Sophos Cloud Optix
Apple has announced enhanced security features in its upcoming OS X 10.8 Mountain Lion release.
The biggest change is a new function called Gatekeeper. Apple is finally introducing what appears to be a slightly more advanced version of Microsoft’s Authenticode technology.
Apple will provide three options for Mountain Lion users: App Store only, App Store and applications with valid developer signatures or all software (current behavior).
This sounds like a pretty good idea to me, but unfortunately the implementation is flawed.
The first problem is that Apple is relying on the LSQuarantine technology used in their rudimentary integrated anti-virus known as XProtect.
This means Gatekeeper is essentially a whitelisting technology bolted onto the blacklisting technology it introduced two versions ago.
While this will clearly reduce the risk for users who primarily download all of their programs through popular browsers or the App Store, it only addresses the Trojan problem that has been the primary vehicle for delivering malware to OS X.
It’s what Gatekeeper doesn’t catch that might inspire budding criminal authors to take the next step in creating more advanced malware for OS X.
LSQuarantine only triggers on files downloaded from the internet that have been tagged by the application that downloaded it with the quarantine bit.
This means that files from USB drives, CD/DVD/BR or even network shares will all install and run without being screened.
Some applications that download from the internet like Bittorrent also do not flag downloads with the quarantine bit.
Gatekeeper code signing only applies to executable files, meaning anything that is not itself a Trojan like malicious PDFs, Flash, shell scripts and Java will still be able to be exploited without triggering a prompt.
File are only checked at the time they are initially executed, so if a rogue developer distributes a malicious app, Apple will need to revoke that certificate *before* the victim executes the download.
This one time check, combined with the limitations of what files are scanned from which sources significantly weakens the usefulness of Gatekeeper.
The second problem is a common one to all platforms, people. If a user wishes to install something and is blocked from doing so, they more often then not will override the block.
It’s human nature. Yes, of course I want to install this pirated movie codec, or really snazzy screensaver. Apple’s just warning me because they think I should pay $800 for this photo editing app.
Andrew Ludgate in SophosLabs pointed out that calling this feature Gatekeeper is a bit strange as well.
Going back nearly 20 years ago there was an anti-virus program for Mac called Gatekeeper.
Even the icon for the original Gatekeeper (hosted on mac.com none the less) has a remarkable similarity to Apple’s new endeavor.
I think Apple is really on to something here if they implemented this feature in a more comprehensive manner. I give them an A for what they want to accomplish, but sadly only a D- on implementation.
Is it possible these can shortcomings/oversights be corrected before 10.7 comes out?
The growth of OS X will attract a lot more non-tech savvy users, the types of users who were compromised all too easily while using Windows. I think Apple are trying to create a situation under OS X where they will *never* have the same number of problems as have been seen on Windows.
Maybe OS X will never have the same level of attraction to scam artists and malware writers as Windows has. But with the OS X market growing exponentially, there is no harm in getting users used to the idea that if they get content (applications or anything else) from locations other than those which are trusted by the system then they should take care.
Apple don't want to have to have Anti-malware solutions on their platform, that puts them in the same place as they used to make fun of Windows for. The benefit with introducing Gatekeeper now is to condition users to those threats without having to apply the amount of rigour you are looking for. So if the threat level on OS X ever starts to grow with the platform, they have users who are better able to deal with the threat without needing to install third party security.
"Gatekeeper"? Maybe their next piece of security software should be called "Keymaster". :o)
I cannot even download the new Java 11 without buying the "Lion". Ugh… DD