"Up until recently all Mac security software packages downloaded over unencrypted http connections, relying on Garekeeper for code verification. Because Wardle uncovered a way to bypass Gatekeeper, this opens the door to man-in-the-middle or other attacks.
"More advanced attackers, such as nation states, would be able to see a download in progress before injecting code into legitimate downloads,"
Wardle found that users could turn off the signed protections in OS X (actually a feature of Gatekeeper to allow users to not be limited to the Apple Mac App Store) to download any app they wanted. . . oh, the horrors of users choice. . . which he thinks should be prevented!
Wardle's complaints were covered in a previously posted article on FR last month when he made the same complaints before the RSA Conference in San Francisco. . . and roundly criticized there by other computer security experts. Wardle did find another way to do the Rootpipe, not the same as the original, which was extremely difficult to exploit in the first place, requiring physical possession of the computer as does Wardle's later vulnerability. Apple has closed that one too. PING!
Apple Security Ping!
If you want on or off the Mac Ping List, Freepmail me.
The latest Freepathon is rushing to the wire, so let's put it over the top! I challenge the members of the Apple ping list to each donate at least $10 each to the latest Freepathon. I HAVE donated $100. Many members of the Apple Ping list are already rising to the challenge. Join them. Let's show the power of the Apple Ping list in supporting Freerepublic!
MAKE A DONATION TO THE FREEPATHON!