Apple’s advice to rely on Gatekeeper as a mitigation against a Keychain attack disclosed this week by researcher Patrick Wardle doesn’t fully address the risk.
Experts, Wardle included, said that while Gatekeeper is a solid measure for preventing unsigned code from executing on a macOS machine, it does not, in this case, stop malware signed with a legitimate Apple developer certificate from executing and dumping passwords stored in the Keychain. Wardle’s proof-of-concept attack, as disclosed to Apple, was unsigned.