GMA News Online

Apple OSX 'Gatekeeper' vulnerable to malware?

February 17, 2012 7:32pm
Gatekeeper, the security feature in Apple Inc.'s upcoming OS X Mountain Lion operating system, may be letting malware sneak in through the backdoor, a computer security firm said.
Sophos said that while the idea behind the security is sound, its implementation - at least at this stage - could be somewhat flawed.
"I think Apple is really on to something here if they implemented this feature in a more comprehensive manner. I give them an A for what they want to accomplish, but sadly only a D- on implementation," Sophos' Chester Wisniewski said in a blog post.
With Gatekeeper bundled in the recently released developer preview of OS X Mountain Lion, Apple aims to give users a measure of security against malware downloaded from the Web.
Three options are available for Mountain Lion users: App Store only, App Store and applications with valid developer signatures or all software (current behavior).
But Wisniewski noted Apple is relying on the LSQuarantine technology used in its rudimentary integrated anti-virus known as XProtect.
This means Gatekeeper is essentially a whitelisting technology bolted onto the blacklisting technology it introduced two versions ago, he said.
"While this will clearly reduce the risk for users who primarily download all of their programs through popular browsers or the App Store, it only addresses the Trojan problem that has been the primary vehicle for delivering malware to OS X," he added.
Yet, he said LSQuarantine only triggers on files downloaded from the Internet that have been tagged by the application that downloaded it with the quarantine bit.
"This means that files from USB drives, CD/DVD/BR or even network shares will all install and run without being screened," he said.
Worse, he said some applications that download from the internet like Bittorrent also do not flag downloads with the quarantine bit.
Also, he said Gatekeeper code signing only applies to executable files, meaning anything that is not itself a Trojan like malicious PDFs, Flash, shell scripts and Java can be exploited without triggering a prompt.
Also, he said files are only checked at the time they are initially executed - so if a rogue developer distributes a malicious app, Apple will need to revoke that certificate *before* the victim executes the download.
"This one-time check, combined with the limitations of what files are scanned from which sources significantly weakens the usefulness of Gatekeeper," he said.
Another problem is a common one to all platforms - fooling the user into overriding the security software, he said.
"It's human nature. Yes, of course I want to install this pirated movie codec, or really snazzy screensaver. Apple's just warning me because they think I should pay $800 for this photo editing app," he said.  — TJD, GMA News
Go to comments

We welcome healthy discussions and friendly debate! Please click Flag to alert us of a comment that may be abusive or threatening. Read our full comment policy here.
Comments Powered by Disqus