
The Works: Leopard spots the dangers

Howard Oakley [MacUser]
Opening a disk image containing a Trojan can release a can of worms. But Leopard has adopted a system that can help you spot them before you double-click.

Perhaps the closest modern real-world analogue to the Trojan horse is the bogus caller who hopes to be invited in so they can steal or defraud. From childhood we are schooled in the ways of tricksters. We put up security chains and electronic alarm systems to keep intruders at bay. Yet stumbling across a bit of software bling - maybe momentary titillation, a bit of a laugh or a glistening new tool - we throw all caution to the winds.

It is a great challenge to those who implement security features in operating systems to provide robust protection from Trojan horses. Whereas in Tiger and earlier there were almost no features to warn of potential Trojans, Leopard tags your browser, email and iChat downloads, and warns you when you first open them. This is achieved using metadata that record the date, time, and mode of download, so that this information can be inserted into the alert displayed when the file is first opened.

Apple claims that this single alert is the most effective way of warning users - and logically that has to be about right.

The first problem with the new scheme, though, is that it does not work universally. The new security rules seem to apply only to applications that are obtained in archive formats such as StuffIt or Zip archives. If the application is presented ready to install by dragging and dropping from a disk image (DMG), then it will be tagged and you will be warned when it is first run. But documents such as QuickTime movies and Acrobat PDF files attract no such warning. Neither do applications in the form of an installer package (PKG) on a disk image, Apple's recommended mode of delivery for fresh installations and updates.
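
The tagging described above can be inspected directly. The following is an added example, not code from the column or from Apple: it assumes the download metadata is held in the `com.apple.quarantine` extended attribute as semicolon-separated fields (hex flags, hex Unix timestamp, downloading application), and it runs over constructed sample values so that it works offline.

```python
from datetime import datetime, timezone

# Constructed sample data: file name -> raw attribute value, or None where
# the file carries no tag at all. Not taken from a real system.
SAMPLE = {
    "Widget.app": "0001;47a1c2d0;Safari;",
    "Setup.pkg": None,
    "clip.mov": None,
    "broken.zip": "zz;nothex;Mail",
}

def parse_quarantine(raw):
    """Decode flags, download time and agent; return None if malformed."""
    parts = raw.split(";")
    if len(parts) < 3:
        return None
    try:
        flags = int(parts[0], 16)   # assumed layout: hex flag word
        stamp = int(parts[1], 16)   # assumed layout: hex seconds since 1970
    except ValueError:
        return None
    return {
        "flags": flags,
        "downloaded": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "agent": parts[2] or "unknown",
    }

def audit(tags):
    """Sort files into tagged (decoded), untagged and malformed groups."""
    report = {"tagged": {}, "untagged": [], "malformed": []}
    for name, raw in tags.items():
        if raw is None:
            report["untagged"].append(name)
            continue
        parsed = parse_quarantine(raw)
        if parsed is None:
            report["malformed"].append(name)
        else:
            report["tagged"][name] = parsed
    return report

if __name__ == "__main__":
    result = audit(SAMPLE)
    for name, meta in result["tagged"].items():
        print(f"{name}: via {meta['agent']} at {meta['downloaded']:%Y-%m-%d %H:%M} UTC")
    print("will open without a warning:", ", ".join(result["untagged"]))
    print("tag present but unreadable:", ", ".join(result["malformed"]))
```

On a real Mac the raw value for one file can be read with `xattr -p com.apple.quarantine <file>`; a file for which that command reports no such attribute belongs in the untagged group.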

Given the steady succession of security vulnerabilities that have appeared in relation to various document formats, even apparently innocent and passive types such as JPEG images, omitting all documents from Trojan checks is significant. Granting a privileged status to some software installation systems is also dangerous: while it does take extra effort to fashion an application into an installer package, that is hardly going to stop someone determined to unleash a Trojan at us. Indeed, as we are well used to authenticating the installer to allow components to be installed into protected folders such as /Library, we should be more suspicious of packages supplied as disk images.

Eventually, the newly introduced feature of software signatures might improve protection for installer packages, but for the moment at least this is a capability rather than a reliable path. The other missed opportunity for now is running suspect applications inside Leopard's new sandbox.

At present, few applications in Leopard are run in their own sandbox, which limits the facilities that they can use, abuse, or be abused by. Ironically, in addition to potentially exposed components such as the heart of Bonjour and Kerberos security sign-on, Apple has sandboxed 'programs that routinely take untrusted input' such as Quick Look and Spotlight. Yet the untrusted input to those system tools, freshly downloaded documents and newly installed applications, doesn't merit sandbox protection.

At least Leopard has the vital system features that will allow Apple to respond robustly to the changing security landscape.

If you are staying with Tiger for the time being, though, this may be bad news. If a malware author is prepared to forsake the street cred of targeting Leopard, Tiger remains wide open to Trojans. And it has little or no potential for improvement despite its continuing security updates.

