Over the summer, security researcher Patrick Wardle notified Apple of vulnerabilities in Gatekeeper, the OS X security feature that checks the code signature of software users download before letting it run. Soon thereafter, the press wrote about the problem and Apple released a patch. Mr. Wardle thought that was the end of the story.
Then, in December, as Mr. Wardle worked up a presentation about the Gatekeeper flaw for a security conference, he noticed something was amiss with Apple's fix.
"Their patch was horrible," said Mr. Wardle, director of research at Synack, a cybersecurity firm. Gatekeeper was still susceptible to attack.
Technically, the Gatekeeper flaw isn't a bug in the usual sense. The program still does exactly what it's meant to do: verify the signature of the application a user downloads from the Internet. But downloaded applications often bundle or load unsigned, third-party components, such as Photoshop plugins or certain browser components, and Gatekeeper was never built to check those. Its verdict covers the application binary it was handed, not the code that binary goes on to load. Attackers could, and still can, hide malware in those third-party inclusions.
When Apple patched Wardle's discovery, the update did not stop legitimately signed programs from loading malicious third-party libraries or extensions. Instead, the patch blacklisted the specific applications Wardle had used to prove his concept.
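The distinction the two paragraphs above draw, between the main executable whose signature Gatekeeper checks and the libraries that executable pulls in, can be made concrete by reading the load commands of a Mach-O binary. The Python below is an added example for this page, not code from the article, from Apple, or from Wardle's tools. It constructs a minimal 64-bit Mach-O in memory (a header plus three LC_LOAD_DYLIB commands; no real application is read), parses the dependency list back out, and separates OS libraries from libraries that ship with the app. The "system vs. external" split by path prefix is this example's own heuristic: libraries under /usr/lib and /System/Library are part of the OS image, while anything resolved through @executable_path, @rpath or @loader_path is delivered alongside the app and is exactly what a check of the main binary alone says nothing about.

```python
import struct

# Mach-O constants, as defined in <mach-o/loader.h>.
MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0000000C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
DYLIB_CMDS = (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB)

HEADER_FMT = "<IiiIIIII"                    # mach_header_64, little-endian
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 32 bytes

# Heuristic assumed by this example (not an Apple rule): libraries under these
# prefixes belong to the OS image; everything else is shipped with, or next to,
# the app and is outside what a signature check of the main binary proves.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")


def dylib_command(name: str, cmd: int = LC_LOAD_DYLIB) -> bytes:
    """Encode one dylib_command: cmd, cmdsize, dylib struct, NUL-terminated name, 8-byte padded."""
    raw = name.encode() + b"\0"
    size = 24 + len(raw)
    size += (-size) % 8                     # cmdsize must be a multiple of 8
    # Fields: cmd, cmdsize, name offset (24), timestamp, current_version, compat_version
    fixed = struct.pack("<IIIIII", cmd, size, 24, 0, 0x10000, 0x10000)
    return fixed + raw.ljust(size - 24, b"\0")


def build_macho(dylibs) -> bytes:
    """Constructed sample: an x86_64 MH_EXECUTE header followed only by dylib load commands."""
    cmds = b"".join(dylib_command(d) for d in dylibs)
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x01000007, 3, 2,
                         len(dylibs), len(cmds), 0, 0)
    return header + cmds


def linked_dylibs(data: bytes):
    """Walk the load-command table and return every library dyld maps before main() runs."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated Mach-O header")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat and 32-bit files are out of scope here)")
    end = HEADER_SIZE + sizeofcmds
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    off = HEADER_SIZE
    names = []
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load-command table truncated")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        if cmd in DYLIB_CMDS:
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            if name_off >= cmdsize:
                raise ValueError("dylib name offset lies outside its command")
            raw = data[off + name_off:off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names


def external_dylibs(data: bytes):
    """Libraries not supplied by the OS: each one needs its own signature check."""
    return [n for n in linked_dylibs(data) if not n.startswith(SYSTEM_PREFIXES)]


# Constructed sample binary: one OS library and two libraries that travel with the app.
SAMPLE_APP = build_macho([
    "/usr/lib/libSystem.B.dylib",                      # OS library, covered by Apple's signature
    "@executable_path/../Frameworks/libHelper.dylib",  # bundled inside the app
    "@rpath/libPlugin.dylib",                          # resolved at load time through LC_RPATH
])

if __name__ == "__main__":
    for lib in external_dylibs(SAMPLE_APP):
        print("needs its own signature check:", lib)
```

On a real binary, `otool -L` prints the same dependency list, and each external path would then be handed to `codesign --verify` in turn. Note what this listing does not cover: plugins and extensions that an application opens at runtime with dlopen, like the Photoshop plugins mentioned above, never appear in the load commands at all, which is one more reason a signature check confined to the downloaded executable cannot stand in for verifying the code it actually runs.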
"I told them from day one the issue was that Gatekeeper was not verifying third-party extensions and here are one or two applications I could abuse, even though I'm sure I could find other examples," he said.
Wardle worries that fixing what amounts to a symptom rather than the actual problem could unleash a host of new Mac attacks.
"If I'm a Mac hacker, and Apple has a history of not fully patching issues, I'm going to wait until they send out a patch and reverse engineer how to get around it," he said.
Wardle will present his latest findings at ShmooCon, a security conference this weekend in Washington, alongside his own working patch, available on his website. He cautions that his patch is an unofficial product meant more as a demonstration than an official solution – users should download at their own risk.
Apple declined to comment for this story. Wardle says Apple told him that a more comprehensive fix was in the works. More immediately, Apple has already blacklisted the examples Wardle mentions in his upcoming talk.
Though Wardle remains a dedicated Mac user, he would very much like to see the issue finally be resolved.
He joked, "I love my Apple products. But I travel internationally, and I’m sure hackers would like to steal the bugs I’m working on. Apple doesn’t pay outside researchers to report bugs, so this is almost entirely about protecting my own work."