Built-in antivirus for OS X

Rumours are circulating that Apple’s Snow Leopard OS will include antivirus capabilities. This is a welcome development. While OS X rightly has a good reputation for security, no commercial operating system is immune from malware. In addition to malware that targets OS X itself, there are also exploits based around Flash, Adobe PDFs, and even specific pieces of hardware.

Adding antivirus protection might be a bit of a public relations blow to Apple, which has cultivated a false sense that there is no malware that affects Macs. Nevertheless, it is a good security move. Indeed, the server version of OS X has included such capabilities for some time.

Author: Milan

In the spring of 2005, I graduated from the University of British Columbia with a degree in International Relations and a general focus in the area of environmental politics. In the fall of 2005, I began reading for an M.Phil in IR at Wadham College, Oxford. Outside school, I am very interested in photography, writing, and the outdoors. I am writing this blog to keep in touch with friends and family around the world, provide a more personal view of graduate student life in Oxford, and pass on some lessons I've learned here.

56 thoughts on “Built-in antivirus for OS X”

  1. The keyboard firmware hack was the best. I’ll be sure to tackle anyone walking around with an unplugged apple keyboard heading towards my MBP!

    In all honesty, this development is long overdue. Macs are no more innately secure than Windows; they just have a lower profile, and hence get less attention from the hackers.

    I am looking forward to Snow Leopard’s release this Friday, and for only $29 to upgrade it’s practically a steal.

  2. While $30 won’t break the bank, Snow Leopard doesn’t seem to have many new consumer-focused features: just behind the scenes changes and some general tweaks.

    Certainly nothing as essential as Time Machine, which is one of the best things added to any OS ever, when it comes to the average user. Suddenly, it was possible for the computer-illiterate to have good regular backups.

  3. Snow Leopard review
    by Joshua Topolsky posted Aug 26th 2009 at 9:01PM

    Snow Leopard. Even the name seems to underpromise — it’s the first “big cat” OS X codename to reference the previous version of the OS, and the list of big-ticket new features is seemingly pretty short for a version-number jump. Maybe that’s why Apple’s priced the 10.6 upgrade disc at just $29 — appearances and expectations matter, and there’s simply not enough glitz on this kitty to warrant the usual $129.

    But underneath the customary OS X fit and finish there’s a lot of new plumbing at work here. The entire OS is now 64-bit, meaning apps can address massive amounts of RAM and other tasks go much faster. The Finder has been entirely re-written in Cocoa, which Mac fans have been clamoring for since 10.0. There’s a new version of QuickTime, which affects media playback on almost every level of the system. And on top of all that, there’s now Exchange support in Mail, iCal, and Address Book, making OS X finally play nice with corporate networks out of the box.

    So you won’t notice much new when you first restart into 10.6 — apart from some minor visual tweaks here and there there’s just not that much that stands out. But in a way that means the pressure’s on even more: Apple took the unusual and somewhat daring step of slowing feature creep in a major OS to focus on speed, reliability, and stability, and if Snow Leopard doesn’t deliver on those fronts, it’s not worth $30… it’s not worth anything. So did Apple pull it off? Read on to find out!

  4. I think “innate security” of an OS is silly. All that matters is how actually secure it is. And how actually secure an OS is has to do with, among other things, the quantity of malware written for it.

  5. Computers basically cannot be innately secure, because they are innately permissive. They have no judgment and do exactly what they are told. As long as people keep finding ways to make machines accept their commands (using tricks like buffer overflows, etc), machines will be happy to do whatever they request afterwards.

    That being said, it is a lot harder to execute arbitrary code in a well-designed OS than in a sloppily designed one. For instance, versions of Windows where default accounts are all admins are fundamentally vulnerable to attack.

  6. My point is the theory is dispensable – what matters is how secure the systems are in reality. In practice, how often does computer X get infected with malware, not, “in theory, with an equal number of monkeys working at an equal number of malware development stations, which system would become more infected”.

  7. Fair enough, though security through obscurity isn’t a great strategy either. Relying on the fact that nobody is attacking your obscure platform or software is a strategy that can fail catastrophically as soon as someone tries.

  8. Note that the Snow Leopard upgrade breaks some software:

    Adobe Photoshop CS2
    ClamXav
    CuteFTP
    Cyberduck
    Fallout II
    Google Gears
    Parallels 3.0
    PGP Desktop
    PGP Whole Disk Encryption
    RealVNC
    SilverKeeper
    TextMate
    X-Lite

    Others

  9. I’m anticipating the arrival of both operating systems (OS X and Windows 7). I’ve owned a 64bit capable computer since 2005, but these will be my first attempts at a 64 bit operating system.

    Regarding Snow Leopard not running previous software, such is life. I suspect the upgrade to 64bit makes it difficult to accommodate previous software. I think a bigger issue is that OS X 10.6 will only run on Intel Macs. Any PPC users are stuck with older versions.

  10. Thank you Milan. That was what I meant by prefacing innately to what I was saying.

    In reality Windows does have 100 times (if not more!) the malware written for it, making it the higher risk to run. However, the two variables that make it so (time and effort of hackers) are outside of the OS’s control and can also change over time, making any assertion of relative security specific to the moment in time the statement is made.

    In essence though the difference between Windows with Anti Virus and OSX without is like comparing a house with a locked door to one with an unlocked one. Sure in reality the unlocked one is safe because no one is trying to get in, but that doesn’t change the fact that a locked door is innately safer.

  11. Regarding Snow Leopard not running previous software, such is life.

    True, but a lot of people are going to need to pirate newer versions of Photoshop, which is a pain. Not least because so many of them are laden with tacked-on malware.

  12. I quite liked XPx64 (which is more akin to Win Server 2003 than XP) and still run it. I never went to Vista, but I have the half price Win7 Pro on preorder and have the 32bit RC on an older PC slated to be donated to charity, and really like it. Especially since it runs well on an older Northwood 2GHz P4 with only 512MB of DDR RAM. Granted, the wipe and fresh OS install helped; it still feels fairly fast compared to Vista on the same box.

    Regarding the apps not compatible, my biggest concern is minor bugs with Photoshop CS3, which was not on that list RK mentioned. Though I don’t know what those bugs are I got my info from this site:

    http://snowleopard.wikidot.com/

  13. True, but a lot of people are going to need to pirate newer versions of Photoshop, which is a pain. Not least because so many of them are laden with tacked-on malware.

    That’s probably the best way to get one’s not-so-desirable code to execute on OS X: put it into an installer for pirated software. That way the person enters their password (or in my case and others, leaves it blank because that IS their password) and the code can run.

  14. R.K.,

    Thanks for the heads up. I’m doing some tech support for Macs right now, so I expect lots of confused people asking questions after the upgrade.

  15. “Sure in reality the unlocked one is safe because no one is trying to get in, but that doesn’t change the fact that a locked door is innately safer”

    So, first you empty “innately” of any meaning in reality, and then you re-assert it?

  16. My legitimately purchased version of Photoshop is CS1.

    Will Snow Leopard break it?

    Losing it and TextMate would be savage blows from the snow-dusted cat.

  17. I did. I think we are arguing semantics. Perhaps a better word would be intrinsic.

    Semantically, how do you define “security”, and more importantly assess it? Does the assessment to determine if something is “secure” or not include only an evaluation of the mechanisms that prevent harm or does the assessment also include the larger context of the number of threats as well?

    I think most people don’t think in terms of the larger context when they call something “secure” or not. They would call something “secure” based on the mechanisms alone. I would call the number of threats “risk level” or something like that.

    I think the problem is when we try to reconcile the two conditions into one term, security. And then we go and do a relative comparison on top of that! Something can be highly secured yet high at risk, while another can be not secured but low at risk. Because it is high at risk doesn’t change the fact that it’s highly secured, just like the fact that something is low at risk does not change the fact that something is not secure.

  18. Call it “innate” or “intrinsic” if you want, what you really mean is outside the real world. Things are only secure or not with reference to real world threat, not ideal ones. So, there is no such thing as “innate” security because outside of the context of actual existent malware, no threats exist at all. No system can be “more innately secure” than any other because “innately” no system is secure at all, or every system is perfectly secure, because “security” has no meaning at all in that context.

  19. “They would call something “secure” based on the mechanisms alone.”

    Then they are an idiot and should be ignored – because mechanisms are only “secure” insofar as they work with reference to actual threats.

    Calling a system “innately secure” is like calling a car “innately safe” without knowing what kind of context it will be operated in. If you don’t know in advance whether the threats are normal road type or demolition derby time or road salt type or driving underwater type, the notion of “safety” can not be applied to the car at all.

    And ya, this is semantics. Semantics concerns what words mean. So, if we want to talk to each other, it might be a bit important to discuss “semantics” in cases where it is unclear what the words we are using mean.

  20. This could get very philosophical but I actually agree with you on this point (I wouldn’t use the strong language you use though):

    “Then they are an idiot and should be ignored – because mechanisms are only “secure” insofar as they work with reference to actual threats.”

    Yet the common usage of the word is often meant objectively, simply meaning how “locked” something is. It’s like saying 1024 bit encryption is more secure than 128 bit encryption. I think that is a true and fair statement. It certainly is if no additional context is given. Can you agree to that?

    If using your larger context definition it might not be true if half the world is trying to break the 1024 bit encryption and only one person is trying to break the 128 bit encryption.

  21. I didn’t engage in a personal attack. If you read what I said, I said people who believe a house is secure because it is locked, without reference to the fact it exists in a world, are idiots. However, I sincerely doubt that these “people” who R. K. seems to think are everywhere, actually exist. When people say locked is more secure than unlocked, they assume a consistent context over both situations in order to compare them – this is not the same as considering the lock without reference to any possible attacks. So, unless someone can prove that people are actually deeply confused about security, it isn’t a personal attack.

    “It’s like saying 1024 bit encryption is more secure than 128 bit encryption. I think that is a true and fair statement. It certainly is if no additional context is given.”

    R.K., your mistake here is to infer from the fact that no context is given, to the unjustified and unargued assertion that no context is implied. What is implied in the “more secure” here is that the context is the same for both levels of encryption. 1024 bit is more secure than 128 given the same degree and intensity of attack. This is a useful and justifiable assumption when comparing PCs with PCs – Macs are secure because they cannot be compared with PCs with respect to intensity or numbers of attacks. I’m not the only one who understands this – a large part of Mac’s marketing strategy is hinged on just this fact about security.

  22. For something to be ‘secure,’ it needs to be able to avoid harm from agents that maliciously attack it as well as recover quickly when such attacks succeed. It may also be important to adapt to past attacks, identify attackers, and sometimes initiate active counterattacks.

    The key difference between ‘safety’ and ‘security’ is that safety is resilience in the face of non-actor risks, such as weather. Security, by contrast, is all about things that intentionally attack you.

    It is possible to be very secure against some threats, while very vulnerable to others. For instance, an airplane might be well protected against antiaircraft guns and missiles, but not protected from being hijacked by someone aboard.

    Things aren’t really ‘secure’ or ‘insecure.’ They are just secure or insecure relative to situations: either the one they are in, or one they might find themselves in. For instance, a lightly armoured car might be quite adequate for Paris, but not for Baghdad.

    It does seem fair to say that one operating system is inherently more secure than another, relative to a particular threat or attacker. Features like limiting what low-level users can do, and implementing permissions for files and folders, give UNIX systems some claim to being inherently more secure than Windows systems.

  23. Features like limiting what low-level users can do, and implementing permissions for files and folders, give UNIX systems some claim to being inherently more secure than Windows systems.

    Windows has had permissions since Windows NT. Windows XP includes permissions, as well as different privileges for different user accounts. You should see how locked down the IT department at my work has its XP machines. Without admin rights, they won’t let you do much.

  24. immunity from the will of others

    Concise and correct.

    L’enfer c’est les autres. Of course, heaven is also others.

  25. “It does seem fair to say that one operating system is inherently more secure than another, relative to a particular threat or attacker.”

    Yes. Exactly. And because no particular threat or attacker is constant across different OS’s, it doesn’t make a lot of sense to say one kind of system is inherently more secure than another. In fact, it might be that the notion of “inherently” just doesn’t mean much when applied to situations in the world where the context can’t be idealized as uniform.

  26. The Story of a Simple and Dangerous OS X Kernel Bug

    “At the beginning of this month the Mac OS X 10.5.8 closed a kernel vulnerability that lasted more than 4 years, covering all the 10.4 and (almost all) 10.5 Mac OS X releases. This article presents some twitter-size programs that trigger the bug. The mechanics are so simple that they can be easily explained to anybody possessing some minimal knowledge about how operating systems work. Besides being a good educational example this is also a scary proof that very mature code can still be vulnerable in rather unsophisticated ways.”

  27. Adobe Creative Suite and Snow Leopard: what you should know: Adobe has drawn the line in the sand between Intel and PPC for upcoming versions of its Creative Suite, and now it’s doing so again between CS3 and CS4 when it comes to Snow Leopard support. It might not please everyone, but that’s the price some of us pay for staying on the cutting edge.

  28. And because no particular threat or attacker is constant across different OS’s, it doesn’t make a lot of sense to say one kind of system is inherently more secure than another.

    There are some kinds of attacks that can be targeted against multiple operating systems. For instance, attempts to hijack SSL via man-in-the-middle attacks, or trying to exploit vulnerabilities in cross-platform applications like Flash and Adobe PDF.

    There are also tactics that theoretically work with all operating systems, such as the buffer overflows mentioned above.

    Virtualization may further increase the range of threats that are cross-platform.

  29. Snow Leopard includes several security enhancements. According to Apple, Snow Leopard supports 64-bit applications, which the company claims are more secure than 32-bit applications because of the way the operating system handles function-passing. Mac OS X 10.6 also includes hardware-based execution control for heap memory, stronger checksums for preventing memory corruption attacks, and antivirus capabilities.

    Symantec, a leading maker of security software, says Snow Leopard’s File Quarantine feature only offers basic malware protection. “It is not a full-featured antivirus solution and does not have the ability to remove malware from the system,” the company said in an e-mailed statement. “File Quarantine is also signature-based only. Malware signatures are only as good as the definitions, requiring Apple to provide regular, timely updates.”

    Symantec also notes that Mac OS X’s Software Update mechanism is not fully automatic and lacks a user interface to see which signatures have been downloaded.

    Symantec also observes that Apple’s security enhancements do not protect against unauthorized access to sensitive files or block the transmission of sensitive information, like Norton Internet Security for the Mac. The company also says that Mac OS X’s firewall is turned off by default and isn’t as configurable as its product.
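    The Symantec statement above makes a concrete point about how File Quarantine detects things: it is signature-based, so a file is flagged only if it matches a definition that has already been shipped. The following is an added example, not Apple’s File Quarantine code nor Symantec’s; it is a toy scanner with two constructed definition sets (an older and a newer one) and constructed sample files, written to show why a signature engine is only as good as the definitions it has loaded. Every family name, signature and sample byte string below is made up for illustration.

```python
"""Toy signature-based scanner illustrating the "only as good as the
definitions" caveat.  Added example; all signatures, family names and
sample files are constructed and do not correspond to real malware."""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    family: str
    kind: str    # "sha256" = whole-file digest, "bytes" = byte pattern anywhere in the file
    value: str   # hex digest for "sha256", or the pattern text for "bytes"

    def matches(self, data: bytes) -> bool:
        if self.kind == "sha256":
            return hashlib.sha256(data).hexdigest() == self.value
        if self.kind == "bytes":
            return self.value.encode() in data
        raise ValueError(f"unknown signature kind: {self.kind}")


@dataclass(frozen=True)
class Definitions:
    version: str
    signatures: tuple


def scan_bytes(data: bytes, defs: Definitions) -> Optional[str]:
    """Return the family name of the first matching signature, or None if nothing matches."""
    for sig in defs.signatures:
        if sig.matches(data):
            return sig.family
    return None


def scan_files(files: dict, defs: Definitions) -> dict:
    """Scan a {name: bytes} mapping and return {name: family_or_None}."""
    return {name: scan_bytes(data, defs) for name, data in files.items()}


def definitions_current(installed: Definitions, latest: Definitions) -> bool:
    """Operational check a practitioner wants: are the loaded definitions the newest ones?"""
    return installed.version == latest.version


# Constructed sample contents (hypothetical installer payloads, not real malware).
SAMPLE_A = b"CONSTRUCTED-SAMPLE-A: pretend installer payload, first wave\n"
SAMPLE_B = b"CONSTRUCTED-SAMPLE-B: pretend installer payload, second wave\n"
BENIGN = b"#!/bin/sh\necho 'hello from a harmless script'\n"

# Older definition set: knows only the first-wave sample, by whole-file hash.
DEFS_OLD = Definitions(
    version="constructed-2009-08",
    signatures=(
        Signature("Example.Trojan.A", "sha256", hashlib.sha256(SAMPLE_A).hexdigest()),
    ),
)

# Newer definition set: adds a byte-pattern signature that also covers the second wave.
DEFS_NEW = Definitions(
    version="constructed-2009-09",
    signatures=DEFS_OLD.signatures
    + (Signature("Example.Trojan.B", "bytes", "CONSTRUCTED-SAMPLE-B"),),
)

if __name__ == "__main__":
    files = {"first.pkg": SAMPLE_A, "second.pkg": SAMPLE_B, "script.sh": BENIGN}
    for defs in (DEFS_OLD, DEFS_NEW):
        print(defs.version, scan_files(files, defs))
    print("definitions current:", definitions_current(DEFS_OLD, DEFS_NEW))
```

Running the block scans the same three files with both definition sets: the older set flags only the first sample and silently passes the second, while the newer set catches both and still leaves the harmless script alone. That gap between the two runs is exactly the window the statement refers to, and the `definitions_current` check is the kind of thing a monitoring script should alert on when a vendor’s update mechanism is not fully automatic.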

  30. Snow Leopard ‘downgrades’ Flash to vulnerable version

    Apple ships outdated Flash with OS upgrade; users must manually update to stay safe
    By Gregg Keizer
    September 3, 2009 11:46 AM ET

    Apple has shipped an out-of-date and vulnerable version of Adobe Flash Player with Snow Leopard, security companies have warned.

    Worse, say experts, is that Snow Leopard silently “downgrades” once-secure editions of Flash Player to the buggy version that ships with the Mac OS X 10.6 operating system upgrade.

    On Monday, Intego, an Austin, Texas firm that specializes in Mac security software, noted that Snow Leopard installs Flash Player 10.0.23.1. The current version of Flash Player for the Mac, however, is actually 10.0.32.18. “It seems that Apple is shipping an outdated, even dangerous version of Flash Player,” Intego spokesman Peter James said on a company blog.

  31. These flash issues are all the more reason to use Firefox and NoScript.

    The latter can be annoying to use, since you need to manually whitelist sites, but it significantly reduces your exposure to new and existing vulnerabilities.

  32. The issue of OS X shipping with an older version of something or other doesn’t really faze me, provided the OS updater downloads new versions after an install. In a year, presumably many things on the disc will be out of date and people doing re-installs from the disc they bought in September 2009 will have to update anyway.

    The disc that shipped with my 2005 laptop is Windows XP Home SP2. Many updates, including a service pack, have been released since then. If I ever do a reinstall, I expect to just download the updates from Microsoft’s site.

  33. A manual patch is available from Adobe.

    Apparently, Windows XP SP3 also shipped with a vulnerable version of Flash, which I think further demonstrates the value of taking secondary precautions, like using NoScript.

  34. Mac OS X 10.6.1 update now live

    Well, that was fast — just over a week after Snow Leopard officially shipped, the first update’s on the books. Nothing major in the changelog here, but we’re told Flash has been updated to a newer, more secure version. Let us know how it goes for you, eh?

  35. Snow Leopard Missed a Security Opportunity

    By kdawson on where-did-you-put-it-what-you-know-where-do-you-think-oh

    CWmike writes “Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. ‘Apple didn’t change anything,’ said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker’s Handbook, and winner of two consecutive ‘Pwn2own’ hacker contests. ‘It’s the exact same ASLR as in Leopard, which means it’s not very good.'”

  36. How would you change Snow Leopard?

    Ah, Snow Leopard. It’s the same cat you’re used to caressing (or beating, as the case may be), but in a much, much colder climate. Or something like that. OS X 10.6 promised Leopard users a “refined” experience, and one that would only cost upgrading users $29. At that price, most Apple fanatics figured that picking it up on launch day was a no-brainer, but as we’ve come to sadly expect from Cupertino’s software labs these days, all wasn’t perfectly well with the big snowy cat. Even now, users are still kvetching about broken functionality and mental pains that are literally indescribable. Even if you’re not in that camp, we’re eager to hear how your Snow Leopard experience has been. Are you satisfied with the upgrade? Will you never, ever install an Apple update again before a million others try it first? Are you already looking forward to 10.7 Windows 7? Tell all in comments below — you never know who could be tuning in.

  37. Snow Leopard guest account bug deletes user data

    By AppleInsider Staff
    Published: 01:10 PM EST

    Reports of a potentially critical Snow Leopard bug that can erase a user’s account data have continued to surface since the operating system’s debut.

    Since Mac OS X 10.6 launched in late August, numerous reports online have detailed the issue, which is triggered by logging in and out of a guest account on a Snow Leopard machine. Upon logging back in to their regular account, users will find that it has been wiped of all data.

  38. “I bought Photoshop CS4 (Windows) on eBay (I know, dumb, dumb, dumb, and more dumb). Packaging, product numbers, and dvds looked real, and it worked for exactly 30 days. Adobe says that serial number is invalid. Have read stories on Internet about trojans in MAC Photoshop CS4 software. I’ve run spyware and virus scans and turn up nothing. Is there any way I can be sure that this counterfeit software hasn’t left a rootkit or something else nasty on my computer. Thanks!”

  39. First Malicious iPhone Worm In the Wild

    “After the ikee worm that displayed a picture of Rick Astley on jailbroken iPhones, the first malicious iPhone worm (Google translation; original, in Dutch) has now been discovered in the wild. Internet provider XS4ALL in the Netherlands encountered several of such devices (link in Dutch) on the wireless networks of their customers and put out a warning. After obtaining a copy of the malware it was discovered that the jailbroken phones, which are exploited through openSSH with a default password, scan IP ranges of mobile internet providers for other vulnerable iPhones, phone home to a C&C botnet server, are able to update themselves with additional malware and have the ability to dump the SMS database as well. Owners of a jailbroken iPhone with a default root password are advised to flash to the latest Apple firmware in order to ensure no malware is present.”

  40. Intego’s “Year In Mac Security” Report

    “Mac OS X and iPhones that haven’t been jailbroken fare pretty well (although vulnerabilities exist, there’s not been a lot of exploitation). Apple does come in for criticism for ‘time to fix’ known vulnerabilities. Jailbroken iPhones are a mess. The biggest risk to Macs are Trojan horses, often from pirated software.”

  41. Over the past few months, my iMac became woefully slow and buggy. It was my hope that upgrading to Snow Leopard might unclutter it a bit. Thankfully, it has done exactly that.

    Because the Snow Leopard installer wouldn’t recognize my hard drive as a valid installation target, I had to back everything up using Time Machine (and a few DVDs for really critical files) and then do a low-level format on the drive.

    So as to still have iPhoto, I then used the system recovery feature on the Mac OS boot disc to copy all my data back from the external drive. The Snow Leopard installer was then happy to run.

    Everything is working better and more smoothly. Programs load faster, even websites, and the system feels zippy and stable.

  42. SecureMac and Intego, among other security firms, today alerted the Mac community to a new Trojan threat, trojan.osx.boonana.a (Intego gives it the name OSX/Koobface.a), which is spreading via social networking sites like Facebook and e-mail. The trojan appears as a link in messages with the subject “Is this you in this video?”, and when users click on the link, a Java applet downloads an installer, which modifies system files to bypass passwords and other protections….

  43. “That’s new ground for Apple,” Storms said, pointing out that the move is a first for the company, which until now has only offered a bare-bones malware detection mechanism in Mac OS X 10.6, aka Snow Leopard, and then only populated it with a handful of signatures.

    “Not only is Apple going to help customers remove [Mac Defender], but by doing so, they’re also admitting that there are security problems with Mac OS,” Storms said.

    MacDefender — which also goes by names such as MacProtector and MacSecurity — first popped up earlier this month when French security company Intego said it had found the scareware in the wild.
