Apple's new OS X tightens screws on some malware

Computerworld - Apple will introduce a new Mac security model with OS X Mountain Lion this summer that by default lets users install only programs downloaded from the Mac App Store or those digitally signed by a registered developer.

Some experts called Gatekeeper -- Apple's name for the model and technology -- a game-changer while others criticized it as less than watertight.

Gatekeeper will block the installation of the most common kind of Mac malware yet: Trojan horses unwittingly executed by users who have been duped into downloading and installing fake software.

Last year, several campaigns of "scareware," programs that posed as antivirus software but actually infected systems with attack code, made headlines. Apple responded to the scareware threat by repeatedly updating a rudimentary blocking list that debuted two years earlier.

Apple even took the trouble during the skirmishing to issue a tool that scrubbed infected machines of the "Mac Defender" malware.

Mountain Lion, which Apple said Thursday will ship late this summer, uses a new mechanism to bar malicious applications from most Macs.

By default, only software downloaded from the Mac App Store -- the Apple curated market that debuted in January 2011 -- or signed with certificates Apple provides free-of-charge to registered developers can be installed on Mountain Lion.

Because each digital certificate is linked to an individual developer or company, Apple will know who was responsible for, say, sneaking a malicious app by users, and be able to revoke the certificate and ban the developer from its program.

Apple will not review these digitally-signed third-party programs, but Gatekeeper lets the company retaliate against malicious application makers, and by revoking certificates, gives it a way to block new installs and stifle a malware campaign in its early stages.

Mountain Lion's Security & Privacy preferences screen also has options for tightening or loosening Gatekeeper's vigilance. If "Mac App Store" is selected, only software downloaded from Apple's mart can be installed; choosing "Anywhere" lets users install programs obtained from, well, anywhere. The latter is the wide-open model that Macs -- and Windows PCs -- have used since personal computing's infancy.

At its default setting, Gatekeeper, which has roots in moves Apple has been making with OS X for several years, is a set-and-forget "whitelist," or list of approved programs. "It's like a giant whitelist button," said Andrew Storms, director of security operations at nCircle Security, of Gatekeeper.

Some security experts were enthusiastic about Gatekeeper.

Rich Mogull, a security consultant and former Gartner analyst, called it a game-changer in a post he wrote for the TidBits blog Thursday. And in a more technical description of Gatekeeper on his firm's blog, he argued it would attack hackers where it hurts.