Archive

Archive for September 14, 2015

System Integrity Protection and the end of XProtect management for browser plug-ins

September 14, 2015 13 comments

OS X El Capitan adds a new security feature named System Integrity Protection (SIP). Among other things, SIP prevents parties other than Apple from adding, deleting or modifying directories and files stored in certain directories:

  • /bin
  • /sbin
  • /usr
  • /System

Apple has indicated that the following directories are available for developers to access:

  • /usr/local
  • /Applications
  • /Library
  • ~/Library

All directories in /usr except for /usr/local are protected by SIP.

SIP’s protection of /System affects XProtect’s XProtect.plist and XProtect.meta.plist configuration files as they are stored in the following location inside /System:

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

As the XProtect configuration files will be locked against editing on OS X El Capitan, this means that they can no longer be managed to allow older versions of the Flash and Java browser plug-ins to run.

If your shop includes a mission-critical system that requires using older Flash or Java browser plug-ins, I recommend working with your vendor and/or in-house developers to find out:

  1. If the use of the Java and/or Flash browser plug-ins can be discontinued.
  2. If their use can’t be discontinued, if the system in question can be updated to support the latest versions of these plug-ins and continue to be compatible as new versions of the Java and/or Flash browser plug-ins are released.

Update – 9-14-2015: Josh Dyson has pointed out that there is a way to allow older plug-ins to access specific sites.

By adding the needed sites to a whitelist in Safari and setting those specific sites to Allow Always, those sites’ functions will be accessible with the older browser plug-in even if XProtect would otherwise block the use of the plug-in. Websites not included in the whitelist would still have the use of the plug-in blocked.

Screen Shot 2015-09-14 at 8.20.10 PM

Apple has provided a KBase article showing how to manage Safari plug-in options, including how to whitelist websites, using a configuration profile. It’s available via the link below:

https://support.apple.com/HT202947

%d bloggers like this: