The Mac Security Blog

Snow Leopard Ships with Insecure Version of Flash Player

We often publish articles about Flash Player security alerts and updates, warning users to update their version of the Flash Player plugin, which can be a vector for remote attacks on their computers. The current version of Flash Player for Mac is 10.0.32.18, but if you go to the Flash Player version test page after installing Snow Leopard, you’ll find that you have version 10.0.23.1, even if you were up-to-date before the upgrade. It seems that Apple is shipping an outdated, even dangerous version of Flash Player.

We therefore recommend that you go to Adobe’s Flash Player download page and grab a copy of the latest version and update your Mac. This one’s been out for a while; there’s no reason why Apple should be shipping an old version.

What’s Missing and What’s New in Snow Leopard Security Enhancements

While Snow Leopard, Apple’s new version of its Mac OS X operating system, contains a number of security enhancements (such as this very limited anti-malware feature), it could have had more, according to an article in The Register. “Known as ASLR, or address space layout randomization, the measure picks a different memory location to load system components each time the OS is started.” This feature – ASLR – is only partially used in Snow Leopard. “The halfhearted attempt at implementing ASLR has been a chief complaint of security researchers since Leopard, Snow Leopard’s predecessor.” Security researchers contacted for the article in The Register say that ASLR has not been improved since Leopard, and remains partial.

However, some new hardening features have been implemented. “One, called DEP, has been greatly expanded in Snow Leopard. It prevents shellcode and similar data that is supplied by a user from being executed by the OS.” And sandboxing has been extended so certain system components are limited in the actions they can carry out.

Apple’s Take on Malware

So what does Apple think about malware? All you need to do is ask: enter the word “malware” in Apple’s Help under Snow Leopard and you get the following:



Intego VirusBarrier X5 Compared to Apple’s Mac OS X 10.6 Snow Leopard Anti-Malware Function

Mac OS X 10.6 Snow Leopard includes a new anti-malware function, which scans some files downloaded or received with some applications for a handful of Trojan horses and other malware. While Apple is finally recognizing the malware threat to Macs, this function is very limited compared with Intego VirusBarrier X5. The following is a comparison of the two, showing why Intego VirusBarrier X5 is far superior to Apple’s simple anti-malware function included in Snow Leopard.

Intego’s Virus Monitoring Center, with a decade of experience protecting Macs from malware, has been the first to discover almost every strain of malware that affects Macs. Intego issues new virus definitions for VirusBarrier within hours of discovering new malware, or new variants of existing malware.

Intego has been a pioneer in protecting Macs since it released the first personal firewall for Mac (NetBarrier) in 1999, and has a full line of security products that protect Mac users’ security and privacy.

