Security biz scoffs at Apple's anti-Trojan Gatekeeper
Apple dev ghetto fears - plus it only probes executables
Security watchers are expressing reservations about whitelisting security that Apple plans to integrate with OS X Mountain Lion this summer.
The security feature, dubbed Gatekeeper, restricts the installation of downloaded applications based on their source. Users can choose to accept apps from anywhere (as now) but by default Gatekeeper only lets users install programs downloaded from the Mac App Store or those digitally signed by a registered developer. More cautious users can decide to accept only applications downloaded from the Mac App Store.
The technology is designed to make it harder to trick Mac fans into installing Trojans. Apple is essentially acting to nip the problem of scareware scams and the like on Macs in the bud, before Apple-targeting malware gets out of control.
From a system security perspective that's a laudable aim but there may be less palatable consequences.
The move could be a step along the road to making OS X as closed to unapproved developers as iOS.
"Gatekeeper also begins to solidify Mac's walled garden," Sean Sullivan, a security advisor at F-Secure notes. "In the future, when Apple decides to further close its platform, device drivers could also be required to use Apple Developer IDs. Apple is famous for its focus on user experience, and it isn't really very difficult to imagine it revoking third-party peripheral drivers in order to 'secure' that experience."
Gatekeeper is billed as offering: "More control for you" – "I keep reading it as: more control – over – you," Sullivan observes wryly. "By 2014, I expect somebody out there will be jailbreaking their Mac…"
Aside from these political issues, other security watchers warn that Apple's implementation of whitelisting technology may be flawed.
Chester Wisniewski of Sophos notes that the technology only looks at executable files downloaded via the internet. That means files from USB drives, CD/DVD/BR or even network shares "will all install and run without being screened". In addition, other potentially malicious files might be missed, he says.
"Gatekeeper code signing only applies to executable files, meaning anything that is not itself a Trojan – like malicious PDFs, Flash, shell scripts and Java – will still be able to be exploited without triggering a prompt," Wisniewski warns.
Gatekeeper is based on the same LSQuarantine technology that Apple previously used in XProtect, a basic anti-malware system built into Mac OS X releases since August 2009.
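The screening scope Wisniewski describes can be modelled in a few lines, shown here as an added example that is not code from the article or from Apple. The `com.apple.quarantine` attribute name and its `flags;hex_epoch;agent` layout are assumptions not stated in the article, as are the setting labels and the constructed sample files.

```python
from dataclasses import dataclass
from typing import Optional

# Labels for the three settings the article describes (names are hypothetical).
ANYWHERE, IDENTIFIED, APP_STORE_ONLY = "anywhere", "identified", "app-store-only"

@dataclass
class Item:
    path: str
    executable: bool           # per the article, only executables are evaluated
    quarantine: Optional[str]  # raw com.apple.quarantine value; None if never tagged
    signer: str                # "app-store", "developer-id" or "unsigned"

def parse_quarantine(value: str) -> dict:
    """Parse the assumed 'flags;hex_epoch;agent[;uuid]' layout."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    return {"flags": int(parts[0], 16), "epoch": int(parts[1], 16), "agent": parts[2]}

def verdict(item: Item, setting: str = IDENTIFIED) -> str:
    """Return 'not-screened', 'allowed' or 'blocked' for one file."""
    if item.quarantine is None or not item.executable:
        return "not-screened"  # the gap: local media, shares, documents, scripts
    parse_quarantine(item.quarantine)  # reject malformed tags early
    allowed = {ANYWHERE: {"app-store", "developer-id", "unsigned"},
               IDENTIFIED: {"app-store", "developer-id"},
               APP_STORE_ONLY: {"app-store"}}[setting]
    return "allowed" if item.signer in allowed else "blocked"

def unscreened(items):
    """Paths an auditor should cover with other controls."""
    return [i.path for i in items if verdict(i) == "not-screened"]

# Constructed inventory; paths, agents and tag values are made up for illustration.
Q = "0083;4f3e5a10;Safari;"
SAMPLE = [
    Item("~/Downloads/Editor.app", True, Q, "developer-id"),
    Item("~/Downloads/FreeCodec.app", True, Q, "unsigned"),
    Item("/Volumes/USB/FreeCodec.app", True, None, "unsigned"),
    Item("~/Downloads/invoice.pdf", False, Q, "unsigned"),
]

if __name__ == "__main__":
    for it in SAMPLE:
        print(f"{verdict(it):13} {it.path}")
    print("needs other controls:", unscreened(SAMPLE))
```

The same unsigned application is blocked when it arrives by browser download and not screened at all when it arrives on removable media, which is the gap other controls have to cover.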
Wisniewski is supportive of Apple's objectives in developing Gatekeeper but dismissive of its initial efforts, which he categorises as a failure. "I think Apple is really on to something here if they implemented this feature in a more comprehensive manner," Wisniewski concludes. "I give them an A for what they want to accomplish, but sadly only a D- on implementation." ®
Computer security historians would be interested to note that 20 years ago there was an anti-virus program for Mac, also called Gatekeeper. The software, developed by independent programmer Chris Johnson, was shelved many years ago.
Love the "expert" commentary here
Look, grandma is tired of viruses and the like. She wants something to email the kids and see pictures on. She doesn't care about kernel hacking and getting some home made gizmo to work. Few people care about anything under the hood. They just want it to work and catering to them, the 95%, makes far more sense. This stuff has to be as simple and dumbed down as TV or it just won't fly.
Looks more like Apple locking people into the app store to me
Yet again Apple try and stop users getting their own software.
In context. MS get forced to show other browsers are available instead of IE which is built in. Yet no such change for Apple/Safari and when they lock the systems down more to only allowing signed or app store applications, the more they corner the market. One rule for everyone and a 'special' rule for Apple.
Re: Re: Looks more like Apple locking people into the app store to me
I agreed with you right up until
And if you want to talk about locked down, how come no-one ever said Windows was locked down because it only allows me to install Windows apps. I want it to run my Mac & *nix apps and it won't.
and from then on your comment was tainted by the outright idiocy in the above. What Apple are (accused of) trying to do is to implement a system that ensures that software written for the Mac won't run unless they've approved it. I don't think this is actually the case (defending Apple? I'll get myself checked out by the Doc tomorrow!) but it's very different to "My Mac App won't run on Windows".
And unless things have changed dramatically, I suspect you'd also have problems running your Windows Apps on Macs without a bit of software in between.
The thing that makes me laugh is the observations of the security guy - You can still run files from disk, network shares etc. To me it reads as if Apple are trying to protect the idiots from themselves whilst minimising the hassle for other use. Yet to see scareware served over the LAN but YMMV