At the end of last year, Apple patched Gatekeeper in OS X after a security researcher found a flaw in how it protects the system from untrusted applications. Gatekeeper is the feature that allows only software signed with an Apple-issued developer certificate to run on Macs, whether the software is distributed through the Mac App Store or directly by the developer.
The change was meant to block a technique in which a legitimately signed application is used to load other, malicious executables without violating OS X's code-signing rules. According to Patrick Wardle, who spoke to Ars Technica again about what Apple did in response to his discovery, it was not very difficult to find a way around the fix.
Wardle's tactic was to take files already trusted by OS X and repackage them together with malicious code, so that the resulting bundle would still be accepted. Apple's response was to use XProtect, the operating system's built-in anti-malware signature feature, to block the specific files he had used from running unsigned software. The same flaw could be exploited again, however, as soon as the researcher switched to a different trusted, signed system file to carry out the attack.
Since the test was carried out last Thursday (1/14), the files used have been sent to Kaspersky so that third-party antivirus signatures can cover them until Apple is notified of the issue and updates XProtect. That approach is considered flawed, though, because it leaves Macs exposed to the same problem for as long as files capable of exploiting it remain easy to find.
In a statement, Apple said it is working to make Gatekeeper more effective against attacks of this kind. Wardle proposed a mechanism that would inspect every new executable whenever a file downloaded from the internet is opened by the user, but it is still unclear whether OS X will adopt that technique in the future.
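The gap the article describes is that Gatekeeper assesses the file the user opened, not every executable that file may later load. The following added example (written for this article, not code from Apple or from Wardle) shows the kind of check Wardle's proposal implies: walk an unpacked download, find every Mach-O file by its magic number rather than by extension, and verify each one with `codesign` where that tool exists. The `Trusted.app` bundle, its `helper.dylib`, and the function names are constructed for illustration; the sample files carry only a Mach-O header, so on a real Mac they will (correctly) fail verification.

```python
import os
import shutil
import subprocess
import tempfile

# Mach-O magic numbers in both byte orders, plus the fat/universal header.
# Note: 0xCAFEBABE is also the Java class-file magic, so a fat-binary hit
# should be confirmed with the fat header's architecture count if that matters.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC    (32-bit)
    b"\xce\xfa\xed\xfe",  # MH_CIGAM    (32-bit, byte-swapped)
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64 (what x86-64 binaries look like on disk)
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC   (universal binary)
}


def is_macho(path):
    """True if the file starts with a Mach-O or fat-binary magic number."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_executables(root):
    """List every Mach-O file under root, relative to root.

    This is the part Gatekeeper skips: it checks the item the user opened,
    while a repackaged bundle can carry extra executables next to it.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p) and is_macho(p):
                found.append(os.path.relpath(p, root))
    return sorted(found)


def assess_all(root):
    """Run `codesign --verify --strict` on every Mach-O found under root.

    Returns a dict of relative path -> "ok", "unsigned-or-invalid", or
    "unchecked" (the last when codesign is not present, e.g. off macOS).
    """
    codesign = shutil.which("codesign")
    results = {}
    for rel in find_executables(root):
        if codesign is None:
            results[rel] = "unchecked"
            continue
        proc = subprocess.run(
            [codesign, "--verify", "--strict", os.path.join(root, rel)],
            capture_output=True,
        )
        results[rel] = "ok" if proc.returncode == 0 else "unsigned-or-invalid"
    return results


def build_sample_bundle():
    """Constructed sample: a fake Trusted.app whose MacOS/ directory holds the
    main binary and a second Mach-O (helper.dylib) placed beside it. The
    bodies are just a 64-bit Mach-O magic plus zero padding, not real code."""
    root = tempfile.mkdtemp()
    macos_dir = os.path.join(root, "Trusted.app", "Contents", "MacOS")
    os.makedirs(macos_dir)
    header = b"\xcf\xfa\xed\xfe" + b"\0" * 28
    with open(os.path.join(macos_dir, "Trusted"), "wb") as f:
        f.write(header)
    with open(os.path.join(macos_dir, "helper.dylib"), "wb") as f:
        f.write(header)
    with open(os.path.join(root, "Trusted.app", "Contents", "Info.plist"), "wb") as f:
        f.write(b"<plist/>")  # not an executable; must not be listed
    return root


if __name__ == "__main__":
    sample = build_sample_bundle()
    for rel, status in assess_all(sample).items():
        print(f"{status:20s} {rel}")
```

Identifying executables by magic number rather than by file extension matters here: the extra payload in a repackaged bundle need not be named `.app` or `.dylib`, and Gatekeeper's quarantine flag is not what decides whether a trusted binary will load it.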