The patch for Mac keeper vulnerability is invalid and can still be bypassed for attacks.

The patch for Mac keeper vulnerability is invalid and can still be bypassed for attacks.

Recently, security expert Patrick Wardle said that the patch released by Apple to fix the Mac OS X keeper vulnerability is invalid and cannot protect the security of users' Mac computers. In May September 2015, it was Patrick Wardle who first discovered the vulnerability.
Vulnerabilities discovered in March
Back in March last September, Patrick reminded Apple users on his blog about the security check mechanism GateKepper on Apple computers, which has security vulnerabilities.
Patrick found that the Keeper check mechanism is only a one-time static check, that is, only checks during application installation. If the application needs to load binary files during running, the Keeper will not check these Dynamically Loaded files.
FreeBuf encyclopedia
Let's take a look at the GateKepper function on the Apple Computer as follows,
Keeper is a function in Mountain Lion and OS x Lion v10.7.5. It is based on the existing malware check of OS X, it helps protect Mac against malicious software downloaded from the internet and abnormal apps.
1. Mac App Store is the safest and most reliable place to download and install apps. Before Mac App Store accepts an app, Apple will review it. If the app has problems, Apple can quickly delete it from the Store.
2. For apps downloaded from outside the Mac App Store, developers can obtain a unique Developer ID from Apple and use it to digitally sign their apps. With the Developer ID, Keeper can block apps created by malware developers and verify that the apps are tampered with (because they have been signed ). If an app is developed by an unknown Developer (it does not have a Developer ID) or has been tampered with, the Keeper can prevent the app from being installed.
3. You can use keeper to control the installation content more effectively. You can select the safest option to only open apps from Mac App Store. In addition, an option is provided to only enable apps developed by Mac App Store and recognized developers. Alternatively, you can select to allow all apps to be opened, just like OS X of earlier versions.
In short, Keeper can be said to be a real-time detection tool to filter installed apps to protect users' computer security.
However, according to Patrick's research, attackers can exploit the above vulnerability to put the compiled malicious application in a dedicated folder and put it under the application directory, load the execution files in the dedicated directory by using the application detected by the keeper to launch attacks. For more information, see the following figure,

Apple has no effect in fixing and reinforcing the Keeper vulnerability.
Apple previously announced that it had released patches to fix the problem. For specific patches, refer to Mac OS X El Capitan 10.11.1. However, Patrick found that, the released patch is not just a simple blacklist tool, as Apple said.
Patrick mentioned,
Apple does not really solve the source of the problem, but introduces another new security check tool, XProtect, by detecting the blacklist of binary files, to check whether the application loads malicious binary files.
In addition, the blacklist is basically a simple list, not a mature detection system. Therefore, we can also know that this simple blacklist method is very easy to bypass to detect whether the application has loaded malicious files.
This solution released by Apple also made many security experts confused: "How did Apple consider it?
POC video
Conclusion
For Apple computer users, it is recommended to download the App in the app Store as much as possible. Although sometimes it is not so convenient, it is still necessary to ensure security.

Recently, security expert Patrick Wardle said that the patch released by Apple to fix the Mac OS X keeper vulnerability is invalid and cannot protect the security of users' Mac computers. In May September 2015, it was Patrick Wardle who first discovered the vulnerability.
Vulnerabilities discovered in March
Back in March last September, Patrick reminded Apple users on his blog about the security check mechanism GateKepper on Apple computers, which has security vulnerabilities.
Patrick found that the Keeper check mechanism is only a one-time static check, that is, only checks during application installation. If the application needs to load binary files during running, the Keeper will not check these Dynamically Loaded files.
FreeBuf encyclopedia
Let's take a look at the GateKepper function on the Apple Computer as follows,
Keeper is a function in Mountain Lion and OS x Lion v10.7.5. It is based on the existing malware check of OS X, it helps protect Mac against malicious software downloaded from the internet and abnormal apps.
1. Mac App Store is the safest and most reliable place to download and install apps. Before Mac App Store accepts an app, Apple will review it. If the app has problems, Apple can quickly delete it from the Store.
2. For apps downloaded from outside the Mac App Store, developers can obtain a unique Developer ID from Apple and use it to digitally sign their apps. With the Developer ID, Keeper can block apps created by malware developers and verify that the apps are tampered with (because they have been signed ). If an app is developed by an unknown Developer (it does not have a Developer ID) or has been tampered with, the Keeper can prevent the app from being installed.
3. You can use keeper to control the installation content more effectively. You can select the safest option to only open apps from Mac App Store. In addition, an option is provided to only enable apps developed by Mac App Store and recognized developers. Alternatively, you can select to allow all apps to be opened, just like OS X of earlier versions.
In short, Keeper can be said to be a real-time detection tool to filter installed apps to protect users' computer security.
However, according to Patrick's research, attackers can exploit the above vulnerability to put the compiled malicious application in a dedicated folder and put it under the application directory, load the execution files in the dedicated directory by using the application detected by the keeper to launch attacks. For more information, see the following figure,

Apple has no effect in fixing and reinforcing the Keeper vulnerability.
Apple previously announced that it had released patches to fix the problem. For specific patches, refer to Mac OS X El Capitan 10.11.1. However, Patrick found that, the released patch is not just a simple blacklist tool, as Apple said.
Patrick mentioned,
Apple does not really solve the source of the problem, but introduces another new security check tool, XProtect, by detecting the blacklist of binary files, to check whether the application loads malicious binary files.
In addition, the blacklist is basically a simple list, not a mature detection system. Therefore, we can also know that this simple blacklist method is very easy to bypass to detect whether the application has loaded malicious files.
This solution released by Apple also made many security experts confused: "How did Apple consider it?
Conclusion
For Apple computer users, it is recommended to download the App in the app Store as much as possible. Although sometimes it is not so convenient, it is still necessary to ensure security.