Tools available on Mac computers designed to protect users from malicious content can easily be circumvented, according to a security researcher.
Speaking at the RSA conference in San Francisco on Thursday, SYNACK's research director Patrick Wardle described how the two security tools used in OS X can be bypassed to run malicious software.
Wardle, according to ZDNet, stated: "If Macs were absolutely safe, I would not be here to speak."
The two security features, Gatekeeper and XProtect, were added to the most recent versions of OS X in response to growing threats from malware.
The Gatekeeper feature was added in OS X 10.8 "Mountain Lion" and restricts how applications can be opened and run on a computer. By default, most apps must be verified as coming from the Apple App Store or from trusted developers. XProtect is a rudimentary malware scanner for Mac, added in OS X 10.6 "Snow Leopard." It can also block specific applications and plugins if they have known vulnerabilities.
"Gatekeeper does not verify the content of applications," Wardle said. When an application is launched, Gatekeeper either recognizes where it came from and allows it to start, or does not recognize it and blocks it. It does not continuously monitor the application once it is running, which according to Wardle could be a problem.
"So if I can find an Apple-approved app and convert it to load external content when the user runs it, Gatekeeper can be bypassed."
He also stated that XProtect was very easy to bypass.
Recompiling a known malware sample changes its hash, which is how Wardle was able to get the malware past XProtect's signature checks.
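The point Wardle makes about XProtect is that a detection keyed on a file hash stops matching as soon as a single byte of the binary changes. The script below, added here as an illustration and not part of the original report or of any Apple or Synack code, shows the contrast from a defender's side: a hash blocklist built from one analysed sample versus a content rule that matches a byte pattern the whole family shares. The two "builds" are constructed stand-ins (a Mach-O magic prefix, a build string, and a placeholder hostname in the reserved `.invalid` domain), not real malware samples.

```python
import hashlib
import re

# Constructed stand-ins for two builds of the same program. They differ only in
# the embedded build string, which is the kind of change a recompile produces.
# The leading bytes are the little-endian 64-bit Mach-O magic; the hostname is
# a placeholder in the reserved .invalid TLD.
MACHO_MAGIC_64 = b"\xcf\xfa\xed\xfe"
ORIGINAL_BUILD = MACHO_MAGIC_64 + b"build=20150401\x00" + b"connect example-c2.invalid\x00"
RECOMPILED_BUILD = MACHO_MAGIC_64 + b"build=20150402\x00" + b"connect example-c2.invalid\x00"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a blob, the kind of value a hash-based blocklist stores."""
    return hashlib.sha256(data).hexdigest()


# A hash-only blocklist, populated from the one sample that was first analysed.
HASH_BLOCKLIST = {sha256_hex(ORIGINAL_BUILD)}


def hash_blocklist_hit(data: bytes) -> bool:
    """True only if this exact byte sequence was previously catalogued."""
    return sha256_hex(data) in HASH_BLOCKLIST


# A content rule: a byte pattern every build of the family carries, here the
# embedded "connect <host>" string. Real rules would combine several such
# features to keep false positives down.
CONTENT_RULES = [
    re.compile(rb"connect [a-z0-9.-]+\.invalid\x00"),
]


def content_rule_hit(data: bytes) -> bool:
    """True if any content rule matches somewhere in the blob."""
    return any(rule.search(data) for rule in CONTENT_RULES)


def classify(data: bytes) -> dict:
    """Run both detection strategies over a blob and report each verdict."""
    return {
        "sha256": sha256_hex(data),
        "hash_hit": hash_blocklist_hit(data),
        "content_hit": content_rule_hit(data),
    }


if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL_BUILD), ("recompiled", RECOMPILED_BUILD)):
        verdict = classify(blob)
        print(f"{name:10s} hash_hit={verdict['hash_hit']!s:5s} "
              f"content_hit={verdict['content_hit']!s:5s} sha256={verdict['sha256'][:16]}...")
```

Running it shows the original build tripping both checks while the recompiled build trips only the content rule. The lesson for anyone maintaining a blocklist is that a hash is a precise identifier of one file, not of a malware family; family coverage needs rules over the bytes (or behaviour) the variants have in common.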
In addition, although he called the XProtect sandboxing feature "strong", it can still be bypassed through a number of known kernel-level vulnerabilities.