Feeds

Apple sneaks malware protection into Snow Leopard

Coverage goes only so far

Seven Steps to Software Security

Apple is dipping yet another toe into the anti-malware pond with a feature in the latest beta version of its forthcoming Snow Leopard operating system.

The protection was quietly added earlier this month to Snow Leopard 10A432, the most recent build of the new version of Mac OS X that is due for release this Friday, according to someone who has tested the feature and asked not to be identified because pre-release versions of Snow Leopard come with non-disclosure clauses. A separate Snow Leopard tester said the functionality is included in 10A421a, an even earlier build.

The feature causes users who try to install applications known to be malicious to receive a pop-up window warning that the file will damage the computer and should be moved to the Trash.

At the moment, though, the feature offers fairly limited protection. Based on an analysis of a corresponding preferences file called XProtect.plist, it appears that the feature checks for only two known Mac trojans. And it only flags those files if they were downloaded from the internet using Entourage, iChat, Safari, and a handful of other applications, according to this person. Files that were downloaded using Skype and dozens of other net-facing applications aren't covered, nor are files on DVDs and thumb drives.

The revelations come as Apple has issued a fresh round of commercials that portray the Mac as a haven free of malware threats. "I want [a computer] that just works without thousands of viruses and a ton of headaches," a prospective customer complains in this spot. An Apple spokeswoman didn't return a phone call seeking comment.

The protection appears to build off one added to the Tiger version of Mac OS X that automatically opens some files after downloading. That feature scans files downloaded with Safari and several other applications and automatically opens them if they are deemed safe. The safety checks in this feature are much more limited than those used in full-fledged anti-virus software, said Dino Dai Zovi, co-author of The Mac Hackers Handbook.

So it's not surprising to find this latest addition lacking in many respects as well. According to the person who has seen the latest beta, it checks only for the RSPlug and iServices trojans. While those are two of the most active threats confronting Mac users, the number of malware programs actively targeting the OS is most likely measured in the hundreds, security experts said.

And as we said, users who try to install one of those two trojans will receive a warning only if the file was downloaded from the internet with a small number of applications, which in addition to Entourage, iChat, and Safari, also includes Mail, Firefox, and Thunderbird, according to the person who's seen the feature. The protection also appears to be lacking any means to scan an entire hard drive for malicious files.

But it wouldn't be difficult to beef up the offering. Updating the XProtect.plist file could be easily done the next time Apple issues an update. It's unclear how easy it would be make other applications work with the feature. Dai Zovi speculates they use an application programming interface supplied by Apple engineers.

It still remains to be seen what Apple's intentions are. To offer more comprehensive protection, the company would have to update the definitions a couple of times a week to stay abreast of variations that are regularly pumped into the ecosystem. It's questionable whether Mac aficionados would have the patience to download updates that often.

"This is something that's not in the Mac users' culture," said Dai Zovi, who has not yet tested Snow Leopard. "What would be awesome is if the user could plug in their own anti-virus like Clam for a minimally obtrusive anti-virus thing."

Intego, which provides anti-virus software for the Mac, offers a bare bones write up of the new feature here. ®

This story was updated to include the observations of a separate Snow Leopard tester.

A screenshot of the Snow Leopard malware warning

A screenshot of the Snow Leopard malware warning

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.