DLL hacking – a new threat to OS X

It was only a matter of time before someone found a way to bypass Gatekeeper; according to Patrick Wardle of Synack (interviewed by Michael Mimoso on the Threatpost blog), that has just happened.

Gatekeeper is the security module in recent versions of OS X which decides whether a newly-installed app (and some other types of software) can be run. It is controlled in the General tab of the Security & Privacy pane; most users set it either to allow only apps downloaded from the Mac App Store (the most secure setting) or to allow those plus apps from identified developers (the second notch).

This forces a check of the code signature embedded in the app. If the signature is missing or incorrect, OS X will refuse to run it, which can protect you from a Trojan or other malware. You can still manually override the check, of course, but that is a deliberate move and not something done routinely. Once the app has been opened for the first time, Gatekeeper no longer checks it, and it will continue to open thereafter as normal.

Wardle has already informed Apple of this vulnerability, and later this week will be demonstrating it at a security conference, CanSecWest.

Once he has used this method to get malware onto the Mac past Gatekeeper, he claims it can go on to hijack existing dynamic library (dylib) code on the machine in order to persist, grab data, and pass that data back to online services such as iCloud. He also has malware which demonstrates infection of Xcode, Apple’s development environment for OS X (and iOS), so that malicious code is added to the apps a developer builds without the developer being aware of it.
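Reviewing a binary for the conditions a dylib hijack could exploit starts with knowing which libraries it asks the loader for. The Python below is an added example, not code from this post or from Wardle's research: it parses the load commands of a 64-bit Mach-O file (layout constants from Apple's mach-o/loader.h) and lists weak imports and @rpath-relative imports together with the rpath search list, which are the entries an auditor would review first. That the review should focus on weak and @rpath imports is this example's assumption about how such hijacks work, not something the post states. The sample Mach-O bytes are constructed inline for the demonstration and do not represent any real application.

```python
"""
Added example (not from the original post): inventory the dynamic-library
load commands of a little-endian 64-bit Mach-O file and flag the entries an
auditor would want to review. Layout constants follow <mach-o/loader.h>;
the sample binary built by build_sample() is constructed for this demo.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_RPATH = 0x1C | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
LC_LOAD_UPWARD_DYLIB = 0x23 | LC_REQ_DYLD

DYLIB_COMMANDS = {
    LC_LOAD_DYLIB: "load",
    LC_LOAD_WEAK_DYLIB: "weak",
    LC_REEXPORT_DYLIB: "reexport",
    LC_LOAD_UPWARD_DYLIB: "upward",
}


def _lc_str(body: bytes) -> str:
    """Both dylib_command and rpath_command keep an lc_str at byte 8: a
    uint32 offset (relative to the command start) of a NUL-terminated path."""
    (off,) = struct.unpack_from("<I", body, 8)
    if off < 12 or off >= len(body):
        raise ValueError("lc_str offset outside its load command")
    return body[off:].split(b"\0", 1)[0].decode()


def parse_load_commands(data: bytes) -> dict:
    """Return {'rpaths': [...], 'dylibs': [(kind, path), ...]}.
    Raises ValueError on a malformed or truncated command table."""
    if len(data) < 32:
        raise ValueError("too short for a mach_header_64")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack("<8I", data[:32])
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat binaries not handled)")
    rpaths, dylibs = [], []
    pos, end = 32, 32 + sizeofcmds
    for _ in range(ncmds):
        if pos + 8 > len(data):
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from("<2I", data, pos)
        if cmdsize < 8 or pos + cmdsize > end or pos + cmdsize > len(data):
            raise ValueError(f"bad cmdsize at offset {pos}")
        body = data[pos:pos + cmdsize]
        if cmd == LC_RPATH:
            rpaths.append(_lc_str(body))
        elif cmd in DYLIB_COMMANDS:
            dylibs.append((DYLIB_COMMANDS[cmd], _lc_str(body)))
        pos += cmdsize
    return {"rpaths": rpaths, "dylibs": dylibs}


def hijack_review_items(info: dict) -> list:
    """Entries worth a second look: weak imports (the loader tolerates a missing
    file, so a planted one is accepted) and @rpath imports (resolved through the
    LC_RPATH search list, so every directory on that list needs to be trusted)."""
    items = []
    for kind, path in info["dylibs"]:
        if path.startswith("@rpath/"):
            items.append(f"@rpath import: {path} (search list: {info['rpaths']})")
        if kind == "weak":
            items.append(f"weak import: {path}")
    return items


# --- constructed sample binary (not a real application) ---------------------
def _dylib_cmd(cmd: int, path: bytes) -> bytes:
    name = path + b"\0"
    size = 24 + len(name)
    size += (-size) % 8                      # load commands are 8-byte aligned
    return struct.pack("<6I", cmd, size, 24, 2, 0x10000, 0x10000) + name.ljust(size - 24, b"\0")


def _rpath_cmd(path: bytes) -> bytes:
    name = path + b"\0"
    size = 12 + len(name)
    size += (-size) % 8
    return struct.pack("<3I", LC_RPATH, size, 12) + name.ljust(size - 12, b"\0")


def build_sample() -> bytes:
    cmds = (
        _dylib_cmd(LC_LOAD_DYLIB, b"/usr/lib/libSystem.B.dylib")
        + _rpath_cmd(b"@executable_path/../Frameworks")
        + _rpath_cmd(b"/tmp/sample-writable-dir")          # constructed, hypothetical
        + _dylib_cmd(LC_LOAD_DYLIB, b"@rpath/Helper.framework/Helper")
        + _dylib_cmd(LC_LOAD_WEAK_DYLIB, b"/usr/lib/libOptional.dylib")
    )
    # cputype x86_64, cpusubtype ALL, filetype MH_EXECUTE, 5 commands
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 5, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    for item in hijack_review_items(parse_load_commands(build_sample())):
        print(item)
```

Run against a real binary by passing `open(path, "rb").read()` to `parse_load_commands`; fat (multi-architecture) files and 32-bit images are rejected rather than misparsed, and a truncated command table raises instead of silently returning a partial inventory.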

Although these are significant vulnerabilities which could dramatically alter the threat environment for OS X users, there is no need to panic just yet. Hopefully Apple will shortly close this vulnerability in Gatekeeper, although Wardle’s other hijacking exploits will still need a careful watch. Current versions of anti-virus utilities were apparently unable to detect his demonstration malware, but this may change as their vendors update their products in the light of this information.

Now is a good time to ensure that you keep up to date with OS X updates, and security updates in particular.