Security Threat Report 2013

New platforms and changing threats

Recent OS X security improvements and their limitations

Mac OS X, originally built on BSD UNIX, has a strong security model. In 2009, with the release of OS X 10.6 Snow Leopard, Apple added limited malware scanning through the Launch Services Quarantine (LSQuarantine) system and XProtect technology. In mid-2011, XProtect became a dynamic push update service with more power to detect and clean up files fingerprinted as malicious.

In mid-2012, with OS X 10.8 Mountain Lion, Apple introduced Gatekeeper, which manages code execution permissions for code obtained through approved software. By default, Gatekeeper pre-authorizes all software signed with an official Apple developer key that has not been blocked due to previous abuse.

Gatekeeper is a significant and welcome improvement in Mac security, but it is only a partial solution. Software copied from USB, already on the computer, copied directly between computers, or transferred by non-standard file transfer systems such as BitTorrent will evade it. Individual users with administrator credentials can change Gatekeeper’s default settings to allow unsigned apps to install without any alert.

Users or running processes can still strip the LSQuarantine flag from files. Unsigned programs can be authorized and launched simply by right-clicking on them in the Finder and selecting Open, instead of just double-clicking on the icon. Versions of OS X older than 10.8 don’t include Gatekeeper.
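As an added example (not code from the Sophos report), the following Python helper checks the two signals the paragraphs above describe for a given file: whether it still carries the LSQuarantine attribute, and whether Gatekeeper would accept it. It assumes macOS 10.8 or later with the `xattr` and `spctl` command-line tools, and the field layout of the `com.apple.quarantine` value is assumed from observed values rather than taken from the report.

```python
import subprocess
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"  # where the LSQuarantine flag is stored
# Constructed sample value for local testing, not a real download record.
SAMPLE_VALUE = "0083;5f1d2a3b;Safari;11111111-2222-3333-4444-555555555555"


def parse_quarantine(value):
    """Split a com.apple.quarantine value into fields.
    Assumed layout (from observed values): 'flags;hex-unix-seconds;agent;uuid'.
    Returns None when the attribute is absent: the flag was never set or has
    been stripped, so Gatekeeper will not evaluate the file on launch."""
    value = (value or "").strip()
    if not value:
        return None
    parts = value.split(";")
    if len(parts) < 2:
        raise ValueError("unexpected quarantine value: %r" % value)
    return {
        "flags": int(parts[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2] if len(parts) > 2 else "",
    }


def read_quarantine(path):
    """Raw attribute value via `xattr -p`, or '' if the file carries none."""
    r = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                       capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else ""


def gatekeeper_enabled():
    """True when `spctl --status` reports that assessments are enabled."""
    r = subprocess.run(["spctl", "--status"], capture_output=True, text=True)
    return "assessments enabled" in r.stdout


def gatekeeper_accepts(path):
    """Gatekeeper's verdict for launching path; spctl explains on stderr."""
    r = subprocess.run(["spctl", "--assess", "--type", "execute", "-v", path],
                       capture_output=True, text=True)
    return r.returncode == 0, (r.stderr + r.stdout).strip()


def audit(path):
    """Combine both signals for one file into a single report dict."""
    q = parse_quarantine(read_quarantine(path))
    accepted, detail = gatekeeper_accepts(path)
    return {"path": path, "quarantined": q is not None,
            "downloaded_by": q["agent"] if q else None,
            "gatekeeper_accepts": accepted, "detail": detail}
```

On a Mac, `audit("/Applications/Example.app")` reports `quarantined: False` for anything that arrived by USB, direct copy or a non-quarantine-aware transfer tool, which is exactly the set of files Gatekeeper never sees.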

Finally, the runtime interpreters for Java, Flash, and OS X shell scripts are all pre-authorized by Apple. These interpreters are free to run whatever code they wish. Java and Flash have been major attack vectors on the Mac platform. This may gradually become less of a problem—the Mac version of Java was recently hardened, and Adobe Flash is gradually being replaced by HTML5.
