The Inquirer-Home

Sophos rubbishes Gatekeeper on Mac OS X 10.8 Mountain Lion

Poor implementation
Fri Feb 17 2012, 13:15

SECURITY VENDOR Sophos has said that Apple's Gatekeeper security feature on its latest desktop operating system "leaves a lot to be desired".

Apple yesterday announced Mac OS X 10.8 Mountain Lion, which includes Gatekeeper, a feature it claims is a "revolutionary" security software addition. However, Sophos has charged that Gatekeeper is flawed.


Mac OS X 10.8 Mountain Lion will give users three choices of source from which applications can be downloaded: the Mac App Store, the Mac App Store and identified developers, or simply anywhere.

Chester Wisniewski, a senior security advisor at Sophos, said, "This sounds like a pretty good idea to me, but unfortunately the implementation is flawed. The first problem is that Apple is relying on the LSQuarantine technology used in their rudimentary integrated anti-virus known as XProtect."

"This means Gatekeeper is essentially a whitelisting technology bolted onto the blacklisting technology it introduced two versions ago," he added.

This will reduce the risk for users who stick to the App Store but it only addresses the traditional Trojan problem seen with Mac OS X in the past. Wisniewski points out that what it won't catch might tempt hackers to create more advanced malware.

LSQuarantine, which asks the user what to do with files downloaded from the internet, only works with integrated programs like web browsers, so files from sources such as USB, CD, network sharing and even some web sites like BitTorrent are not flagged with the quarantine bit. Software that arrives that way will therefore not be checked by Gatekeeper.

Wisniewski said, "Gatekeeper code signing only applies to executable files, meaning anything that is not itself a Trojan like malicious PDFs, Flash, shell scripts and Java will still be able to be exploited without triggering a prompt."

The other thing that Sophos sees as a problem is human nature. The user can easily override a block given by the software to install anything they desire.

"I think Apple is really on to something here if they implemented this feature in a more comprehensive manner. I give them an A for what they want to accomplish, but sadly only a D- on implementation," concluded Wisniewski.
