Top 3 Security Flaws in OS X 10.9 Mavericks: Gatekeeper is Putting Your Mac at Risk

By @peevesky on

Users updating to Mavericks may have to watch out for a security flaw. According to reports, Apple may have unintentionally included a grave security flaw in OS X 10.9 Mavericks. So how much danger are users in with the new Mavericks?

Lawrence Lin of Trend Micro posted on his blog that Apple included a setting in OS X's software-screening component, Gatekeeper, that can put the OS at risk. The setting lets users conveniently "whitelist" suspicious software packages.

The new setting gives a suspicious software package a Gatekeeper "pass" by altering specific metadata attached to the package. Lin also noted that the altered metadata remains in effect even when the package is copied from one Mac to another.

This means that anyone who wants to attack other Macs can do so by distributing malicious applications through non-Internet channels such as USB sticks or shared folders, and Gatekeeper itself becomes one of the most convenient ways to get such an attack started.

Unfortunately, affected Mac users will get no warning even when they are about to run malicious software.

"It's a small hole, since nobody shares programs via USB drives these days," Robert Graham, chief executive officer of Atlanta-based Errata Security, said on Twitter.

"But I wonder if there aren't other ways to exploit it not described in the Trend advisory." 

Unwarranted Pass 

Gatekeeper was first introduced with OS X 10.8 Mountain Lion in 2012 and was also back-ported to OS X 10.7 Lion. Its main function is to restrict the kind of software people can install on their Macs.

Gatekeeper offers three settings: one allows only programs from the Mac App Store; another turns Gatekeeper off, allowing software to be installed regardless of its source; and the default setting allows apps or software carrying an Apple Developer ID digital signature.

Gatekeeper categorizes every software package obtained from the Internet, tagging each package with a "quarantine" value according to the kind of threat it is perceived to be. Lin found that packages obtained from sources other than the Mac App Store and lacking an Apple Developer ID signature receive a quarantine value of "0002".

Anyone attempting to open such an application under either of the two stricter Gatekeeper settings is warned: the system displays the message "can't be opened because it is from an unidentified developer." However, Lin pointed out that when Mavericks was released last October 22, Apple added another option. The pane lists which application was blocked, but alongside it is a button labeled "Open Anyway."

Clicking it changes the quarantine tag from "0002" to "0062," turning the application's permission into a lifetime pass.

"If the file is transferred to another Mac (if copied using a compatible file system)," Lin wrote, "this setting will also be honored by this other device." 
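As an added example (not part of the article or of Trend Micro's research), the following Python audit helper parses the `com.apple.quarantine` attribute value as the commonly documented `flags;timestamp;agent;uuid` string (an assumption about the layout) and reports files whose flags field carries the "0062" marker the article describes, as opposed to the plain "0002" of an ordinary unsigned download. The sample inventory is constructed; on a real Mac the values would come from `xattr -p com.apple.quarantine <file>`.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Values from the article: 0002 = unapproved unsigned download,
# 0062 = the same file after "Open Anyway". The bits that differ (0x0060)
# are treated as the approval marker; the meaning of each individual bit
# is an assumption, not something the article states.
UNAPPROVED_FLAGS = 0x0002
APPROVED_FLAGS = 0x0062
APPROVAL_MASK = APPROVED_FLAGS ^ UNAPPROVED_FLAGS  # 0x0060


@dataclass
class QuarantineInfo:
    flags: int
    timestamp: int
    agent: str
    uuid: str

    @property
    def user_approved(self) -> bool:
        # True when any of the "Open Anyway" bits is set in the flags field.
        return bool(self.flags & APPROVAL_MASK)


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse 'flags;hex-timestamp;agent;uuid'; trailing fields may be absent."""
    parts = value.strip().split(";")
    if len(parts) < 2 or not parts[0]:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    timestamp = int(parts[1], 16) if parts[1] else 0
    agent = parts[2] if len(parts) > 2 else ""
    uuid = parts[3] if len(parts) > 3 else ""
    return QuarantineInfo(flags, timestamp, agent, uuid)


def find_approved(entries: List[Tuple[str, str]]) -> List[str]:
    """Return the paths whose quarantine flags carry the approval marker."""
    approved = []
    for path, raw in entries:
        try:
            info = parse_quarantine(raw)
        except ValueError:
            continue  # malformed or empty attribute: nothing to conclude
        if info.user_approved:
            approved.append(path)
    return approved


# Constructed sample inventory: (path, raw com.apple.quarantine value).
SAMPLE = [
    ("/Volumes/USB/Tool.app", "0062;527f1a2b;Safari;00000000-0000-0000-0000-000000000001"),
    ("/Users/alice/Downloads/Installer.pkg", "0002;527f1a2b;Safari;00000000-0000-0000-0000-000000000002"),
    ("/Users/alice/Downloads/notes.txt", "0001;527f1a2b;Mail;00000000-0000-0000-0000-000000000003"),
]

if __name__ == "__main__":
    for p in find_approved(SAMPLE):
        print("user-approved quarantine flag on:", p)
```

A flagged path arriving on removable media or a shared folder is worth a second look, since the approval travels with the file rather than being granted on the receiving Mac.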

Lack of Checks 

The security flaw is alarming enough on its own, but another forum suggested the problem may have existed before Mavericks. A StackExchange thread points out that the issue predates Mavericks.

"GateKeeper allows me to install anything, no checks are done," wrote a user called Ron M.

"I can download applications from custom websites, and run them, even when my gatekeeper settings are at 'AppStore Only.' This is my application - it's not even signed," the user added. 

"What could be the reason for that? I can reproduce this behavior on all my 3 Macs."

Prior to Mavericks, the system already allowed "whitelisting" of unsigned programs, regardless of the user's administrative privileges.
