3

OS X 10.8 comes with GateKeeper, which basically has three settings:

  1. Allow only apps from Mac App Store

  2. Allow only apps from Mac App Store or that are signed with a valid Apple Developer certificate

  3. Allow any apps to be installed.

I typically recommend that all users leave it set to 1. unless they are installing a third party app that they trust. My thinking is that you're much less likely to be hit by a browser-based exploit that might download a malicious application onto your machine. Does this actually make a difference for things like browser-based exploits?

Obviously it was aimed at stopping installations of "fake" programs, but is it also a useful tool to reduce the surface area of something like a browser-based remote code execution exploit? Or is that sort of exploit immune to the protection that GateKeeper offers, since the browser itself is already trusted?

MDMarra
  • 325
  • 4
  • 13
  • It might stop drive by downloads from running...but i would assume other web-based exploits can run since it's the browser (or extensions of the browser) that is being exploited – KDEx Aug 27 '12 at 17:28
  • 1
    I'd note that you can bypass GateKeeper by rightclicking the file and selecting 'Open'. This is by design as when you select 2 (at a minimum) the OS notifies you of this option. – Megan Walker Aug 27 '12 at 19:55

2 Answers2

1

No. This is not a benefit of Gatekeeper.

The primary benefit of Gatekeeper is that it prevents the user from being fooled into installing a malicious application. It prevents social engineering attacks.

(Also, if you are downloading an application over an insecure channel, it prevents a man-in-the-middle from changing the binary to something different and causing you to install malware.)

Gatekeeper does not prevent drive-by download attacks that exploit a vulnerability in your browser to compromise the browser and then trigger execution of malicious code. If your browser has a remotely exploitable vulnerability, and you browser to a malicious website, you are hosed. At that point, it doesn't matter whether you've got Gatekeeper enabled or not: you're hosed. This is not the scenario that Gatekeeper tries to protect you from. That risk is mitigated in other ways (e.g., by having browsers auto-update themselves; by using sandboxing and privilege separation in the browser architecture; and so on), but not by Gatekeeper.

D.W.
  • 99,525
  • 33
  • 275
  • 596
0

In short, I think it depends on the attack vector(s) against which you wish to protect yourself.

From the docs:

Signing your applications, plug-ins, and installer packages with a Developer ID certificate lets Gatekeeper verify that they are not known malware and have not been tampered with.

For the end-user, this only attempts to solve the problem of an app being infected with malware by a man in the middle (between the developer and the end-user). What of the case in which an app is malware, introduced by an unscrupulous developer? Indeed, Mountain Lion offers more privacy controls, but my gut tells me that someone who trusts an app enough to install it is likely to say yes to most permissions requests anyway.

There have certainly been a few iOS cases in which, to put it as delicately as possible, what ought to be private data has not always been handled with the greatest care (see Path).

Still, it's a good start. Really, nothing will prevent a user blindly granting permissions to an app because they want to use it.

msanford
  • 815
  • 1
  • 9
  • 26
  • I just finished updating a downloadable OS10 desktop app for Gatekeeper.

    You can always run any downloaded unsigned application just by right clicking it and selecting 'open. This warning dialog is not that different from the 'identified developer' dialog.

    Gatekeeper is better than nothing, but can be defeated with just a bit of human engineering.

     – Jim In Texas Aug 28 '12 at 01:21
  • Social engineering defeats a lot of security. Not to be ignored, especially in this context, is the sheer appeal of the app: I've been shocked at how many apps in the Android market want my "Location: fine (GPS)" that have no business requesting it. I have the feeling that 99% of those who encounter that permission-request warning just install it anyway because they want to use the app. – msanford Aug 28 '12 at 02:58