Compromising Macs with simple Gatekeeper bypass

Discussion in 'other security issues & news' started by ronjor, Oct 1, 2015.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,755
    Location:
    Texas
    http://www.net-security.org/secworld.php?id=18919
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,066
    How malware developers could bypass Mac’s Gatekeeper without really trying
    http://arstechnica.com/security/201...bypass-macs-gatekeeper-without-really-trying/
     
  3. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,979
    Location:
    Brasil
    This is huge news for me, I didn't know it was so easy.

    From what I see, Gatekeeper works in a similar way to UAC: once UAC pops and the user allows the program to elevate privileges, it can run other programs with elevated privileges without UAC popping again. This can be reproduced by downloading MSI Afterburner. Upon executing it, UAC will pop (if it's set to do so). Then this installer will execute RivaTuner's installer, but since the first installer already got clearance, the second installer won't need it. In this case, however, the second installer is in the same .exe as the first installer (IIRC), but I assume the same behavior could be seen if the second installer was outside the first .exe.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,066
    I don't use Mac but I guess that it could be compared. From the article it seems that trusted files are used in these attacks. I don't know if the user is presented with a popup for those files. Maybe Apple auto-allows those files?
     
  5. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,979
    Location:
    Brasil
    I don't use Mac either :p My comparison was about how the first executable has to get clearance, but the second one doesn't.
     