Apple has announced enhanced security features in its upcoming OS X 10.8 Mountain Lion release.
The biggest change is a new function called Gatekeeper. Apple is finally introducing what appears to be a slightly more advanced version of Microsoft's Authenticode technology.
Apple will provide three options for Mountain Lion users: App Store only, App Store and applications with valid developer signatures or all software (current behavior).
This sounds like a pretty good idea to me, but unfortunately the implementation is flawed.
The first problem is that Apple is relying on the LSQuarantine technology used in their rudimentary integrated anti-virus known as XProtect.
This means Gatekeeper is essentially a whitelisting technology bolted onto the blacklisting technology it introduced two versions ago.
While this will clearly reduce the risk for users who primarily download all of their programs through popular browsers or the App Store, it only addresses the Trojan problem that has been the primary vehicle for delivering malware to OS X.
It's what Gatekeeper doesn't catch that might inspire budding criminal authors to take the next step in creating more advanced malware for OS X.
LSQuarantine only triggers on files downloaded from the internet that have been tagged by the application that downloaded it with the quarantine bit.
This means that files from USB drives, CD/DVD/BR or even network shares will all install and run without being screened.
Some applications that download from the internet like Bittorrent also do not flag downloads with the quarantine bit.
Gatekeeper code signing only applies to executable files, meaning anything that is not itself a Trojan like malicious PDFs, Flash, shell scripts and Java will still be able to be exploited without triggering a prompt.
File are only checked at the time they are initially executed, so if a rogue developer distributes a malicious app, Apple will need to revoke that certificate *before* the victim executes the download.
This one time check, combined with the limitations of what files are scanned from which sources significantly weakens the usefulness of Gatekeeper.
The second problem is a common one to all platforms, people. If a user wishes to install something and is blocked from doing so, they more often then not will override the block.
It's human nature. Yes, of course I want to install this pirated movie codec, or really snazzy screensaver. Apple's just warning me because they think I should pay $800 for this photo editing app.
Andrew Ludgate in SophosLabs pointed out that calling this feature Gatekeeper is a bit strange as well.
Going back nearly 20 years ago there was an anti-virus program for Mac called Gatekeeper.
Even the icon for the original Gatekeeper (hosted on mac.com none the less) has a remarkable similarity to Apple's new endeavor.
I think Apple is really on to something here if they implemented this feature in a more comprehensive manner. I give them an A for what they want to accomplish, but sadly only a D- on implementation.
Chester Wisniewski is a senior security advisor at Sophos Canada.