Last year in October, Apple’s OS X Gatekeeper security feature was bypassed by Patrick Wardle, research director of Synack. Wardle bundled a legitimate Apple-signed application together with an unsigned malicious app placed in the same directory, and wrapped both in an Apple disk image file. In response, Apple attempted to block Wardle’s attack method (CVE-2015-7024) with the release of OS X El Capitan 10.11.1.
Apple blocked this mechanism by creating a blacklist of files that could be bundled alongside a signed application to slip malware past Gatekeeper. A permanent solution has not yet been found by Apple, and this block has once again been bypassed by Wardle.
Wardle found another file that was not on the blacklist and used it to carry out the attack successfully.
The OS X Gatekeeper bypass process can be carried out in 3 steps:
1. The attacker identifies a signed application that loads and executes an external binary at runtime.
2. The attacker creates a .dmg file that includes the malicious file.
3. The attacker delivers the malicious .dmg file to users by injecting it into insecure download connections or by spreading it through third-party app stores.
Though the particular file presented by Kaspersky Lab has been added to the list, the underlying problem remains. Gatekeeper continues to allow all Apple disk images, even those containing a malicious executable, as long as the initial executable is not malicious. Once the image mounts, every executable file in the bundle can run, regardless of whether it is malicious. Unless and until Apple comes up with a permanent and realistic solution, the possibility remains that an attacker can identify a new signed application that loads and executes an external library at runtime.
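The weakness described above is that Gatekeeper's check covers only the first executable a user launches, not every executable shipped in the image. A defender or analyst reviewing a downloaded image can close that visibility gap by inventorying every Mach-O binary inside the mounted volume and checking each one's signature individually. The script below is an added example, not code from the article or from Wardle's research: it walks a directory (assumed to be the mount point of a .dmg), identifies Mach-O and universal binaries by their magic numbers, and, where Apple's `codesign` tool is available, verifies each one with `codesign --verify --deep --strict`. The directory layout and file contents in the docstring are constructed for illustration.

```python
import os
import shutil
import subprocess
from pathlib import Path
from typing import Dict, List, Optional

# Mach-O and universal ("fat") binary magic numbers as they appear in the
# first four bytes of a file, in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM (universal)
}


def is_macho(path: Path) -> bool:
    """Return True if the file starts with a Mach-O or fat-binary magic number.
    Note: Java .class files share the 0xCAFEBABE prefix, so treat a hit on a
    .class file as a false positive when triaging."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_macho_files(root: Path) -> List[Path]:
    """Walk a mounted image (or any directory) and list every Mach-O file in
    it, including those inside .app bundles, frameworks and plug-in folders.
    Symlinks are skipped so a link cannot hide a file outside the image."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            if is_macho(p):
                found.append(p)
    return sorted(found)


def codesign_status(path: Path) -> Optional[bool]:
    """On macOS, ask codesign whether the file carries a valid signature.
    Returns None when the codesign tool is not present (e.g. on Linux)."""
    tool = shutil.which("codesign")
    if tool is None:
        return None
    result = subprocess.run(
        [tool, "--verify", "--deep", "--strict", str(path)],
        capture_output=True,
    )
    return result.returncode == 0


def audit_image(root: Path) -> Dict[str, Optional[bool]]:
    """Map each Mach-O file (relative to the mount point) to its signature
    status: True = valid signature, False = unsigned or tampered,
    None = could not be verified on this host."""
    root = Path(root)
    return {
        str(p.relative_to(root)): codesign_status(p)
        for p in find_macho_files(root)
    }


def report(root: Path) -> List[str]:
    """Human-readable summary lines; anything that is not True deserves a
    look, because Gatekeeper will not have checked it on the user's behalf."""
    labels = {True: "signed", False: "UNSIGNED/INVALID", None: "unverified"}
    return [f"{labels[status]:17} {rel}" for rel, status in audit_image(root).items()]


if __name__ == "__main__":
    import sys
    # Usage: python audit_dmg.py /Volumes/SomeMountedImage
    for line in report(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(line)
```

Any file reported as anything other than `signed` is one Gatekeeper would not have assessed before it ran, which is exactly the class of file the bypass relies on. The magic-number scan is deliberately independent of file extensions and executable bits, since a bundled library or helper need carry neither.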