Apple sneaks malware protection into Snow Leopard

Coverage goes only so far

Apple is dipping yet another toe into the anti-malware pond with a feature in the latest beta version of its forthcoming Snow Leopard operating system.

The protection was quietly added earlier this month to Snow Leopard 10A432, the most recent build of the new version of Mac OS X that is due for release this Friday, according to someone who has tested the feature and asked not to be identified because pre-release versions of Snow Leopard come with non-disclosure clauses. A separate Snow Leopard tester said the functionality is included in 10A421a, an even earlier build.

The feature causes users who try to install applications known to be malicious to receive a pop-up window warning that the file will damage the computer and should be moved to the Trash.

At the moment, though, the feature offers fairly limited protection. Based on an analysis of a corresponding preferences file called XProtect.plist, it appears that the feature checks for only two known Mac trojans. And it only flags those files if they were downloaded from the internet using Entourage, iChat, Safari, and a handful of other applications, according to this person. Files that were downloaded using Skype and dozens of other net-facing applications aren't covered, nor are files on DVDs and thumb drives.

The revelations come as Apple has issued a fresh round of commercials that portray the Mac as a haven free of malware threats. "I want [a computer] that just works without thousands of viruses and a ton of headaches," a prospective customer complains in this spot. An Apple spokeswoman didn't return a phone call seeking comment.

The protection appears to build off one added to the Tiger version of Mac OS X that automatically opens some files after downloading. That feature scans files downloaded with Safari and several other applications and automatically opens them if they are deemed safe. The safety checks in this feature are much more limited than those used in full-fledged anti-virus software, said Dino Dai Zovi, co-author of The Mac Hackers Handbook.

So it's not surprising to find this latest addition lacking in many respects as well. According to the person who has seen the latest beta, it checks only for the RSPlug and iServices trojans. While those are two of the most active threats confronting Mac users, the number of malware programs actively targeting the OS is most likely measured in the hundreds, security experts said.

And as we said, users who try to install one of those two trojans will receive a warning only if the file was downloaded from the internet with a small number of applications, which in addition to Entourage, iChat, and Safari, also includes Mail, Firefox, and Thunderbird, according to the person who's seen the feature. The protection also appears to be lacking any means to scan an entire hard drive for malicious files.

But it wouldn't be difficult to beef up the offering. Updating the XProtect.plist file could be easily done the next time Apple issues an update. It's unclear how easy it would be to make other applications work with the feature. Dai Zovi speculates they use an application programming interface supplied by Apple engineers.

It still remains to be seen what Apple's intentions are. To offer more comprehensive protection, the company would have to update the definitions a couple of times a week to stay abreast of variations that are regularly pumped into the ecosystem. It's questionable whether Mac aficionados would have the patience to download updates that often.

"This is something that's not in the Mac users' culture," said Dai Zovi, who has not yet tested Snow Leopard. "What would be awesome is if the user could plug in their own anti-virus like Clam for a minimally obtrusive anti-virus thing."

Intego, which provides anti-virus software for the Mac, offers a bare bones write up of the new feature here. ®

This story was updated to include the observations of a separate Snow Leopard tester.

A screenshot of the Snow Leopard malware warning
