Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Don't FREAK out about the latest security warnings

Glenn Fleishman | March 13, 2015
FREAK is last week's worry, but installing untrusted applications is a perennial worry. It's a two-fer (or two-fear) in this column, about security issues new and old.

The installer scam involves software, often legitimate and desirable, that is wrapped in a package that makes it seem as if one needs to also install other, unrelated software. Some of it is pure malware, but all of it hijacks some aspect of your experience, such as adding browser extensions, redirecting your default search engine, or generating popups. The intent is to capture your attention to add clicks that the installation software maker is paid for or to fool you into purchases.

For purposes of software hygiene, I recommend never installing OS X software downloaded from anywhere but the Mac App Store or the developer's site, unless it's via a link provided by the developer to an alternate download. With some open-source, free, or alternate distribution model software, you may need to download elsewhere, but the project's home will almost always guide you there. (This assumes any given developer isn't unethical, which is nearly always true.)

The next level of safety is in the Security & Privacy preference pane (in Yosemite). In the General tab, the Allow Apps Downloaded From set of choices lets you determine the level of default installation risk. You can opt for Mac App Store only, the store plus Identified Developers, or Anywhere--if you dare.

For less-sophisticated Mac users you know or help with their computing needs, the Mac App Store might be the best choice. If they don't routinely or perhaps ever install third-party software or always require your or someone else's help, it's a good way to prevent a bad, accidental outcome.

The middle choice, Mac App Store plus Identified Developers, only allows the straightforward installation of software that's been signed by a digital certificate issued by Apple to a specific developer. The installer scam software may, in fact, come from parties that paid the $99-a-year fee to be part of Apple's OS X developer program, and are misusing their membership or stretching it to the extreme limits.

This is why avoiding download sites is a good strategy to begin with, rather than relying on this security setting in OS X. Apple can revoke developer certificates easily enough and push out other remedies, but it's better to not fall into a situation in which that recourse is what you rely on.

I always advise against the Anywhere setting, because then you let down your guard. With the middle setting, you can still install unsigned software. Find the application itself, right-click it, and select Open, and you're prompted to confirm that you want to launch it.


Previous Page  1  2 

Sign up for CIO Asia eNewsletters.