Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

How to avoid Mac malware by using Gatekeeper and common sense

Glenn Fleishman | July 12, 2016
Two new attacks on Mac users and a coming change in macOS Sierra show that educating users beats malware.

The vector of distribution for OSX/Keydnap is unknown, but it arrives in the form of a ZIP archive that has to be extracted, and then a file inside must be double-clicked to launch.

Neither app has been signed by a valid Apple developer certificate. Apple allows anyone to join the developer program, and apps can be signed by an active cryptographically secured certificate without getting Apple's approval, although that approval is required to make items available for purchase in the Mac App Store (MAS).

Unsigned apps can only launch in one of two ways: the first is by right-clicking the app after it's downloaded, selecting Open from the contextual menu, and then agreeing to launch the app even though it's unsigned. This action only has to take place the first time it's launched, and it's retained from then on as a change in the app's attributes. The second is if the Security & Privacy system preference pane's General tab has Allow Apps Downloaded From set to Anywhere. In almost all cases, Mac App Store and Identified Developers is the correct setting.

gatekeeper dialog

This option worried developers and veteran Mac users when it first appeared, as it seemed to herald a day when the only option would be a third one, which only launches apps from the MAS. That one is valid if you're administering a computer for someone else and want to prevent them from accidentally installing software outside the ecosystem for security or other reasons.

In macOS Sierra, the Gatekeeper option has been simplified: Anywhere was removed as a choice, and only Mac App Store or Mac App Store and Identified Developers remains. However, unsigned apps can still be launched with the right-click sequence described above. Requiring that in every instance reduces the odds of someone setting the preference by accident. El Capitan raised the stakes in a different way through System Integrity Protection, which makes it nearly impossible for software to modify the contents of many system files and folders, again reducing the chance for a small mistake to turn into a colossal blunder.

Some colleagues say in their particular disciplines or industries, many software developers making useful utilities (some are rarely updated, but they still work) don't bother to or lack the interest in going through Apple's signing system, and so they distribute their apps unsigned. While it's always hard to complain about people generously distributing software, they're contributing to the overall risk by training users to open unknown packages.

The takeaway lessons

Two pieces of Mac-focused malware in a week is a rare occurrence, and it may foretell nothing at all. While there are many criminal syndicates and independent developers creating software to infiltrate computers, mobile devices, and networks, the high bar that Apple has set keeps it from being low-hanging fruit for attackers.


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.