| Intego VirusBarrier X5 | Apple’s anti-malware function |
| --- | --- |
| VirusBarrier X5 runs on Mac OS X Snow Leopard, Leopard and Tiger (10.4 or later) and protects Macs with both PowerPC and Intel processors. | Apple’s anti-malware function runs only on Mac OS X 10.6 Snow Leopard, and only on Macs with Intel processors. |
| VirusBarrier X5 scans files downloaded by any application: web browsers, e-mail clients, instant messaging programs, FTP programs, BitTorrent clients and any other file transfer software. | Apple’s anti-malware function only scans files downloaded with a handful of applications (Safari, Mail, iChat, Firefox, Entourage, and a few other web browsers). |
| VirusBarrier X5’s real-time scanner scans all files automatically so malware is detected immediately. | Apple’s anti-malware function only scans files that have been downloaded with certain applications, and only when those files are double-clicked or opened. |
| VirusBarrier X5’s on-demand scanner can also scan individual files, folders or applications on demand, and performs fast scans using Turbo mode. | No such feature. |
| VirusBarrier X5 uses behavioral analysis to spot new variants of existing malware as soon as they appear. | No such feature. |
| VirusBarrier X5 spots polymorphic and metamorphic malware. | No such feature. |
| VirusBarrier X5 scans most types of archives, including disk images (.dmg), Zip archives (.zip) and other common formats. | No such feature. |
| VirusBarrier X5 scans outgoing e-mails for malware. | No such feature. |
| VirusBarrier X5 scans files that are copied to a protected Mac from network volumes, CDs, DVDs or external storage devices such as USB thumb drives. | No such feature. |
| If you have a MobileMe account (formerly .Mac), and your friends put files in your iDisk’s Public folder, VirusBarrier X5 scans them during download. | No such feature. |
| VirusBarrier X5 scans for all kinds of Mac malware: viruses, Trojan horses, worms, macro viruses, scareware, rootkits, etc. | Apple’s anti-malware function currently only scans for two Trojan horses, as of the initial release of Snow Leopard. |
| VirusBarrier X5 scans for Windows viruses, so Mac users don’t pass infected files on to colleagues, or to your own Windows installation. | No such feature. |
| VirusBarrier X5 can repair infected files or put them in a quarantine zone, so you don’t lose data if you get a malware infection. | No such feature. |
| VirusBarrier X5 also repairs infected Macs, by deleting malware from infected files or removing malicious files that malware has installed. | No such feature. |
| VirusBarrier X5 updates its virus definitions regularly, at least twice a week, and issues special updates as soon as new malware is spotted. | Apple’s anti-malware function receives occasional updates via Apple’s Software Update. |
| VirusBarrier X5 keeps full logs of its activity which are easily accessible to users. | No such feature. |
| VirusBarrier X5 provides users with a thorough interface, allowing a number of settings, schedules, and many more features. | Apple’s anti-malware function has no interface and no other features. |
| VirusBarrier X5 can be deactivated if needed. | Apple’s anti-malware function cannot be deactivated. |
| You can send suspicious files to Intego’s Virus Monitoring Center. | No such feature. |

Download a PDF of this comparison in English, French, German, Italian or Spanish.

Snow Leopard to Improve Overall Mac Security?

With the release of Mac OS X 10.6, Snow Leopard, tomorrow, security experts are musing about how much this new version of Apple’s operating system will improve overall security. Security researchers who focus on the Mac – such as Dino Dai Zovi and Charlie Miller – tend to do so because they are fans of the Mac. Dai Zovi said, “I’m an avid Mac user. So I have a vested interest in them being more secure.” But they are not blind to the problems that exist in Mac OS X. Miller said, “Apple hasn’t implemented all the security features that Vista has. They made some improvements in Leopard, but they are still behind.”

Security is a big issue in Snow Leopard, with Apple adding an anti-malware feature as well as touting the security improvements made in the OS. Regarding the former, Miller said, “It will mark a fundamental change in that Apple will be admitting that their operating system is as susceptible to malware as other operating systems.”

It’s worth reading this CNet article, which outlines some of the issues surrounding security on Mac OS X, and highlights some of the improvements in Snow Leopard. But we need to bear in mind that security involves more than just the operating system. As author Elinor Mills says in the article, “In addition to considering how buggy the software is, how secure the operating system code is, and whether malware writers are creating viruses and Trojans for the platform, another factor in play is how likely Mac users are to be duped into visiting a malicious site, opening a malicious e-mail attachment, and downloading a fake file.”

Macworld on Apple’s Anti-Malware Feature in Snow Leopard

We reported yesterday that we had obtained information regarding an anti-malware feature in Snow Leopard, Mac OS X 10.6. Macworld has confirmed this with an extensive article about “Snow Leopard’s hidden malware protection”. The article points out that this feature only works with a handful of programs, and currently only scans for two (!) types of malware: one a common Trojan horse, RSPlug, which Intego discovered in 2007, and the second, the iServices Trojan horse, which was found in a number of pirated versions of Mac software earlier this year. But this feature would not even detect the iServices Trojan, because it does not seem to work with BitTorrent clients; it only, according to Macworld, scans files downloaded with web browsers, e-mail clients and iChat.

Well, for now, we’ll say we’re underwhelmed. Stay tuned for a detailed comparison of Intego VirusBarrier X5 and this new anti-malware feature in Snow Leopard. We’ll be posting a number of articles about this tomorrow.