Thursday, 16 February 2012

Apple's Gatekeeper in Mac OS X 10.8 Mountain Lion

--
[Revised 2012-02-20 @11:30 pm]

Let's get happy! Apple has set up a new approach to nailing Trojan horse malware for the upcoming new version of Mac OS X, code named Mountain Lion, aka 10.8. AND! Apple did it right! It uses both application blacklisting and whitelisting. It also uses application security certificates (aka digital signing). Only Apple gets to provide them, as opposed to the ongoing SSL certificate hijacking mess with hundreds of certificate providers.

If this concept sounds familiar, it's because Microsoft started doing it with 64-bit Windows Vista, where it was a profound failure. Why a failure? Because Microsoft GOUGED their developers with punishing fees per security certificate. Developers ignored it. This resulted in, among other things, a lack of hardware drivers for 64-bit Vista. Profound OOPS factor! Eventually Microsoft got the clue and relented on their fees. Therefore, the 64-bit 7ista release received far better developer support.

Apple's approach builds upon the XProtect anti-malware system of Mac OS X Snow Leopard and Lion by providing users with new options and warnings, accessible from the Security & Privacy preference pane:

1) Allow applications downloaded from: Anywhere. You can choose to keep things the way they are now. However, Apple provides WARNINGS about potential problems known about specific programs found on their current blacklist. Similar to XProtect, the blacklist is updated over the Internet every day. Apple will also revoke the security certificates of bad app developers daily.

Example:
You download an app off a random site off the Internet and Apple pops up a message warning you that this particular app is known to upload your entire Address Book to their server. That's dangerous! It could mean the developer could take that list and perpetrate a SPAM ATTACK! That SPAM could include links to Phishing sites, further malware, etc. Your friends will not be pleased.

This feature alone is going to infuriate the malware rats. Users cannot turn it OFF as long as you, not they, hold the administrator account. I like it! The result is a great short-circuiting of most social engineering malware.

The drawback is more popup boxes on the screen that you have to dismiss, IOW an increased safety factor as well as an increased annoyance factor.

2) Allow applications downloaded from: Mac App Store. You can choose to only download software from Apple's Mac Store. This provides maximum security because as of Mountain Lion's release date ALL Mac Store provided apps will be sandboxed, whereby every app is limited to accessing only the Apple APIs it requires and the apps run within a restricted memory space. Think of all the memory corruption vulnerabilities constantly being patched in applications. Now the damage they can do will be severely limited.

Example:
You download a crappy xhumans-style app that plays you videos about moths. The app will not be able to rifle through your Address Book for suckers to SPAM. All developers will have to justify every API their app accesses as being critical to its functions.

This remarkable approach for protecting users from malware already gives malware rats painful anxiety hemorrhoids. The result for users is very similar to the wonderful 'walled garden' available to all iPhone / iPod Touch / iPad users. This is the ideal setting to lock into place for all the 'LUSERS' in our midst. It will be nearly impossible for them to infect their Mac. They cannot turn this off, as long as you don't provide them with the administrator password.

The drawbacks here are:
  • Paranoia about Apple ruling the software world.
  • The profit loss to developers by selling their apps via Apple's Mac Store.
  • The sense of losing our freedom to do as we like with our computers.
But keep in mind that you can turn this feature OFF and continue to enjoy your freedom-filled life as a positive anarchist. (^_^)

3) Allow applications downloaded from: Mac App Store and identified developers. You can choose the compromise setting of using both the Apple Mac Store and Apple's blacklist of dangerous apps, whitelist of safe apps and app security certificates. In other words, you can download whatever you like off the Internet, but Apple's lists will not only warn you of potentially bad software, they will prevent you from installing it at all.

Example:
You got this really kewl email telling you about an incredible application that will remind all your friends of your upcoming birthday, maximizing your receipt of birthday cards, congratulation messages and presents. You click the link to go to the website, which actually automatically downloads the software directly to your computer, like it or not. But then BAM! Apple's Gatekeeper STOPS the installation because this app is on their blacklist as potential scamware. Apple warns in a popup box that this app will not only grab your Address Book, but will PWN your Twitter account, Google+ account and Facebook account then grab all your friend contacts. The result could be a major scale SPAM, Phishing and linked malware attack on every single person you know.

This is a great default setting for everyone for every day use. You could be temporarily brain compromised, clicking on every link on the Internet, downloading goodness knows what, and the computer will stop you. And again keep in mind that you can turn this OFF, as long as you are your account administrator.

Meanwhile, malware rats will be restricted to only short term mass infection of suckers. Once Apple catches up with new malware on its blacklist, the malware rats will be ripping their hair out with consternation. What fun!
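The three settings above are exactly what Gatekeeper's command-line front end reports, so you can check an app's standing before double-clicking it. What follows is an added example for this post, not Apple's code and not from the articles linked below. The spctl and codesign commands and their flags are real OS X tools (spctl ships with Gatekeeper); the SAMPLE_* strings are constructed approximations of spctl's two-line output, labelled as such, so the classifier can be exercised on a machine without Gatekeeper.

```shell
#!/bin/sh
# Added example: inspecting Gatekeeper and an app's signature from Terminal.
# spctl/codesign are real tools; SAMPLE_* values below are constructed, not captured output.

# Is Gatekeeper assessment switched on at all?
# Prints "assessments enabled" or "assessments disabled" ("Anywhere" in the preference pane).
gatekeeper_status() {
  spctl --status
}

# Ask Gatekeeper's policy engine what it would do with an app bundle before launching it.
# Output is two lines: "<path>: accepted|rejected" followed by "source=<reason>".
assess_app() {
  spctl --assess --type execute --verbose "$1" 2>&1
}

# Show the certificate chain on the signature. For an identified developer you expect an
# "Authority=Developer ID Application: ..." line chaining up to "Authority=Apple Root CA".
signing_chain() {
  codesign --display --verbose=2 "$1" 2>&1 | grep '^Authority='
}

# Does the bundle carry the App Sandbox entitlement that item 2 of the post relies on?
# Exit status 0 means the entitlement key is present in the embedded entitlements plist.
is_sandboxed() {
  codesign --display --entitlements :- "$1" 2>/dev/null | grep -q 'com.apple.security.app-sandbox'
}

# Map spctl's two-line verdict onto the post's three settings: the loosest setting that
# would still let the app run.
#   app-store            -> runs under every setting (Mac App Store or Apple's own software)
#   identified-developer -> needs "Mac App Store and identified developers" or "Anywhere"
#   anywhere-only        -> unsigned/rejected; only "Anywhere" runs it (XProtect may still block)
classify_assessment() {
  verdict=$(printf '%s\n' "$1" | sed -n '1s/.*: //p')
  source=$(printf '%s\n' "$1" | sed -n 's/^source=//p')
  case "$verdict" in
    accepted)
      case "$source" in
        "Mac App Store"|"Apple System") echo app-store ;;
        *)                              echo identified-developer ;;
      esac ;;
    *) echo anywhere-only ;;
  esac
}

# Constructed sample verdicts (shape of spctl --assess -v output, not real captures).
SAMPLE_STORE_APP='/Applications/Example.app: accepted
source=Mac App Store'
SAMPLE_DEVID_APP='/Applications/Example.app: accepted
source=Developer ID'
SAMPLE_UNSIGNED_APP='/Users/me/Downloads/Example.app: rejected
source=no usable signature'

# Usage: sh gatekeeper_check.sh /Applications/Some.app  (only runs the live checks on OS X)
if [ -n "${1:-}" ]; then
  gatekeeper_status
  verdict=$(assess_app "$1")
  printf '%s\n' "$verdict"
  printf 'runs under setting: %s\n' "$(classify_assessment "$verdict")"
  signing_chain "$1"
  if is_sandboxed "$1"; then echo "sandboxed: yes"; else echo "sandboxed: no"; fi
fi
```

The live functions need Mountain Lion (or 10.7.3 and later, where spctl first appeared); the classifier only needs sh and sed, which is why it is the part that can be exercised with the constructed samples. Note that "accepted" from spctl tells you the signature and source pass Apple's current policy at that moment; after a certificate revocation or blacklist update the same bundle can flip to "rejected" on the next daily refresh, which is the lag the next section discusses.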

The Time and Sharing Problems:

It is difficult to keep Apple's XProtect perfectly up-to-date. On occasion it has taken Apple a number of days to provide malware signatures. We can expect a similar lag with their application blacklist and security certificate revocation.

Note that this is not entirely Apple's fault! Knowing the anti-malware community as well as I do, I can verify that it can be extremely hard to get a copy of the latest malware for analysis, signature creation and infection prevention. The anti-malware community is outrageously unprofessional in many respects. Therefore, there is almost NO SHARING of malware between anti-malware companies and providers. That includes sharing malware with Apple. If at some point the anti-malware community grows up and becomes serious, standardized and scientific in its approaches, all this competitive rubbish will go away. But don't hold your breath. We're still living in a metaphorical Wild West of computer security. Thankfully, Apple is taking the role as the new sheriff in town.

There is a wonderfully detailed article about Mountain Lion's Gatekeeper by Rich Mogull. You can find it on the TidBITS website:

Gatekeeper Slams the Door on Mac Malware Epidemics

Rich Mogull has also provided a follow up article with more technical details, available at his Securosis blog:


Meanwhile, Macworld has been providing a series of articles about Mountain Lion, including coverage of Gatekeeper that goes into further detail:

Mountain Lion: Hands on with Gatekeeper


No doubt, further details and analysis will be provided as Mountain Lion approaches. Please tell us about further information in the comments!
--
