CVE-2015-7024
Description
Untrusted search path vulnerability in Apple OS X before 10.11.1 allows local users to bypass intended Gatekeeper restrictions and gain privileges via a Trojan horse program that is loaded from an unexpected directory by an application that has a valid Apple digital signature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Untrusted search path vulnerability in Apple OS X before 10.11.1 lets local users bypass Gatekeeper and gain privileges via a trojan program.
Vulnerability
An untrusted search path vulnerability exists in Apple OS X versions prior to 10.11.1. This flaw allows a locally placed Trojan horse program to be loaded from an unexpected directory by an application that has a valid Apple digital signature, thereby bypassing Gatekeeper restrictions.
Exploitation
An attacker with local access (e.g., a malicious user or via malware) can place a Trojan horse executable in a directory that is searched by a signed Apple application. When the application loads the program, Gatekeeper does not block it because the application itself is signed, bypassing the intended protection. No additional user interaction beyond having the signed application run is required.
Impact
Successful exploitation allows the attacker to execute arbitrary code with the privileges of the signed application, potentially escalating to root or system-level access. This undermines Gatekeeper's security model by allowing untrusted code to run under the guise of a signed application.
Mitigation
Apple addressed this issue in OS X El Capitan 10.11.1 and the corresponding Security Update 2015-004 Yosemite and Security Update 2015-007 Mavericks. Users should update to these versions or later. No workaround is known for unpatched systems.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <10.11.1
Patches
No patches discovered yet.
References
- lists.apple.com/archives/security-announce/2015/Oct/msg00005.html (NVD, Vendor Advisory)
- support.apple.com/HT205375 (NVD, Vendor Advisory)