Published in News

Apple’s Gatekeeper patch does not work

by on15 January 2016


Patch was just a Placebo

The Tame Apple Press did its best to tell the world that the fruity cargo cult Apple had fixed the Gatekeeper bug in its iOS software, however it looks like it is still broken and the patch was a placebo.

For those who came in late Gatekeeper was Apple’s security technology that blocks harmful applications from being installed. When a user downloads an application, Gatekeeper checks if it has a digital signature and blocks those that don't have one approved by Apple. However instead of a guard dog, it turned out to be daft Labrador who would let anyone in for the price of a biscuit and a scratch on the base of the tail.

Apple finally issued a patch in October and told everyone that had sent the problem away. No-one appeared to check that this was the case until Patrick Wardle, director of research with the company Synack, said he reverse-engineered a patch and found it was as effective as a chocolate teapot.

Wardle could still bypass Gatekeeper and install malware and he is expected to tell the world exactly how this afternoon at a US security conference.

"Releasing a patch claiming it is fixed kind of doesn't solve the problem. Users will think they're secure when they're not," he moaned to the media. It seems he has totally missed the point of what issuing a patch is supposed to do. It is not to make Macs more secure, that is far too hard. They are designed to make Apple users feel more secure by telling them everything is ok.

Wardle, who has studied OS X extensively, found the original bug that Apple patched, CVE-2015-7024. In fact all Apple’s patch did was blacklist the Apple-signed code that Wardle had used in his proof-of-concept code and some of its own files. All he had to do was target the same flaw with different code.

When Wardle pointed out to them what “proof of concept” meant Apple said that “working on a more effective patch” but he decided to go public anyway since users were still at risk.

Last modified on 15 January 2016
Rate this item
(6 votes)

Read more about: