Researcher: Malware Can Easily Bypass Security on Mac OS X


Security researcher Wardle states that it is not particularly difficult for malware to bypass the security of OS X. In a test, Apple’s built-in protection could not prevent the installation of malware.

Wardle presented his research at the RSAC conference, held at the Moscone Center in San Francisco in recent days; the slides of his presentation have been posted online. Among other things, he showed that Gatekeeper is easy to circumvent. This security mechanism is meant to ensure that only verified apps from the Mac App Store can be downloaded, but according to Wardle the “extra” content bundled with those apps is not checked. If a malicious person manages to ‘inject’ malware into a verified app, Gatekeeper will not notice it.

The security researcher also states that XProtect, another built-in security mechanism in OS X, can be bypassed. The anti-malware scanner can be fooled by recompiling a known piece of malware: this changes its hash, so XProtect no longer recognizes it. Wardle also points to the sandbox environment in which applications run on OS X; it is said to be affected by about twenty bugs that allow apps to ‘escape’ from it.

The presentation featured several examples of malware written to circumvent the security of OS X. Although there is little malware for OS X, Wardle says his research shows that better security tools are needed. Apple has not yet commented on the findings.
