The Mac Security Blog

Apple + Recommended + Security News

New Security Features in OS X Mountain Lion

Posted on by

Today Apple released OS X 10.8 Mountain Lion, the latest version of the operating system that runs Macs. Mountain Lion includes a number of new features and brings to OS X many facets and ideas that Apple uses in iOS, the operating system that runs the iPhone, iPad and iPod touch.

What interests us here, however, is the numerous security features that have been added to Mountain Lion or that have been changed since Mac OS X 10.7 Lion. Here’s an overview of the new or changed security features in Mountain Lion:

Sandboxing

One of Mountain Lion’s marquee security features is called sandboxing. A traditional sandbox has boundaries that allows kids to play within a certain space. In computer security, sandboxing is similar; any application you run is in a “sandbox” that prevents it from going beyond certain boundaries and performing actions that it shouldn’t.

Without sandboxing, any application can read and write files almost anywhere on your Mac. (This depends on whether you are running an administrator’s account or not. If you are, applications have more rights than if you have a standard user account.) Even if an application doesn’t need to access certain system files, it still has the right to do so. If the application is buggy, it may alter or delete essential files. But if the application is malware – such as a Trojan horse that a user mistakenly installed – then it has full rights to do anything it wants.

When an application runs in a sandbox, its rights are limited. A set of restrictions prevents the application from accessing files it doesn’t need, and a set of “entitlements” allows the application to access certain files or folders. If you use an iPhone or iPad, you can see this. Any application you use that creates or edits files can only access files it creates, or files that you expressly import to that application’s space.

Sandboxing is not only important because of the possibility of a user unwittingly installing a Trojan horse, but also to prevent threats that come through web pages: Java, Flash, QuickTime and others. Threats using these types of elements are theoretically prevented from doing anything outside the boundaries of the web browser.

Gatekeeper

Another essential security feature in Mountain Lion is Gatekeeper, a technology that prevents certain applications from being installed on a Mac. Gatekeeper looks for a “signature” in an application; this is a sort of certificate that is included in an application, and it tells Mountain Lion where the application came from. There are two types of signatures: those included in applications downloaded from the Mac App Store, and those of developers who have registered with Apple and obtained Developer IDs.

Gatekeeper gives you three options for choosing which types of applications you can install on your Mac.

In the Allow applications downloaded from section of the Security & Privacy preferences’ General tab, you can choose the option you prefer:

  • Mac App Store: check this to only allow applications from the Mac App Store to run. This may be a good idea for, say, a child’s Mac, but in practice, most people who work on their Macs won’t be able to use this setting. For example, if you use Microsoft Office, which isn’t available (yet) in the Mac App Store, or Adobe’s Creative Suite applications, this setting would prevent you from installing these programs. However, Gatekeeper won’t block applications you have already installed, or any installed when this setting was not selected.
  • Mac App Store and identified developers: choose this setting to be able to use applications from both the Mac App Store and those developers who have registered with Apple and have Developer IDs. You want to use this setting to install most of Intego’s software, for example. Those Intego applications that are not available in the Mac App Store will install because Intego is a registered developer.
  • Anywhere: if you’re not worried about the applications you install, and feel comfortable downloading and installing software from various web sites, then choose this setting.

If you try to install or launch an application that is not permitted according to the above settings, you’ll see an alert like this:

If you choose the Anywhere option, you’ll see an alert:

Note that this explains how you can bypass Gatekeeper for specific applications. Even if you choose the most restrictive settings, you can launch an application by right-clicking or Control-clicking its icon and choosing Open. In this case, you’ll see an alert confirming that you really want to open the application, and pointing out that it is from an unidentified developer.

If you choose to open an application in the above manner and you are not an administrator, a dialog will ask you for an administrator’s user name and password. Standard users cannot use the above technique to launch applications.

A setting behind the Advanced button of the Security & Privacy preference pane’s General tab allows users to choose whether OS X should download lists of “safe downloads.” These are lists of identified developers whose applications can be opened if the second setting above is used.

It’s worth noting that Gatekeeper only looks at applications, and only the first time you launch them. Malware such as the Flashback variants that used Java applets won’t be blocked, since they are elements within web pages. The same is the case for any other type of malware that can sneak through via a vulnerability in a web browser.

Also, if you upgrade a Mac from Lion to Mountain Lion, Gatekeeper won’t prevent any applications already on your Mac from launching. It only affects applications that you install after the upgrade, so it’s still essential to be careful what you download and protect your Mac from malware.

