Apple OS X anti-malware tool easily bypassed

Apple's approach to software security was dealt another blow last week after an infosec researcher revealed the company's Gatekeeper anti-malware feature could be easily bypassed.

Gatekeeper is a feature built into the OS X operating system that verifies the authenticity of software installed on Mac computers.

Its goal is to help both novice and experienced Mac users ensure that an installed app has not been maliciously modified.

The technology - which was introduced in 2012 - only allows code digitally signed by registered devlopers to run on the Mac. Users can also alter the settings to only allow packages from the Mac App Store to run.

But Patrick Wardle, director of research of security firm Synack and former NSA staffer, last week detailed how to bypass the restrictions at the Virus Bulletin conference in Prague.

He revealed unpatched vulnerabilities in the Gatekeeper software allowed attackers to circumvent the feature and deploy unsigned binaries on victims' machines.

Wardle said the problem was Gatekeeper only verifies the signatures on app bundles  - meaning unsigned bundles stored outside an app can be loaded without being passed through the anti-malware tool.

He said once a signed application is run and pulls in an outside file, that file will be loaded and allowed to execute without being checked by Gatekeeper.

The hole makes it possible for attackers to inject malicious software into a signed application, Wardle said, leaving the door open for password loggers, audio and video-capturing apps and botnet software to be installed on the user device.

He said he had notified Apple of the security vulnerability and expected a fix to come soon.

Until then, users should stick to only downloading software from the Mac App Store, he said.