Despite Apple’s marketing about Gatekeeper, the application verification program introduced with Mac OS X Mountain Lion seems to be mostly security theater.
A few months back Patrick Wardle found an easy way to launch an unsigned app as long as it was in the same directory as an app that was signed. This meant that it was possible to bundle malware in OS X and have it install itself without the user ever knowing. Keep in mind Gatekeeper is specifically designed to prevent this scenario from happening.
When Wardle disclosed the vulnerability to Apple, Apple released a patch that should have fixed the issue. But, according to a report by Ars Technica, Apple didn’t fix the issue at all; it simply went after the symptoms and blocked the signed apps that Wardle had been using to demonstrate the flaw.
When Wardle found this out, he showcased the vulnerability yet again, this time with a file signed by the security company Kaspersky Lab. Apple promptly released a patch that blacklisted that specific signed app.
Only a specific handful of apps can be piggybacked to allow this exploit to occur — it has to be authorized to execute other additional apps — but Apple appears to be manually blocking those apps instead of fixing the underlying issue.
According to Ars Technica, an Apple representative said that “Apple is aware of Wardle's research and continues to work on ways to make Gatekeeper more effective,” and that, “the new files Wardle privately reported have been blocked using XProtect, an antimalware feature that's a complement to Gatekeeper.”
Because Gatekeeper only checks the first executable file in an Apple disk image (dmg), it is easily bypassed: rename an app that is already signed and place it in the same dmg as other executable malware, and only the signed app is ever assessed.
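The gap described above is about coverage, not about the signature check itself, so the practical control for an administrator or an analyst is to assess every executable on a mounted image rather than trusting the first one. The script below is an added example, not code from the article, from Apple or from Wardle. It assumes the dmg has already been mounted (for instance with `hdiutil attach -readonly -nobrowse file.dmg`) and that macOS’s `spctl` tool is available; the `ASSESS_CMD` variable and the function names are my own and can be swapped for any command that takes a path and exits non-zero on failure.

```shell
#!/bin/sh
# Added example (not from the article, Apple or Wardle): assess EVERY executable
# inside a mounted disk image, not just the first one the installer launches.
# Assumes the dmg is already mounted and macOS `spctl` exists; ASSESS_CMD may be
# overridden with any command that takes a path and exits non-zero on failure.

ASSESS_CMD="${ASSESS_CMD:-spctl --assess --type execute}"

# list_executables DIR: every regular file with the owner execute bit set,
# including files inside hidden directories and nested .app bundles.
list_executables() {
    find "$1" -type f -perm -100 | sort
}

# count_executables DIR: how many executables the volume really contains.
count_executables() {
    list_executables "$1" | wc -l | tr -d ' '
}

# assess_volume DIR: run ASSESS_CMD on each executable, printing one
# "PASS path" or "FAIL path" line per file.
assess_volume() {
    list_executables "$1" | while IFS= read -r f; do
        if $ASSESS_CMD "$f" >/dev/null 2>&1; then
            printf 'PASS %s\n' "$f"
        else
            printf 'FAIL %s\n' "$f"
        fi
    done
}

# count_failures DIR: number of executables that did not pass assessment.
# A volume is only trustworthy when this is 0.
count_failures() {
    assess_volume "$1" | grep -c '^FAIL' || true
}

# Usage: sh assess_dmg.sh /Volumes/SomeInstaller
if [ -n "$1" ]; then
    assess_volume "$1"
    echo "executables: $(count_executables "$1"), failures: $(count_failures "$1")"
fi
```

The point of listing hidden directories and nested bundles is that the extra executable in the bypass is not the one a user double-clicks; a per-file pass/fail list makes the second binary visible before anything on the image is run.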
Wardle will be presenting the exploit in detail this weekend at the Shmoocon security conference.