Software Updates

Mountain Lion brings a major change to the way you update OS X and its applications. Instead of having a Software Update application, as in previous versions of Mac OS X, Mountain Lion provides all updates through the Mac App Store application. While there is still a Software Update preference pane, it only lets you change settings related to updates. You can choose whether or not to check automatically for updates, and whether to download and install updates in the background.

When updates are available, Notification Center will display an alert, and a badge will display on the Mac App Store icon in the Dock (if it’s there). If you launch the Mac App Store application, the Updates tab will also show if any updates are available, either for OS X or for purchased apps. You will, of course, still need to update other software as you did before. In same cases, this is using an application’s own auto-updater (often there is a Check for Updates menu item), or by downloading new versions of applications.

Intego’s Mac Security Blog provides information about essential security updates for the applications that most Mac users work with. For example, web browsers other than Safari will still need to be updated on their own, as will such plug-ins as Adobe Flash Player. So while the Mac App Store will centralize many updates, you’ll still need to get some on your own.

You can no longer choose a frequency to check for updates; these checks are performed each day, and you can either allow automatic checks or turn these off. Regardless of your settings, Mountain Lion will make daily checks for security updates.

In addition, the Software Update preference pane will tell you if there are software updates available. If this is the case, the Check Now button becomes Show Updates, and you can click this button to open the App Store application and see which updates are available.

Privacy Settings

Mountain Lion includes a number of privacy options, many of which already existed in Lion. For example, in the Security & Privacy pane of System Preferences, the Privacy tab lets you activate or deactivate Location Services and choose which applications can access this feature, as well as shows you which applications have used it in the past 24 hours.

A Contacts item shows you which applications want to access your Contacts (formerly Address Book). Again, you can deactivate any of these. When you launch an application that wants to access your contacts, a dialog asks if you will allow it to do so, and you can choose to allow or deny this access.

Another item shows which applications have asked to access your Twitter account information. And other items will show up depending on which applications you are using on your Mac.

Finally, a Diagnostics & Usage item lets you choose if you want to send anonymous diagnostic information to Apple.

Safari also has a Privacy tab in its preferences. There are two new settings here. The first, Ask websites not to track me, activates the Do Not Track header in the web browser. Do Not Track is a voluntary system that tells advertisers and websites not to track you across websites. While web browsers offer this setting, advertisers don’t seem to want to respect it.

The second setting, Prevent search engine from providing suggestions, lets you turn off those automatic suggestions you see when entering search terms in a search engine. Apple says you can keep your searches private by checking this setting, but in our tests this had no effect.

Safer Browsing

A feature designed to help users manage website passwords has been added to Mountain Lion. A new Passwords tab in Safari’s preferences let you see all of the websites where you have logged in with a user name and password. You can see the site, the user name and the password, and you can right-click on any of these entries to copy the name of the site, your user name or your password.

You can also click on Show Passwords to display all the passwords Safari has stored, and you can remove any or all of these sites and their credentials.

Safari is simply displaying information that is stored in your keychain, and which is accessible in the Keychain Access utility, but it is much easier to view in this Safari preference pane.

Another small feature in Safari helps you know when you’re on a secure web site. Secure web sites are those that use the https protocol, where information you send is encrypted. This is essential if you’re buying something from a web site, so your credit card number can’t be discovered both in transit and by people who host the web site.

Web browsers generally use some form of padlock icon to indicate secure web sites. In Mountain Lion, Safari 6 has a more obvious way of telling you that a web site is secure. The padlock and the letters “https” are more visible:

In addition, for “extended validation” https certificates, the Safari Address Bar shows the name of the company whose certificate is being used and highlights it in green:

These are special certificates that companies can request after providing incontrovertible proof that they are who they say they are.

Parental Controls

The OS X Parental Controls preference pane offers limited protection for children using Macs. The only changes here are choices to allow users to join multi-player games in Game Center, and to allow them to add Game Center friends.

There is also a setting to disable the use of Dictation, which is disabled by default when Parental Controls are applied to an account.

Dictation

Since we mentioned dictation just above, it’s worth mentioning how this works. If you already have an iOS device that supports dictation, you may be aware that Apple takes the words you speak and sends them to a remote server to be converted to text. Apple points out that:

Your computer will also send Apple other information, such as your first name and nickname; and the names, nicknames, and relationship with you (for example, “my dad”) of your address book contacts. All of this data is used to help the dictation feature understand you better and recognize what you say. Your User Data is not linked to other data that Apple may have from your use of other Apple services.

If you’re concerned about personal information being sent to Apple, then make sure to not use their Dictation feature. You can turn it on or off at any time from the Dictation preference pane.