Apple's anti-malware Gatekeeper still useless: Security bloke reveals lingering holes

Apple has flubbed attempts to patch flaws in OS X's anti-malware system Gatekeeper, leaving the defenses still easy to bypass. Patrick Wardle, a former NSA staffer who now heads up research at crowdsourced security intelligence firm Synack, found a way to circumvent Gatekeeper last year. Gatekeeper is supposed to block dodgy …

  1. graeme leggett Silver badge

    they never call

    "Apple does not respond to requests for comment from The Register."

    That phrase reminds me a bit of the ones the BBC uses about being banned from reporting from a country and so their journalist is in the neighbouring one.

    Perhaps you could use something similar at next Apple conf.

    1. Anonymous Coward

      Re: they never call

      How about satire?

      Just call him Sveet Bojs.

    2. Anonymous Coward

      Re: they never call

      Why should they respond?

      It's their choice and they choose not to, fair enough.

      I think El Reg should drop the 'tude and just write the article, time to move on.

      I'm sure some people love the stock ADNRTRFCFTR (please, nobody use this abbreviation again, ever) but I'm fed up with it.

      Grow up El Reg, they don't love you. Let it go.

      1. Crazy Operations Guy

        Re: "It's their choice and they choose not to, fair enough."

        Real journalists get the perspective of every involved party when writing an article in order to get the clearest and fairest view of events. The fact that Apple hasn't responded must be included in the article to indicate that Apple had a chance to rebut the text in the article but refused to do so (with the benefit that it protects the Register from potential charges of libel or bias).

        1. Anonymous Coward

          Re: "It's their choice and they choose not to, fair enough."

          So, what you are saying is every reputable journalist includes a list of those who have ignored their requests for information in every article they publish.

          I don't recognise your world.

          1. Graham Dawson Silver badge

            Re: "It's their choice and they choose not to, fair enough."

            Yes, actually, they do. Usually it's written along the lines of "X had yet to respond to requests for information at the time of publication", or words to that effect. It informs the reader that the article is incomplete and may be updated or may be followed if X ever decides to call back.

          2. Chris 3

            Re: "It's their choice and they choose not to, fair enough."

            Every reputable journalist will approach the subject of the article if it is being criticised and offer the chance to comment, yes - that is exactly how it works.

      2. Archie Woodnuts

        Re: they never call

        Why should they drop the 'tude?

        It's their choice and they choose not to, fair enough.

        I think El Reg should keep the 'tude when writing articles, it isn't time to move on.

        I'm sure some people hate the stock ADNRTRFCFTR (please, everybody use this abbreviation again, always) but I'm not fed up with it.

        Don't grow up El Reg, they should love you. Keep at it.

        Two kinds of people. ^_^

    3. Arctic fox
      Windows

      Re: they never call

      God's in his heaven and all's right with the world. It is so reassuring that the Fruity Company continues with this pathetic behaviour. I realise that this will not go down well with the anti-Redmond hatebois but despite the regular slaggings that El Reg give MS (very often deserved but not always) MS usually reply when asked for a comment. However, with regard to Cupertino the only appropriate comment is "plus ça change, plus c'est la même chose".

      1. Anonymous Coward

        Re: they never call

        God's in his heaven and all's right with the world.

        Apple Master Control sure is some kind of Terminal Dogma area.

        1. Anonymous Coward
          Thumb Up

          Re: they never call

          Hey, an Eva reference!

    4. Dan 55 Silver badge

      Re: they never call

      They have actually responded when it's in their interests, usually when they consider there's an impending PR shitstorm. Once when they pulled an app from their app store for disabled children in 2012 and two or three times afterwards, from memory.

  2. allthecoolshortnamesweretaken

    Historical side note / fun fact: the Great Wall of China (which you can't see from the moon, BTW) didn't work out as planned because after spending A LOT on the wall itself, they didn't pay the gatekeepers properly, who consequently were easily bribed.

    1. Anonymous Coward

      "Historical side note / fun fact: the Great Wall of China (which you can't see from the moon, BTW) "

      First point: If the moon is visible from the Great Wall by line of sight then Great Wall must also be visible from the moon.

      Maybe you can't resolve the detail of the Great Wall from the moon with the naked eye, but we have lenses that will get you a good view.

      We can buy such lenses here on earth, you just need to take the equipment to the moon and look back.

      Sadly my budget doesn't allow for me to go to the moon and take a photo showing the Great Wall to prove you wrong, you'll just have to take my word for it that you are.

      1. Mike Bell

        I wondered what had become of Black Bag the Faithful Border Bin Liner. Now I know!

      2. I. Aproveofitspendingonspecificprojects

        you'll just have to take my word for it that you are.

        Neither you nor we can go to the moon, but we can take your word for it instead of actually being able to see the Great Wall of China from the moon, do you mean?

        Aaaaaand now I have forgotten what remark of remarkable pedagoguery I was about to remark. Ta! (What hurts more than the annoyance you don't care is that what I would have stated might have astounded you but you will never know (or care.. you....))

  3. What? Me worry?

    He's already placed the app online

    It appears Patrick Wardle has already uploaded his new security app. https://objective-see.com/products/ostiarius.html

  4. tempemeaty
    Meh

    Well, it's not like Apple can do any better...

    You can't really expect more from Apple these days. This is the best they can do with OSX and still keep up with their release schedule. I wished Apple would do better but I don't think they want to. I don't even think they can.

    ¯\_(ツ)_/¯

  5. gnasher729 Silver badge

    I did a bit of extra work and checked what this "vulnerability" actually is.

    The vulnerability is that applications that are legitimately installed download and execute additional code, which then may not be code signed. And that is _not_ a problem.

    What Apple's Gatekeeper guarantees is that if you download, say, an app by XYZ Company, then the app you downloaded is actually created and signed by XYZ Company. Once the app is running, it does what it is programmed to do. If it does something malicious, you can sue XYZ Company. That's what Gatekeeper achieves.

    If that application downloads other code carelessly, and that code isn't code signed and it is malicious, then you still sue XYZ company.

    1. Frumious Bandersnatch

      gnasher, you didn't understand the vuln. Gatekeeper only verifies one blob (the vendor-provided bit) but if that blob depends on external libs, you can bundle up a valid, signed blob along with a malicious version of the external libs. Gatekeeper only validates the blob and when the application is run it calls the malicious libs and the machine is hacked.

      You say it's not a problem, but it is. All I have to do is put a blog post saying that company XYZ has released a new version of the app and provide a link to a tainted bundle. Gatekeeper will tell you that the protected blob part is valid and you'll be none the wiser that something bad happened.

      I'm not 100% sure about how the "bundling" happens, but in terms of an analogy, it seems to be like providing a signed RPM or DEB package on Linux, but only signing the files to be installed while allowing arbitrary, unsigned install scripts to be included, leading to ownage.

      1. gnasher729 Silver badge

        Frumious, I've had enough battles with Gatekeeper to fully understand how it works.

        The bundle must be code signed and after that it cannot be modified anymore without being rejected by MacOS X. So the "problem" can only happen if the original, code signed application itself randomly loads other software without checking. If an application by company XYZ doesn't do stupid things then no, you can't just publish a tainted bundle.

        1. Roo
          Windows

          "So the "problem" can only happen if the original, code signed application itself randomly loads other software without checking."

          ... or someone finds a vulnerability in the signed application and exploits it to cause the application to load "other software" thereby bypassing Gatekeeper. Essentially Gatekeeper isn't capable of enforcing the policy.
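The disagreement between gnasher729 and Frumious Bandersnatch above comes down to where the code a signed app loads at run time actually lives. The following Python model is an added example, not code from the article, from Apple or from Patrick Wardle: the bundle layout, file names, the HMAC "signatures", the key names and the policy flag are all constructed here for illustration. It shows that a bundle seal does catch a library swapped inside XYZ.app (gnasher729's point), but that the seal cannot see a library the app loads from beside the bundle in the disk image, so the only check that closes that path is one applied to each code load, not just to the bundle the user double-clicked.

```python
"""Toy model of a sealed app bundle versus code it loads at run time.

Constructed for illustration; not Apple's code, not the article's, not
Wardle's proof of concept. HMAC stands in for a real code signature.
"""
import hashlib
import hmac

DEV_KEY = b"xyz-company-signing-key"   # stands in for XYZ Company's private key
MAIN = "XYZ.app/Contents/MacOS/XYZ"
INNER = "XYZ.app/Contents/Frameworks/libhelper.dylib"   # inside the bundle
OUTER = "libextra.dylib"   # beside XYZ.app in the disk image, outside the bundle


def image() -> dict:
    """Constructed disk image: path -> file bytes. XYZ loads both libraries by relative path."""
    return {
        MAIN: b"main: load Contents/Frameworks/libhelper.dylib; load ../../../libextra.dylib",
        INNER: b"benign helper",
        "XYZ.app/Contents/Info.plist": b"CFBundleExecutable=XYZ",
        OUTER: b"benign extra",
    }


def sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, data: bytes) -> str:
    """Toy code signature: HMAC over the bytes being signed."""
    return hmac.new(key, data, "sha256").hexdigest()


def seal_bundle(files: dict, key: bytes = DEV_KEY) -> str:
    """Developer seals a manifest of every file under XYZ.app; files outside are not covered."""
    manifest = "\n".join(f"{p} {sha(files[p])}" for p in sorted(files) if p.startswith("XYZ.app/"))
    return sign(key, manifest.encode())


def gatekeeper_assess(files: dict, seal: str) -> bool:
    """Gatekeeper-style check: re-derive the bundle seal and compare it with the shipped one."""
    return hmac.compare_digest(seal_bundle(files), seal)


def run(files: dict, seal: str, library_validation: bool = False, lib_sigs: dict = None):
    """Simulate launch: assess the bundle, then the main binary loads INNER and OUTER.

    Returns the list of library contents that were actually loaded, or None if the
    bundle was refused outright. With library_validation on, each load is checked
    against a signature made with the developer's key (an assumed policy).
    """
    if not gatekeeper_assess(files, seal):
        return None
    loaded = []
    for lib in (INNER, OUTER):
        if library_validation:
            sig = (lib_sigs or {}).get(lib)
            if sig is None or not hmac.compare_digest(sign(DEV_KEY, files[lib]), sig):
                continue   # refuse this load; the rest of the app keeps running
        loaded.append(files[lib])
    return loaded


def scenario_swap_inside() -> bool:
    """Attacker replaces the helper inside the sealed bundle: the seal no longer matches."""
    files = image()
    seal = seal_bundle(files)
    files[INNER] = b"malicious helper"
    return gatekeeper_assess(files, seal)


def scenario_swap_outside(library_validation: bool):
    """Attacker keeps the sealed bundle intact and swaps the library beside it in the image."""
    files = image()
    seal = seal_bundle(files)
    sigs = {p: sign(DEV_KEY, files[p]) for p in (INNER, OUTER)}   # developer-issued
    files[OUTER] = b"malicious extra"
    sigs[OUTER] = sign(b"attacker-key", files[OUTER])   # attacker cannot use DEV_KEY
    return gatekeeper_assess(files, seal), run(files, seal, library_validation, sigs)


if __name__ == "__main__":
    print("swap inside bundle, assess passes:", scenario_swap_inside())
    print("swap outside bundle, no load check:", scenario_swap_outside(False))
    print("swap outside bundle, load check on:", scenario_swap_outside(True))
```

The real-world analogues of `seal_bundle` and `gatekeeper_assess` are `codesign --verify --deep --strict --verbose=2 XYZ.app` and `spctl --assess --type execute XYZ.app`; both look at the bundle and neither sees what the running binary later loads from a relative path outside it, which is what the `library_validation` flag in the model stands in for.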

  6. Pointer2null

    Be smart

    don't buy Apple.

  7. Naselus

    Sounds familiar

    This is Apple's usual strategy for dealing with a vulnerability - just blacklist apps which take advantage of it and leave a glaring hole wide open. They did it about six months ago, when they just cancelled a certificate (the apple fans here also felt that was an absolutely fine way of dealing with it, rather than a 1993 approach).

    It's a bit like if Microsoft responded to Windows vulnerabilities in the wild by just releasing a new hosts file which blocked websites hosting malware using the vector... Apple's entire philosophy when it comes to security in both iOS and OSX is so out of date that it's embarrassing.
