
How does your Mac NOT protect you?

Published October 25th, 2013 at 11:33 AM EDT , modified October 25th, 2013 at 11:33 AM EDT

I spend a lot of time telling people about how their Mac protects them from malware. I have even written an entire section on the topic in my Mac Malware Guide. So it may be a bit surprising that I seem to be suddenly turning around and saying the opposite. That’s not the case, though. The Mac still protects you just as I have said, but it’s also important to keep in mind where the holes in those defenses are. Just as a house isn’t secure if the owner is unaware that the back door is unlocked, a Mac isn’t safe if the owner isn’t aware of the holes in its security.

Before I start discussing these vulnerabilities, it’s important to understand the defenses. If you aren’t already familiar with them, I would refer you to my Mac Malware Guide – specifically, the section titled How does Mac OS X protect me?. Once you have read that and understood the defenses, we can discuss weaknesses.

The most notable weakness is a little-discussed issue with the entire file quarantine system in Mac OS X. This system works well on files that you download directly to the computer through an app like Safari or Mail. When you do so, the downloaded file is marked as quarantined (an extended attribute named com.apple.quarantine is attached to it), and when the file is opened, Mac OS X defenses like XProtect and Gatekeeper come into play.

[Image: A quarantine alert for a downloaded app]

However, there are ways of getting files past the quarantine system, and I’m not talking about sneaky hacker tricks. I’m talking about normal things. For example, copying a file from an external hard drive, flash drive, CD or DVD does not quarantine it. If the file already carries the quarantine flag from being downloaded on another Mac, and is stored on media that preserves Mac extended attributes, the flag survives the copy; if not, the file arrives unquarantined and opens with no check at all. Care must therefore be taken with files on external drives or optical media whose sources aren’t known.

Similarly, the quarantine system relies on the app used for downloading doing things properly. Not all do, and the result is that the quarantine flag is never set on the downloaded file. It’s therefore important to know whether a particular app properly supports file quarantine. You can assume any Apple app does, but for third-party apps a simple test is needed. Download an application that you are sure is safe, then open it. If you don’t see a warning that the application was downloaded from the internet, the app you used to download the file isn’t properly supporting quarantine, and shouldn’t be trusted for downloads.
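The test above can also be done without guessing, by reading the quarantine attribute itself. The script below is an added example, not code from the original post: it prints whether a file carries com.apple.quarantine, decodes the value, and can put a file copied from an unknown drive back under quarantine so the usual checks run when it is opened. It assumes the xattr tool on macOS and the attribute layout flags;time;agent;uuid (time in hex seconds since the epoch), which is what 10.x systems write; the flag bits are undocumented, so they are displayed but not interpreted.

```shell
#!/bin/bash
# Added example, not code from the original post: read and decode the
# com.apple.quarantine extended attribute that Safari, Mail and well-behaved
# downloaders set. Live checks need xattr(1) on macOS; the decoder runs anywhere.
# Assumed value layout:  flags;download-time-hex;agent;uuid

# Print the raw attribute value of a path; empty output means not quarantined.
read_quarantine() {
    command -v xattr >/dev/null 2>&1 || return 1
    xattr -p com.apple.quarantine "$1" 2>/dev/null
}

# Decode a raw value into Q_FLAGS, Q_EPOCH (decimal seconds), Q_AGENT, Q_UUID.
# Returns 1 if the value is not in the expected shape.
decode_quarantine() {
    IFS=';' read -r Q_FLAGS Q_TS Q_AGENT Q_UUID <<EOF
$1
EOF
    case "$Q_TS" in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ -n "$Q_FLAGS" ] || return 1
    Q_EPOCH=$((0x$Q_TS))
}

# Epoch seconds to a readable UTC date; GNU date first, then BSD/macOS date.
epoch_to_date() {
    date -u -d "@$1" '+%Y-%m-%d %H:%M UTC' 2>/dev/null ||
        date -u -r "$1" '+%Y-%m-%d %H:%M UTC'
}

# Report one file. Exit 0 if quarantined, 1 if not (it will open with no
# "downloaded from the Internet" prompt and no XProtect or Gatekeeper check).
check_file() {
    local raw
    raw=$(read_quarantine "$1")
    if [ -z "$raw" ]; then
        echo "NOT quarantined: $1"
        return 1
    fi
    if ! decode_quarantine "$raw"; then
        echo "quarantined (unrecognised value '$raw'): $1"
        return 0
    fi
    echo "quarantined: $1 (by $Q_AGENT on $(epoch_to_date "$Q_EPOCH"), flags $Q_FLAGS)"
}

# Put a file copied from an unknown flash drive or disc under quarantine so the
# usual checks run when it is opened. The flags value 0081 is one seen on
# ordinary Safari downloads; treat it as an assumption, not documentation.
quarantine_file() {
    xattr -w com.apple.quarantine "0081;$(printf '%x' "$(date +%s)");manual;" "$1"
}

# Usage: quarantine-check.sh FILE...
# Run it on something you just fetched with a third-party download manager:
# "NOT quarantined" means that app never set the flag.
for f in "$@"; do check_file "$f"; done
```

Agents such as Safari or Mail record their own name in the third field, so the output also tells you which app did the download; a file that decodes with an empty agent and a zero time was most likely flagged by hand or by a tool that sets the attribute minimally.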

It’s also worth pointing out that malware that comes onto the system through vulnerabilities in third-party software, such as Java, Adobe Flash Player or Microsoft Office, bypasses quarantine entirely. The infamous Flashback malware, for example, used Java vulnerabilities to write executable files onto the system. Since this was done behind the scenes, out of view of quarantine, those executables were able to run without any user interaction whatsoever. Keeping third-party software updated, and limiting the “attack surface” by reducing or eliminating use of browser plug-ins like Java and Flash, is important for protecting against such attacks.

[Image: Flashback.A warning, showing XProtect preventing a trojan from opening]

The next potential hole in the chain involves XProtect. Since XProtect is essentially just a basic anti-virus scanner, it has the same limitations as most such tools. Namely, if the malware in question hasn’t been seen by Apple and added to the XProtect definitions, XProtect won’t block it. Every time new malware appears, there is always a delay before it is added to XProtect. Sometimes that delay is very short, but other times it can be unacceptably long. For example, in the recent case of Icefog, Apple didn’t add the definition to XProtect until two weeks after they were alerted to the malware.

Unfortunately, there’s not much the user can do to solve this issue, beyond the difficult-to-quantify advice frequently given to exercise caution about what is downloaded, or possibly using another layer of security (like anti-virus software). It’s important to note that anti-virus software can sometimes protect the user sooner than XProtect, as was the case with Icefog, but not always.

[Image: Gatekeeper settings]

Other security holes involve Gatekeeper. This is great technology, but it’s only as good as the user allows it to be. Some users disable it, either entirely or on a case-by-case basis, to run apps that don’t come from identified developers. That’s okay in some cases – I myself have some apps that I had to bypass Gatekeeper for – as long as you are positive the app is legitimate. However, careless bypassing removes this layer of security entirely. Gatekeeper should be kept at its default, medium-security setting (Mac App Store and identified developers), or the more secure App Store-only setting, to avoid such problems. Exceptions should be made, if at all, by control-clicking the application and choosing Open, rather than by disabling Gatekeeper entirely.

In addition, hackers have been known (in the cases of the KitM and Janicab trojans) to use throwaway developer IDs to sign their malware, thus bypassing Gatekeeper. This trick only works as long as the malware is not discovered by Apple, at which time they can revoke the developer ID and “kill” the app, but for tightly targeted malware, that could be a long time. There’s not much to be done about avoiding signed malware beyond (again) using some additional form of anti-virus software, which may or may not catch something that gets past XProtect and Gatekeeper.
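The two remaining defenses can be inspected from the command line as well. The script below is an added example, not code from the original post: it reports the installed XProtect definition version and date (the delay discussed above is visible as a stale LastModification), whether Gatekeeper is enabled, and for a given app both what kind of signature it carries and whether Gatekeeper currently accepts it. It assumes the macOS tools defaults, spctl and codesign; the XProtect.meta.plist locations (the 10.6 to 10.14 path and the newer /Library/Apple path) and the codesign output lines it parses are assumptions about those versions, and the sample codesign output embedded in it is constructed, with made-up identifiers.

```shell
#!/bin/bash
# Added example, not code from the original post: state of the XProtect
# definitions and of Gatekeeper, plus a classification of how an app is signed.
# Assumes defaults(1), spctl(8) and codesign(1) on macOS.

# Installed XProtect definition version and when Apple last changed it.
xprotect_version() {
    local meta
    for meta in \
        /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist \
        /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.meta.plist
    do
        [ -f "$meta" ] || continue
        printf 'XProtect version %s (last modified %s)\n' \
            "$(defaults read "$meta" Version)" "$(defaults read "$meta" LastModification)"
        return 0
    done
    echo "XProtect.meta.plist not found" >&2; return 1
}

# Is Gatekeeper on at all? Prints "assessments enabled" or "assessments disabled".
gatekeeper_status() { spctl --status; }

# Gatekeeper's verdict for one app, evaluated the way Launch Services would,
# which includes whether Apple has since revoked the Developer ID certificate.
# codesign -dvv alone only repeats the chain embedded in the signature.
assess_app() { spctl --assess --type execute -vv "$1" 2>&1; }

# Classify the text that codesign -dvv writes (on stderr) about an app. Reads it
# on stdin; prints one of: unsigned, adhoc, appstore, developer-id, other.
classify_signature() {
    local line kind=other
    while IFS= read -r line; do
        case "$line" in
            *"code object is not signed"*)                 kind=unsigned ;;
            Signature=adhoc*)                              kind=adhoc ;;
            "Authority=Apple Mac OS Application Signing"*) kind=appstore ;;
            "Authority=Developer ID Application:"*)        kind=developer-id ;;
        esac
    done
    echo "$kind"
}

# Team identifier (the 10-character ID behind a Developer ID) from the same text.
team_identifier() { sed -n 's/^TeamIdentifier=//p' | head -n 1; }

# Everything for one app bundle: who signed it, and whether Gatekeeper accepts it.
inspect_app() {
    local details
    details=$(codesign -dvv "$1" 2>&1)
    printf '%s: signature=%s team=%s\n' "$1" \
        "$(printf '%s\n' "$details" | classify_signature)" \
        "$(printf '%s\n' "$details" | team_identifier)"
    assess_app "$1"
}

# Constructed sample of codesign -dvv output for a Developer ID-signed app
# (identifiers are made up), so the classifier can be exercised off a Mac.
SAMPLE_DEVID='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=251 flags=0x0(none) hashes=3+3 location=embedded
Signature size=8917
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=4'

# Usage: gatekeeper-check.sh /Applications/SomeApp.app ...
if [ $# -gt 0 ]; then
    xprotect_version; gatekeeper_status
    for app in "$@"; do inspect_app "$app"; done
fi
```

A "developer-id" result from codesign together with "rejected" from spctl is exactly the throwaway-certificate case: the signature is intact, but Apple has revoked the certificate behind it, and only the Gatekeeper assessment reflects that.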

So, what’s the takeaway message here? For the most part, as long as you’re aware of these issues and careful about what you open, you’ll be okay. However, that’s not a guarantee of safety. There are ways that malware could sneak in, using tricks that could sometimes fool reasonably savvy users, or newly-discovered vulnerabilities in the system or third-party software. Some users may benefit from the use of anti-virus software, as an additional layer of security, though that’s certainly far from a requirement. If you do decide to use anti-virus software, remember that against a brand new threat capable of bypassing the security in Mac OS X, it may not protect you any better than the system does.

If you do decide that you need anti-virus software, be sure to do your research. Many anti-virus programs aren’t much more than a Mac wrapper around a Windows-based app, and they don’t provide much protection against Mac threats. Others can protect you well, but may cause problems, like destabilizing your system. Don’t install anti-virus software lightly, be sure you know how to properly remove it if it causes problems, and remember that the most aggressively-marketed software is often not the best.



  • Logan Smith says:

    Excellent analysis of XProtect. Thank you for your service to the Mac community.

  • Ptsp says:

    Are the drive-by downloads treated the same way as an intentionally downloaded file?
    Thank you for this great article.

    • Thomas says:

      Nope. Drive-by downloads occur through vulnerabilities in something like Java or Flash, and as pointed out in the article, that goes behind quarantine’s back. Fortunately, at this time, there are no vulnerabilities affecting an up-to-date Mac OS X system that allow drive-by downloads.

  • Peter says:

    * Great article * Thank you for the well written, easy to understand overview. Your website is a tremendous resource. I’ve learned a lot from it and your posts in Apple’s discussion forums. I’m most grateful : )

    Parenthetically, I wonder if it might be useful to mention that though (too) similar in name, “Java” and “JavaScript” are different technologies and should not be confused. I can picture someone with the best of intentions thinking they’ve reduced their exposure to web-based Java threats by deselecting “enable Javascript” in Safari’s Preferences, something particularly problematic if they’re running an older version of Safari (and/or OS X) without the new built-in warning messages and protections.

  • Darren Kehrer says:

    Did XProtect for SL ever get updated to include the invisible attacks?

    • Thomas says:

      Are you referring to my Invisible malware article? If so, note that there is no actual malware currently using that trick, it’s just a theoretical new possibility for hiding malware. Thus, there would be nothing to add to XProtect.

  • Melissa says:

    Thomas, what are your thoughts on “computing” as a standard user as opposed to an admin user? I’ve seen recommendations for this on Apple’s Support Communities site. According to these threads, a Mac user should do their day-to-day surfing as a standard user since malware can do more serious (possibly irrevocable) damage to an admin account. The “root” of the issue (pun intended) seems to be admin privileges and root access. I haven’t seen this advice in your guide, so I’m interested to hear what you think.

    • Thomas says:

      I have mixed feelings. On the one hand, using a standard user account definitely will prevent malware from attaining root permissions and burying itself deeply in your system. On the other, most Mac malware doesn’t do that anyway, because even as an admin user, doing so requires asking for a password. It’s easier, and less prone to tipping off the user, to just install malicious components in “user space” where you already have permission to play. If you get infected as a standard user, all your data – which is the only truly important part of your computer – is in just as much danger as if you got infected as an admin user.

      So I generally don’t consider it to be worth the hassle that it can be on a Mac to use a standard account day-to-day. But if you don’t find it to be a hassle to use a standard account, then that would add a layer of security that would mean that, worst case scenario, you would only lose your user folder in the case of a nasty infection, but could still rely on the system’s integrity without the need to reinstall it.
