore always active).
They clearly do not understand the concept of "security in depth".
Re: (Score:2)
Actually, it keeps people from running stuff downloaded from untrusted sources.
Basically, anything downloaded from the Internet is considered "bad" unless they paid Apple to either host it in the Mac App Store, or they pa
Re: (Score:2)
Or, you know, you could just turn off Gatekeeper if you don't like it.
Re: (Score:2)
I suppose the upshot is that the OS X app store doesn't behave like some of the other app stores.
The iOS and Windows app stores do not allow you to publish an application that can execute external code. The APIs are restricted and their use may be discovered during the approval process.
OS X app store submission process doesn't appear to have the same restrictions.
Re: (Score:2)
Well, it requires special permission to get an app that can execute internal code on the iOS store. They do exist. For example Gambit Scheme, and I have a calculator with a JavaScript interpreter... They just want reasonable protections.
OSX app store though is mostly wide open. There are some restrictions, for example sandboxing and use of external services, but mostly the idea is that the App Store for OSX should have 95+% the diversity of OSX applications.
Re:root = same process (Score:5, Informative)
Gatekeeper prevents downloaded applications that are untrusted from accidentally being run. It doesn't prevent trusted applications from doing anything.
Exactly. Mod parent up.
And this is a *good* thing.
Apple has a separate sandboxing and entitlements system for more security. Apple makes apps distributed on the Mac App Store enable sandboxing. But for those apps (usually tools) that can't work within the limitations of the sandbox, developers can still ship outside the Mac App Store and do whatever they want. Code signing for GateKeeper is merely a trust checkbox that it is unlikely the vendor is doing anything really malicious or Apple would revoke their certificate and possibly pursue legal/criminal action for really nefarious activities since Apple gets a paper trail to hunt you down with as part of the process of getting a key to sign with.
If everything was locked down in the name of security, we would be denied all sorts of useful things.
Re: (Score:2)
A trusted application is trusted to authorize applications. That's what it means to trust. If you want applications that are only semi-trusted: capability computing, sandboxing, virtual machines... permissions systems are not the way to go.
Worse than the summary (Score:5, Insightful)
The summary made it sound like "wow, if a program runs arbitrary code, then arbitrary code might run" which is kind of...tautological. But the article has other goodies, like "the security check to keep dangerous code out of the kernel...runs with user permissions", and "code signing only rejects an app if it has an untrusted signature, but lets it through if it has no signature".
Re:Worse than the summary (Score:4)
Ugh, quick, messy fingers. I wanted to mod this "Insightful". Clicked on "redundant".
So, posting to undo my bad deed. I could just comment "yeah, you're right" and be less publicly embarrassed... But I deserve the shame :-P
Seems to not understand how it works (Score:1, Insightful)
This guy seems to think the fact that his computer is usable is an exploit. He doesn't mention anything that isn't just documented and known as the 'way it works'.
Pretty much everything he talks about makes it clear he doesn't actually understand the features and how they actually work. Every comment he makes ... makes almost no practical sense. It's not technically incorrect, it's just pointless and doesn't actually mean anything from a security perspective. It's like saying These makes are insecure; the
Re:Seems to not understand how it works (Score:4, Informative)
The clueless meter went off the charts for me at "by the addition of new security features such as Gatekeeper and XProtect to OS X recently" -- XProtect has been around since mid-10.6, and Gatekeeper is just a wrapper around XProtect.
The actual Synack presentation is better (I saw the precursor at CSW): "Gatekeeper doesn't verify an extra content in the apps. So if I can find an Apple-approved app and get it to load external content, when the user runs it, it will bypass Gatekeeper," is the real security flaw here. CSW had a good presentation on how to do this leveraging dylibs. With a simple exploit dropping a crafted dylib, you can run any code you can force the user to download via drive-by as root. And it's persistent, without adding a bunch of extra junk to the target system.
That said, this method still relies on working exploits (or more often, patched torrents of popular software). The skill level to pull off the entire attack chain is fairly high too -- you're going to see governments and organized crime using these techniques, not your average bot herder.
Re: (Score:1)
The entire point behind gatekeeper is that it prevents (most) of the most common attack vectors: web downloads and email-borne malware. Using the XProtect engine, it does a really good job of this. So much so that most of the malware authors that were targeting these attack vectors have since moved on to the greener pasture that is Android. However, until the common torrent clients start setting the download flag on files, cracked commercial software and "videos" downloaded via torrents will still be a r
We're doomed ! (Score:2)
Oh no !
Web browsers allow for remote code execution through Javascript ! (and Flash and Java applets, if you feel adventurous)
We're all doomed !
In other words... (Score:2)
If they run an app, they can... run an app? The only way to stop something like this would be to prevent any programs from running. Security would be limiting what that malicious code can do - to prevent it from running at all, you'd also have to prevent the machine from running ANY code, at all. And wouldn't that code execute inside OS X's sandbox? I'm not up to date on Apple security, so I apologize, but doesn't it sandbox applications?
Personally, I'm wondering something. I know that files are locked of
Re: (Score:2)
In order to have raw access to the disk, you need to elevate permissions to root. If you can do that, there's no reason to go after the block storage - you already own the whole thing.
Therefore... (Score:1)
do not install Flash.
Is it trivial to have an app with extra baggage? (Score:3)
Seems like placing an application in the app store that has this "Extra Content" might be a bit problematic.
Perhaps not, but have there been any apps from the Mac App Store with extra code to side-load a program onto a Mac?
Re: (Score:2)
Plus if you have your machine set to only install from the app store, doesn't it have some sort of handshake problem? I don't know how it all works, but I know when I install a new version of the OS on a Mac it only lets installs through the app store work by default. You have to disable that feature to install "Trusted" apps from outside of the App Store environment. You can also choose to wing it and allow all apps you find to install if you click the right check box.
Re: (Score:2)
In security it says:
Allow Apps downloaded from:
(3 check boxes)
1. Mac App Store
2. Mac App Store and identified developers
3. Anywhere
Seems like if you only had the Mac App Store checked then there would be no threat.
Even if option 2 was selected, it seems like it might be fairly safe if the developers are not trying to infest a computer.
Obviously, option 3 would allow for all kinds of mayhem.
Hi I'm Patrick (Score:5, Informative)
Aloha - hopefully this provides some more context and technical insight into my 'claims.' I'm honestly not trying to overhype everything and feel I have a decent understanding how computers/malware/exploits work -thanks to my time at the NSA ;). My goal is simply to show that Apple's built-in security mechanisms are trivial to bypass by malware/local attackers.
1) So yes, Gatekeeper is designed to only allow downloaded code to execute if it's signed, or from the Mac App Store. This prevents a lot of attacks, such as users infecting themselves with trojans, or downloads that have been modified in transit (e.g. by a remote attacker w/ some network level access). The technique I described (full technical details here: https://www.virusbtn.com/pdf/magazine/2015/vb201503-dylib-hijacking.pdf), allows anybody to inject unsigned code into internet downloads. Then, even if the user has set Gatekeeper to only allow code from the Mac App Store, the unsigned code is allowed to run. Since most (e.g. all OS X AV security products and about 2/3 of the apps in my dock) OS X software is distributed via HTTP and/or users are dumb and download all sorts of shady code - IMHO, this bypass is a problem. Yes, I understand the user still has to run the code - my point is that we can completely bypass Gatekeeper.
2) In OS X, kernel extensions must be signed. The techniques I described are known (see: https://reverse.put.as/2013/11/23/breaking-os-x-signed-kernel-extensions-with-a-nop/), but allow any unsigned kernel extension to be loaded, even on Yosemite.
3) I also showed that Apple botched the rootpipe patch, meaning any local user can priv-esc to get r00t, even on fully patched OS X 10.10.3 or 10.10.4 beta (video of poc: https://vimeo.com/125345793).
4) XProtect (Apple's built-in AV product) is signature-based, thus can be trivially bypassed. Yes, this is obvious.
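The step list earlier in the thread (an Apple-signed app carrying an *external relative reference* to a dylib, shipped next to unsigned libraries) and point 1 above both come down to how dyld resolves load commands, and that is something a defender can audit before a download is ever run. The scanner below is an added example, not code from this thread, from Synack or from the Virus Bulletin paper: it parses the LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB / LC_RPATH commands of a Mach-O binary and reports dylib references that dyld would satisfy from an empty location, noting whether that location lies outside the signed bundle that Gatekeeper checks. The Mach-O image, the /Applications/Sample.app bundle, Foo.framework and libOptional.dylib are all constructed here so it runs offline; a real scanner would read the binary from disk and use os.path.exists instead of the SAMPLE_DISK set.

```python
import posixpath
import struct
from collections import namedtuple

MH_MAGIC_64 = 0xFEEDFACF           # 64-bit little-endian Mach-O
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018    # a missing library is tolerated at load time
LC_RPATH = 0x8000001C

DylibRef = namedtuple("DylibRef", "name weak")
# reason: "rpath-order" or "weak-missing"; load_path: the empty location dyld consults first;
# outside_bundle: the signed app bundle (all Gatekeeper looks at) does not cover that location
Finding = namedtuple("Finding", "dylib reason load_path outside_bundle")

def _lc_str(buf, cmd_off, cmdsize, str_off):
    # lc_str: uint32 offset, from the command start, of a NUL-terminated string
    end = buf.index(b"\0", cmd_off + str_off, cmd_off + cmdsize)
    return buf[cmd_off + str_off:end].decode()

def parse_load_commands(buf):
    """Return (dylib references, LC_RPATH entries) in load-command order."""
    magic, _cpu, _sub, _ftype, ncmds, _size, _flags, _res = struct.unpack_from("<8I", buf, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O image")
    dylibs, rpaths, off = [], [], 32           # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", buf, off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH):
            text = _lc_str(buf, off, cmdsize, struct.unpack_from("<I", buf, off + 8)[0])
            if cmd == LC_RPATH:
                rpaths.append(text)
            else:
                dylibs.append(DylibRef(text, cmd == LC_LOAD_WEAK_DYLIB))
        off += cmdsize
    return dylibs, rpaths

def _resolve(path, exe_dir):
    # for the main executable, @loader_path and @executable_path are the same directory
    return posixpath.normpath(path.replace("@executable_path", exe_dir).replace("@loader_path", exe_dir))

def find_hijackable(dylibs, rpaths, exe_dir, bundle_root, existing):
    """`existing` is the set of paths present on disk (a real scanner would call os.path.exists)."""
    def outside(p):
        return not (p == bundle_root or p.startswith(bundle_root.rstrip("/") + "/"))

    findings = []
    for ref in dylibs:
        if ref.name.startswith("@rpath/"):
            # dyld walks the LC_RPATH list in order and loads the first file it finds
            candidates = [_resolve(posixpath.join(rp, ref.name[7:]), exe_dir) for rp in rpaths]
            hit = next((i for i, c in enumerate(candidates) if c in existing), None)
            if hit is None and ref.weak and candidates:   # non-weak and missing: app fails to launch
                findings.append(Finding(ref.name, "weak-missing", candidates[0], outside(candidates[0])))
            elif hit:                                     # found only after an empty earlier search location
                findings.append(Finding(ref.name, "rpath-order", candidates[0], outside(candidates[0])))
        else:
            full = _resolve(ref.name, exe_dir)
            if ref.weak and full not in existing:
                findings.append(Finding(ref.name, "weak-missing", full, outside(full)))
    return findings

def _dylib_cmd(cmd, name):
    raw = name.encode() + b"\0"                # struct dylib_command (24 bytes) + padded name
    size = 24 + len(raw) + (-(24 + len(raw)) % 8)
    return (struct.pack("<6I", cmd, size, 24, 0, 0, 0) + raw).ljust(size, b"\0")

def _rpath_cmd(path):
    raw = path.encode() + b"\0"                # struct rpath_command (12 bytes) + padded path
    size = 12 + len(raw) + (-(12 + len(raw)) % 8)
    return (struct.pack("<3I", LC_RPATH, size, 12) + raw).ljust(size, b"\0")

def build_sample_macho():
    """Constructed Mach-O header plus load commands only (no segments, no code)."""
    cmds = (_rpath_cmd("@executable_path/../../../Frameworks")   # relative path that leaves the bundle
            + _rpath_cmd("/Library/Frameworks")
            + _dylib_cmd(LC_LOAD_DYLIB, "@rpath/Foo.framework/Versions/A/Foo")
            + _dylib_cmd(LC_LOAD_WEAK_DYLIB, "/usr/local/lib/libOptional.dylib")
            + _dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"))
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 5, len(cmds), 0, 0)  # x86_64, MH_EXECUTE
    return header + cmds

SAMPLE_BUNDLE = "/Applications/Sample.app"                  # constructed bundle location
SAMPLE_EXE_DIR = SAMPLE_BUNDLE + "/Contents/MacOS"
SAMPLE_DISK = {"/Library/Frameworks/Foo.framework/Versions/A/Foo", "/usr/lib/libSystem.B.dylib"}  # constructed

def scan_sample():
    dylibs, rpaths = parse_load_commands(build_sample_macho())
    return find_hijackable(dylibs, rpaths, SAMPLE_EXE_DIR, SAMPLE_BUNDLE, SAMPLE_DISK)

if __name__ == "__main__":
    for f in scan_sample():
        where = "outside" if f.outside_bundle else "inside"
        print(f"{f.reason:12} {f.dylib}: dyld checks {f.load_path} first ({where} the signed bundle)")
```

Both findings on the sample land outside the bundle, which is exactly the gap the thread describes: a valid bundle signature says nothing about files dyld will pull in from a sibling folder on the same .dmg.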
Re: (Score:3)
Wrong. Anyone can inject code into any data stream trivially. It's getting it to run that's the tricky part. How exactly are you going to do that? If the code that's performing the download is in on the plot, then fine, but a) you would have to get that code past the App Store review, and b) you would have to expect Apple
Re: (Score:2)
I still don't see how this is any different from just exploiting an app vulnerability, regardless of the presence of GateKeeper. What you describe is no different than the hundreds of arbitrary code execution vulnerabilities found in Flash, Java, etc. since the dawn of these frameworks.
GateKeeper was never meant to keep all malicious code from executing, ever. It was meant to give you an "are you really sure you want to run this thing that appeared in your downloads folder" chance to not screw yourself ov
Re: (Score:3)
1) Are you saying that the signature does not cover the entire download, and that an attacker could supplement or exchange content of the download without invalidating the signature, and have the injected code execute when the user starts the app?
2) Sounds bad.
3) Sounds bad
4) That a signature-based AV engine is only effective when attacks have been reported, analysed and a signature has been developed is bloody obvious. All an AV engine is good for is herd immunity. Which is sorta ok, except that they are
Re:Hi I'm Patrick (Score:5, Informative)
2) Agreed
3) Agreed
4) Agreed - I wrote a simple p.o.c. malware that generically bypassed all (popular) 3rd-party OS X security tools (AV, firewall tools, etc) - even though it did common malware 'things' like persist, exfil data, download/execute commands. Your skepticism of their claims/effectiveness seems right on
Re: (Score:2)
Linux, BSD and Windows just suuuuuuck so much compared to OS X that even if it were the least secure OS, most security researchers would still run it exclusively. Source: I am a security researcher.
Wish I had mod points! Mods: Mod the Parent "Insightful".
I keep telling you... (Score:1)
One of these days....
OSX is insecure, Apple is either incompetent and/or complicit with the FBI/NSA.
Kaspersky (Score:2)
My browser tells me that the SSL certificate for the site hosting TFA is owned by Kaspersky Labs. Now, whilst that doesn't necessarily mean that what the author says is wrong, I do get suspicious when anti-virus software vendors publish articles about new ways in which my computer is not secure.
10+ years of OSX and still no virus outbreaks (Score:2)
This guy's theoretical hack is still not practical, probable, or verified in meatspace. It's vaporware.
Re: (Score:3, Insightful)
Yeah it really is stupid. Is he saying "If you let me run malicious code on your computer, then I can run malicious code on your computer"? That's what it sounds like to me.
As far as I've ever heard, it is theoretically impossible to stop that kind of attack. If a user runs your code, then yeah, duh, your code can do whatever. I don't think that counts as a security vulnerability.
Re:Clickbait (Score:4, Insightful)
Not quite; it is more that if you have a good approved app and that app has a security flaw, you can use that flaw to hijack the OS.
Still, it seems stupid. It is like saying if you have permission to run scripts, you can run a malicious script.
Re: (Score:2)
I think it's more saying "we have a security gizmo so that if you manage to run code here, it can't get out", and using a flaw to get out.
Re:Clickbait (Score:5, Funny)
It does sound an awful lot like the notorious MS07-052: Code execution results in code execution [msdn.com].
Re: (Score:1)
Gatekeeper is supposed to prevent unsigned/non-Mac App Store code from running... so either if a download has been MitM'd or if the user was coerced into downloading something shady (e.g. trojan). The bypass I described bypasses this requirement - allowing unsigned code to be injected into existing downloads or hackers to now re-distribute unsigned/malicious trojans. So yah, it's about allowing unsigned code to execute - when Gatekeeper should block that.
Re: Clickbait (Score:4, Interesting)
Allowing unsigned code into the app bundle changes the app bundle and makes the signature invalid. That's how signatures work. The idea here is that a legitimately signed and installed app can then execute code outside the app bundle which will run without additional controls in place.
It depends. If you can add metadata to the bundle without it being detected (a problem that has cropped up with Linux repositories several times) then this is a genuine vuln. If OTOH it's something like "If you install a Python interpreter then you can use that to run arbitrary code that isn't validated by Gatekeeper" then it's a "Code execution results in code execution" issue. In the great tradition of journalists everywhere, the ThreatPost article never provided any links to any original material, so all we have is the writer's interpretation of what's actually going on,
Assuming the previous reply was by the guy who gave the talk, is it online anywhere?
Re: (Score:2)
Gatekeeper is supposed to prevent unsigned/non-Mac App Store code from running... so either if a download has been MitM'd or if the user was coerced into downloading something shady (e.g. trojan). The bypass I described bypasses this requirement - allowing unsigned code to be injected into existing downloads or hackers to now re-distribute unsigned/malicious trojans. So yah, it's about allowing unsigned code to execute - when Gatekeeper should block that.
Wrong.
Gatekeeper's default setting allows only signed apps; but the user can opt for lesser security. But that's on the user, not Apple.
Re: (Score:2)
As far as I've ever heard, it is theoretically impossible to stop that kind of attack. If a user runs your code, then yeah, duh, your code can do whatever. I don't think that counts as a security vulnerability.
No, definitely not a security issue when you have a piece of software that is only supposed to let the app store signed code run and then as long as there's a signature somewhere near it will run whatever the fuck you've put in this app that macuser101 has no suspicion of because 'macs are virus proof'. It will be a funny day when the first big mac virus sweeps through now that macs are numerous enough to present a valid target and casually brushes aside any token security measures.
Re: (Score:2)
No. Coming up on ten years ago, dude. Time to move on.
Re: (Score:1)
Easier than that. Just say it's a video of Jobs' next blockbuster project that nobody knows about. He didn't complete it before he died. All you have to do is download this codec to see it...
I bet you'd get 90% of the apple Fanbois. That's because they'd all download it in the 1st 10 minutes it would be out there.