Friday, April 24, 2015

Former US intelligence officer calls the protections in OS X a myth

The protections built into the OS X operating system against malicious software can be bypassed easily, says information security expert Patrick Wardle. Wardle formerly worked at the NSA and at NASA and is now at the startup Synack. He presented his findings in a talk at the RSA Conference.

OS X has several mechanisms for protection against malicious software, the main ones being Gatekeeper and XProtect. Gatekeeper limits the sources from which a user can download and install applications. By default it allows applications from the Mac App Store, where every application is reviewed before publication, and from developers who sign their applications with an Apple-issued Developer ID. The user can tighten the setting to the Mac App Store only, or loosen it to allow applications from any source (which amounts to disabling Gatekeeper).
The problem is that Gatekeeper verifies only the signed application inside a downloaded disk image (.dmg); it does not check the other files the image contains. According to Wardle, an attacker can take a genuine installer from any developer and repackage it together with malicious dynamic libraries (.dylib files) that the legitimate application loads at launch. Because Gatekeeper never examines those files, the malicious content goes undetected.
XProtect, in turn, automatically checks files downloaded from the Internet by comparing their hashes against a database of known malicious applications. If a malicious application is simply recompiled, its checksum changes and XProtect finds nothing suspicious in the file. Moreover, merely renaming the malicious application is enough to defeat the protection, CNews quotes the expert as saying.
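The two weaknesses above, that Gatekeeper does not look at which libraries a signed application pulls in from paths relative to itself, and that a hash-based XProtect signature breaks as soon as a single byte changes, can be checked for directly in a Mach-O binary. The following is an added example written for this page, not code from Wardle or from Apple. It builds two small 64-bit Mach-O load-command tables in memory (constructed sample data, not real binaries), lists the dependency entries an attacker could satisfy with a planted library (weak dylibs, @rpath loads with more than one search directory, relative paths that climb out of the .app bundle), and shows that a hash signature for the first build does not match the second even though both are hijackable in exactly the same way. The "three '..' steps leave the bundle" rule and the finding labels are assumptions of this example.

```python
"""Added example (not from the original article or from Apple/Wardle):
which dylib loads Gatekeeper ignores, and why hash signatures are brittle.
The Mach-O samples are constructed inline; the heuristics are assumptions."""
import hashlib
import struct

MH_MAGIC_64 = 0xFEEDFACF
CPU_TYPE_X86_64 = 0x01000007
MH_EXECUTE = 0x2
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_RPATH = 0x8000001C
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB}


# --- builders: a minimal Mach-O header plus load commands -------------------
def _pad8(b):
    return b + b"\0" * (-len(b) % 8)          # load commands are 8-byte aligned

def dylib_cmd(cmd, path):
    """dylib_command: cmd, cmdsize, name offset (24), timestamp, two versions, name."""
    name = _pad8(path.encode() + b"\0")
    return struct.pack("<IIIIII", cmd, 24 + len(name), 24, 2, 0x10000, 0x10000) + name

def rpath_cmd(path):
    """rpath_command: cmd, cmdsize, path offset (12), path."""
    name = _pad8(path.encode() + b"\0")
    return struct.pack("<III", LC_RPATH, 12 + len(name), 12) + name

def macho(cmds):
    body = b"".join(cmds)
    hdr = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, MH_EXECUTE,
                      len(cmds), len(body), 0, 0)
    return hdr + body


# --- parser -----------------------------------------------------------------
def load_commands(data):
    if len(data) < 32 or struct.unpack_from("<I", data)[0] != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    ncmds = struct.unpack_from("<I", data, 16)[0]
    off, cmds = 32, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("truncated load command")
        cmds.append((cmd, data[off:off + cmdsize]))
        off += cmdsize
    return cmds

def _lc_str(raw, off_field):
    start = struct.unpack_from("<I", raw, off_field)[0]
    return raw[start:raw.index(b"\0", start)].decode()

def dependencies(data):
    """Return (rpath search dirs in order, [(cmd, path)] for every dylib load)."""
    rpaths, deps = [], []
    for cmd, raw in load_commands(data):
        if cmd == LC_RPATH:
            rpaths.append(_lc_str(raw, 8))
        elif cmd in DYLIB_CMDS:
            deps.append((cmd, _lc_str(raw, 8)))
    return rpaths, deps


# --- hijack candidates (heuristics are assumptions of this example) ---------
def escapes_bundle(path):
    """The main executable lives in App.app/Contents/MacOS, so three '..' steps
    from @executable_path/@loader_path resolve outside the signed bundle."""
    if not path.startswith(("@executable_path/", "@loader_path/")):
        return False
    return path.split("/").count("..") >= 3

def hijack_candidates(data):
    rpaths, deps = dependencies(data)
    findings = []
    for rp in rpaths:
        if escapes_bundle(rp):
            findings.append(("rpath-escapes-bundle", rp))
    for cmd, path in deps:
        if cmd == LC_LOAD_WEAK_DYLIB:          # absent at runtime: plant it
            findings.append(("weak-dylib", path))
        if path.startswith("@rpath/") and len(rpaths) > 1:   # plant in an earlier dir
            findings.append(("rpath-search-order", path))
        elif escapes_bundle(path):
            findings.append(("relative-load-escapes-bundle", path))
    return findings


# --- hash-based signature, the XProtect style of matching -------------------
def sha256(data):
    return hashlib.sha256(data).hexdigest()

def xprotect_style_match(data, bad_hashes):
    return sha256(data) in bad_hashes


# Constructed sample: same application linked twice with a different rpath order.
RPATHS = [rpath_cmd("@loader_path/../../../Frameworks"),
          rpath_cmd("@executable_path/../Frameworks")]
LIBS = [dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
        dylib_cmd(LC_LOAD_DYLIB, "@rpath/libfoo.dylib"),
        dylib_cmd(LC_LOAD_WEAK_DYLIB, "@executable_path/../Frameworks/libopt.dylib")]
SAMPLE = macho(RPATHS + LIBS)
RELINKED = macho(RPATHS[::-1] + LIBS)

if __name__ == "__main__":
    for kind, path in hijack_candidates(SAMPLE):
        print(f"{kind:30} {path}")
    bad = {sha256(SAMPLE)}
    print("original matches signature:", xprotect_style_match(SAMPLE, bad))
    print("relinked matches signature:", xprotect_style_match(RELINKED, bad))
    print("relinked still hijackable:  ",
          hijack_candidates(RELINKED) == hijack_candidates(SAMPLE))
```

The parser reads only the load-command table, which is all that is needed here; on a real binary you would feed it the bytes of `Contents/MacOS/<executable>` (or each slice of a fat binary) and compare the reported search directories against what actually ships inside the disk image next to the signed app. The same walk over LC_RPATH and LC_LOAD_*_DYLIB entries is what `otool -l` prints on a Mac.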
According to the expert, the other security technologies in OS X, application isolation and the code signatures used to validate programs, are just as easy to get around. The application sandbox can be escaped using known vulnerabilities in the OS X kernel, some of which Google's Project Zero published recently. Bypassing code-signature verification is an even simpler task: it is enough to strip the digital signature from an application, and the system will still execute the program, the expert says.
Overall, getting past all of the protection mechanisms in OS X is not particularly difficult for attackers, so the notion that Apple's operating system is more secure than Windows is somewhat mistaken, Wardle claims.