Former NSA staffer warns that bypassing OS X security tools is critical
May 7, 2015
A former NSA worker turned security researcher is now warning that bypassing typical OS X security tools could be damaging.
Patrick Wardle, a former NSA staffer and NASA intern who now heads up research at crowd-sourced security intelligence firm Synack, found that Apple's defensive Gatekeeper technology can be bypassed allowing unsigned code to run.
Apple's Gatekeeper utility is pre-installed on OS X machines and is used to verify code. The tool is designed so that by default it will only allow signed code to run or, depending on settings, only packages from the Mac App Store.
To be sure, Apple's built-in security mechanisms (Gatekeeper, XProtect anti-malware, its sandboxing features and kernel code-signing requirements) are all easy to get around and exploitable, according to Wardle.
He said he worked closely with Apple's internal security teams, describing them as responsive, while noting that the wider consumer electronics firm had yet to embrace a culture where "comprehensive security is baked into their OS X systems" from the outset.
In contrast to OS X, iOS has solid security integration, according to Wardle. A bug bounty from Apple (along the lines of schemes introduced by Google, Microsoft and many others) would be beneficial, according to Wardle, whose firm Synack would stand to benefit from such a scheme.
"Google products have themselves, become more secure because of bug bounties," Wardle added. "Introducing them seems to be a no brainer and they prove that they work in effectively protecting users."
During the course of his research, Wardle also found a method to circumvent Apple's recent security fix for the rootpipe privilege escalation vulnerability in OS X.
Wardle also coded his own malware to see if a variety of third-party anti-malware utilities could detect it. They all failed.
We caught up with Wardle after a well-received tour presenting his research that took him to Infiltrate in Miami and the RSA Conference in San Francisco in April.
He explained that he hoped his Infiltrate talk, entitled Writing BadAss OS X Malware would encourage Mac defenders to improve their strategy.
"The state of OS X malware is amateur, even basic," Wardle said. "It relies on trivially detectable persistence mechanisms and generally relies on infecting users via social engineering tricks such as offering free but infected copies of PhotoShop."
Known Mac malware samples remain measurable in the hundreds or thousands. Mac desktop anti-virus developers can detect most of the nastiest out there, even though they remain ill-prepared for the type of advanced malware that nation states (think ISIS) might be able to put together, according to Wardle.
"Anti-virus software developers seem to be resting on their laurels," Wardle explained. "For example, Windows anti-virus offers heuristics and runtime behavioral analysis, but Mac may not."
Up until recently, all Mac security software packages were downloaded over unencrypted HTTP connections, relying on Gatekeeper for code verification. Because Wardle uncovered a way to bypass Gatekeeper, this opens the door to man-in-the-middle or other attacks.
"More advanced attackers, such as nation states, would be able to see a download in progress before injecting code into legitimate downloads," Wardle warned.
Apple might like to lock down Macs and "impose more control of third party code" but this is more difficult to impose on desktop systems than on smartphones and tablets running iOS, according to Wardle.
Asked whether he was concerned that his research might be giving bad guys ideas they hadn't thought of themselves, Wardle justified his work.
"Advanced adversaries are likely already doing these things," he warned, adding by way of example the Rootpipe zero-day privilege escalation vulnerability (CVE-2015-1130) that, once publicly disclosed, was subsequently found in OS X malware that predated the vulnerability being reported to Apple.
Since Wardle first published his research, some security vendors have switched to downloads over secure (HTTPS) connections.
"I love Mac products. I have an iPhone and an iPad and I want them to be secure," he said, adding that he had released a set of free software tools to secure Macs, available at objective-see.com.
Another potential issue is that Apple's desktop OS allows locally unsigned apps to run. Once hackers have compromised a machine they can take a signed binary and add their own code before re-signing it.
"OS X won't detect that an app that used to be signed is no longer signed," and still allows it to run, Wardle explained.
Overall, OS X is also vulnerable to dynamic library hijack attacks, through abuse of undocumented features of OS X's dynamic loader.
This new class of attacks, similar to the far more established DLL hijacking attacks on Windows, gives hackers another means to attack Macs.
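As an added illustration of the two points above (a binary that has lost its signature, and loader dependencies that an attacker could substitute), here is a small audit script written for this page; it is not Wardle's code and not an Apple tool. It parses the load commands of a 64-bit Mach-O and reports whether the LC_CODE_SIGNATURE load command is present, plus every dylib dependency and @rpath search path, flagging weak imports and @rpath-relative loads for review. The sample binaries, library names and paths are constructed for the example (they are bare load-command tables, not loadable programs). A present signature load command only means the binary carries a signature; validating it still needs `codesign --verify` on the Mac itself.

```python
import struct

# Mach-O constants as defined in <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF          # little-endian 64-bit Mach-O
CPU_TYPE_X86_64 = 0x01000007
MH_EXECUTE = 0x2
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_RPATH = 0x8000001C
LC_CODE_SIGNATURE = 0x1D
HEADER_SIZE = 32                  # sizeof(struct mach_header_64)


def parse_load_commands(data):
    """Return [(cmd, raw_command_bytes)] for a 64-bit little-endian Mach-O."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated Mach-O header")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat/32-bit files are out of scope)")
    cmds, off, end = [], HEADER_SIZE, HEADER_SIZE + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        # Bounds-check every command so a crafted header cannot make us read past the buffer
        if cmdsize < 8 or off + cmdsize > end or off + cmdsize > len(data):
            raise ValueError("malformed load command size")
        cmds.append((cmd, data[off:off + cmdsize]))
        off += cmdsize
    return cmds


def _cstring_at(blob, str_off):
    return blob[str_off:].split(b"\0", 1)[0].decode("utf-8", "replace")


def audit(data):
    """Summarise signature presence and loader dependencies of one Mach-O image."""
    result = {"signed": False, "dylibs": [], "rpaths": [], "warnings": []}
    for cmd, blob in parse_load_commands(data):
        if cmd == LC_CODE_SIGNATURE:
            result["signed"] = True
        elif cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name_off = struct.unpack_from("<I", blob, 8)[0]       # dylib_command.dylib.name offset
            result["dylibs"].append((_cstring_at(blob, name_off), cmd == LC_LOAD_WEAK_DYLIB))
        elif cmd == LC_RPATH:
            path_off = struct.unpack_from("<I", blob, 8)[0]       # rpath_command.path offset
            result["rpaths"].append(_cstring_at(blob, path_off))
    if not result["signed"]:
        result["warnings"].append("no LC_CODE_SIGNATURE load command: binary is unsigned or its signature was stripped")
    for name, weak in result["dylibs"]:
        if weak or name.startswith("@rpath/"):
            kind = "weak import" if weak else "@rpath-relative load"
            result["warnings"].append(f"review dependency {name}: {kind}")
    return result


# --- constructed sample images (load-command tables only, not runnable binaries) ---
def _dylib_cmd(cmd, name):
    raw = name.encode() + b"\0"
    size = 24 + len(raw)
    size += -size % 8                                             # ld pads cmdsize to 8 bytes
    return struct.pack("<6I", cmd, size, 24, 0, 0x10000, 0x10000) + raw.ljust(size - 24, b"\0")


def _rpath_cmd(path):
    raw = path.encode() + b"\0"
    size = 12 + len(raw)
    size += -size % 8
    return struct.pack("<3I", LC_RPATH, size, 12) + raw.ljust(size - 12, b"\0")


def make_sample(signed):
    """Hypothetical app binary: one system dylib, one weak @rpath helper, one rpath entry."""
    cmds = [_dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
            _dylib_cmd(LC_LOAD_WEAK_DYLIB, "@rpath/libHelper.dylib"),
            _rpath_cmd("/Applications/Example.app/Contents/Frameworks")]
    if signed:
        # linkedit_data_command: dataoff/datasize are placeholders, no signature blob follows
        cmds.append(struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0x4000, 0x200))
    body = b"".join(cmds)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, MH_EXECUTE, len(cmds), len(body), 0, 0)
    return header + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample(signed=False)
    for key, value in audit(data).items():
        print(f"{key}: {value}")
```

Run it against a real thin x86_64 binary to list what the loader will resolve; an unsigned result on a binary that shipped signed, or a weak @rpath dependency whose search path is writable by the logged-in user, is what a defender follows up on.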
Wardle's research also covered the possible use of encrypted Mac malware binaries and rootkit-like stealth techniques, as explained in much greater depth in slides from his RSAC presentation.
Source: Patrick Wardle.