That’s according to Patrick Wardle of Synack - a company that bridges the gap between perceived security and actual security by leveraging hacker-powered exploitation intelligence. Let’s call it ‘crowdsourced’ security.
Wardle, a former NSA (National Security Agency) researcher, will be presenting his findings at Shmoocon - ‘An annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues.’
Wardle says Gatekeeper is trivial to bypass. So hackers can (re)start their Trojan distributions while nation states can get back to MitM’ing (Man in the Middle attacks) HTTP downloads from the internet.
Apple patched Gatekeeper in November in response to Wardle’s revelations. Only executables (programs) properly digitally signed by registered developers, or obtained from the Mac App Store, should be able to run. This hole had existed ever since Gatekeeper was introduced in July 2012.
Apparently Apple’s fix took the ‘easy route’, blocking only the tool Wardle used instead of looking more deeply into the issue. Some analysts imply that actually fixing Gatekeeper may kill the patient.
Meanwhile CVE Details has released its "Top 50 Products by Total number of distinct vulnerabilities in 2015". Mac OS X heads the list at 384, followed by iOS at 375. By comparison the new Windows 10 has 53.
But it’s Adobe that should be totally shamed – it has 1504 vulnerabilities in Flash Player, Acrobat and AIR.
The list is interesting when you also look at some of Apple’s other products – Safari (135), iTunes (100), Apple TV (57 and a second listing for 43 – perhaps an earlier version), and WatchOS (53).
Other mentions include Google’s Android (130) and Mozilla Firefox (178 and second listing 94).
Update: 17 January
Esteemed iTWire colleague and Mac man Stephen Withers has made some observations on the information in this article. While the article was prepared from official sources, his observations (paraphrased) are valid and add to the article.
The CVE Details report is a crude tally that doesn't use sensible categories, e.g. it lumps all versions of OS X together but keeps all versions of Windows separate. [Agreed – it’s a case of lies, damned lies and statistics. However, Windows 10 is not subject to most of the past versions’ vulnerabilities].
Gatekeeper was never about protection against viruses - there have not been any ‘viruses’ in the true sense that affect OS X. [The term ‘Virus’ was used in the header and has since been replaced with Malware].
There's also the question of whether a vulnerability can be readily exploited thanks to mitigations provided by the operating system or other reasons. [Agreed – a vulnerability does not automatically mean it can be exploited].
An example of this is the way Apple blocks old versions of the Flash plug-in from running. It doesn't help if your system is one of the first to be hit, but it's worth noting that old vulnerabilities account for the biggest share of successful attacks. That is, you're a lot less likely to fall foul of the dreaded 'zero-day attack' than of an exploit of a vulnerability that was fixed a year ago but, for some reason, you never got round to installing the patch.