  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
| Apple Snow Leopard malware defense 'very basic'
InfoWorld | August 28, 2009
»www.infoworld.com/d/security-cen···asic-587
Apple XProtect anti-malware feature defends against just two Trojans
The industry has been speculating that Apple's Snow Leopard operating system (released today) would include anti-virus functionality. In reality, the Apple XProtect anti-malware feature defends against just two Trojans, says one security vendor.
"Apple is positioning this more as anti-malware defense-enhancing default security, not anti-virus," says Chet Wisniewski, security analyst at Sophos. The function is intended to defend against two common Trojan attacks that could hit users not using anti-virus software, he says.
While Snow Leopard does have the ability to update this feature to defend against more types of malware, Apple is informing traditional anti-virus vendors that it won't compete in full-fledged anti-virus defense, Wisniewski says.
"This is very basic," Wisniewski says. "What they're doing is pattern-matching for two well-known Trojans, including one that pretends to be a video player." Sophos' analysis of the Apple Snow Leopard anti-malware defense: »www.sophos.com/blogs/sophoslabs/v/post/6269 -- Smokey's Security Forums »www.smokey-services.eu/forums/ Smokey's Security Weblog »smokeys.wordpress.com/ Site Member ASAP - Alliance of Security Analysis Professionals |
|
  TearAbite
join:2001-07-25 Rancho Cucamonga, CA | Good thing it's nearly unnecessary and 'very basic' is more than enough.. |
|
  siljaline mind that delimiter Premium join:2002-10-12 Montreal, QC
·Bell Sympatico
2 edits | reply to Smokey Bear Thanks, Smokey Bear First look here > »www.reghardware.co.uk/2009/08/25···leopard/ 6 Things You Need to Know About Mac OS X Snow Leopard Snow Leopard security - The good, the bad and the missing |
|
  TearAbite
join:2001-07-25 Rancho Cucamonga, CA | reply to Smokey Bear Re: Apple Snow Leopard malware defense 'very basic'
Don't you have some antivirus to update or something? |
|
 KodiacZiller
join:2008-09-04 73368
| reply to Smokey Bear Why should this AV software scan for more than two trojans? There are simply very few viruses/trojans in the wild for OS X. It is pointless to have the OS X AV scan for Windows viruses.
What you guys are essentially saying is that since OS X doesn't have a virus problem (and only scans for two trojans), it is less secure. This is some pretzel logic if I've ever seen it. It's like saying that just because John has a bunch of insecticide stored in his garage and Peter has none, that his house is more "secure" from pests than is Peter's, even though there are no natural pests in Peter's geographical region. It would be a waste of time for Peter to stock up on insecticide. |
|
  ashrc4
join:2009-02-06 australia
1 edit | reply to Smokey Bear Re: Apple Snow Leopard malware defense 'very basic'
Mac OS will dual boot with windows and it's possible to harbour either of their virus on either machine. The same logic in part also applies to Unix varieties. EDIT; "in part" added -- Paradigm Shift beta test pilot. So far nothing to report. Now is the not right time to stop folding. |
|
  ashrc4
join:2009-02-06 australia
| said by ashrc4 :it's possible to harbour either of their virus on either machine. EDIT; "in part" added I would be happy if ms av's also scanned for mac viruses. Even if they were compiled on a Linux machine vm'ed in windows.  -- Paradigm Shift beta test pilot. So far nothing to report. Now is the not right time to stop folding. |
|
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
| reply to TearAbite Snow Leopard security - Vista lessons not learned TheRegister | 29th August 2009
Apple Engineers missed a key opportunity to implement an industry-standard technology in their latest operating system that would have made it more resistant to hacking attacks, three researchers have said.
Known as ASLR, or address space layout randomization, the measure picks a different memory location to load system components each time the OS is started. While Microsoft has had it implemented since the roll-out of Windows Vista, the analogous protection in Snow Leopard, which went on sale Friday, suffers from a crucial deficiency: It fails to randomize core parts of the OS, including the heap, stack and dynamic linker.
That means that attackers who identify buffer overflows and similar bugs in OS X components have a much better chance of causing the vulnerability to execute malicious code that compromises the machine. The halfhearted attempt at implementing ASLR has been a chief complaint of security researchers since Leopard, Snow Leopard's predecessor. Many had hoped it would be made more robust in the new version.
"ASLR is really only useful if EVERYTHING is randomized," Charlie Miller, co-author of The Mac Hacker's Handbook, wrote in an email to The Register. "If there is anything that is not randomized, it defeats the purpose mostly. This is a major shortcoming of Apple, and I'm disappointed they didn't take this opportunity to implement full ASLR."
Not that the new OS hasn't improved some security offerings. One, called DEP, has been greatly expanded in Snow Leopard. It prevents shellcode and similar data that is supplied by a user from being executed by the OS. Had OS X had the protection over the past two Pwn2Own hacking contests neither of Miller's winning exploit entries would have worked.
One possible weakness with the new DEP offering: several parts of the Safari browser remain both writable and executable, a shortcoming that may make it easier for attackers to strike at one of the most targeted Apple applications.
Apple has made additional changes, including expanded menu options in its firewall and Safari plug-ins that run as separate processes. While Mogull said the latter should make it harder to exploit buggy add-ons, Dai Zovi worried that the change might allow attackers to repeatedly crash them unbeknownst to the user. »www.theregister.co.uk/2009/08/29···ecurity/ -- Smokey's Security Forums »www.smokey-services.eu/forums/ Smokey's Security Weblog »smokeys.wordpress.com/ Site Member ASAP - Alliance of Security Analysis Professionals |
|
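The two weaknesses the quoted Register article describes (regions that load at the same address on every run, and memory that is both writable and executable) can be checked for by comparing memory-map snapshots. This is an added example, not code from the post or from The Register; the `start-end perms name` layout, the region names and every address are constructed sample data, not real `vmmap` output.

```python
# Added example: audit two memory-map snapshots of the same program.
# The snapshot layout and all addresses are constructed for illustration.

RUN_A = """\
00100000-00200000 rw- heap
8fe00000-8fe40000 r-x dyld
90a12000-90b00000 r-x libSystem
93400000-93410000 rwx jit_buffer
bf800000-c0000000 rw- stack
"""

RUN_B = """\
00100000-00200000 rw- heap
8fe00000-8fe40000 r-x dyld
91c34000-91d22000 r-x libSystem
95a00000-95a10000 rwx jit_buffer
bf800000-c0000000 rw- stack
"""


def parse(snapshot):
    """Return {region name: (start address, permission string)}."""
    regions = {}
    for line in snapshot.splitlines():
        if not line.strip():
            continue
        span, perms, name = line.split(None, 2)
        start, end = (int(x, 16) for x in span.split("-"))
        if end <= start:
            raise ValueError(f"bad address range: {line!r}")
        regions[name] = (start, perms)
    return regions


def audit(run_a, run_b):
    """Return (regions with an unchanged base, regions that are W+X)."""
    a, b = parse(run_a), parse(run_b)
    # A region whose base address is identical across runs is predictable.
    static = sorted(n for n in a.keys() & b.keys() if a[n][0] == b[n][0])
    # A region both writable and executable is not covered by DEP.
    wx = sorted(n for n, (_, p) in a.items() if "w" in p and "x" in p)
    return static, wx


if __name__ == "__main__":
    static, wx = audit(RUN_A, RUN_B)
    print("not randomized:", ", ".join(static))
    print("writable and executable:", ", ".join(wx))
```
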
  siljaline mind that delimiter Premium join:2002-10-12 Montreal, QC | Thanks, Smokey Bear  |
|
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub | You're welcome Sil.  |
|
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
| reply to Smokey Bear Regretful upgrade: Snow Leopard incompatibilities Cnet News | September 1, 2009
Apple's $29 operating-system upgrade, Snow Leopard, is for most users a straightforward and worthwhile upgrade. But some are regretting their haste in upgrading to Mac OS X 10.6. Little incompatibilities with existing apps are causing headaches and slowing down work flow.
It's not the current versions of the big apps that don't work, of course. The latest version of Photoshop still runs. Even the current versions of the close-to-the-metal virtualization applications Parallels and VMware Fusion work in Snow Leopard. Apple's own apps--Mail, Calendar, and iTunes--all work great. And Firefox runs fine, even though Apple has its own competing browser, Safari.
But many little things don't work, and the niggles are frustrating. Dealing with them makes the Mac experience very un-Mac-like. For some users who have spent time tweaking their Mac setup, the operating-system upgrade means a step backward in the pleasure and smoothness of using the platform. They feel a hit in productivity. For people like me, it's the little hacks that make the Mac experience uniquely personal and help me paper over some of the Jobsian UI dictums of which I'd rather not be reminded.
Necessary disclaimer: Apple and third-party developers deserve much credit for ensuring that so many major apps work well in Snow Leopard, since it is such a major under-the-hood upgrade.
Most incompatibilities will be fixed, of course. Apple released Snow Leopard earlier than expected, and developers are scrambling to update their apps. But even some of the big developers have fallen behind the cycle here -- Microsoft's Live Mesh sync and backup product doesn't yet work, for example. »news.cnet.com/8301-19882_3-10322624-250.html -- Smokey's Security Forums »www.smokey-services.eu/forums/ Smokey's Security Weblog »smokeys.wordpress.com/ Site Member ASAP - Alliance of Security Analysis Professionals |
|
  chachazz Premium join:2003-12-14
| reply to Smokey Bear Seems trivial and hardly worth mentioning, considering what we often encounter with a new Windows release, and all the ongoing, monthly and out-of-band critical security updates, that just never seem to end  -- Gladiator Security Forum: www.gladiator-antivirus.com/
|
|
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
| said by chachazz :Seems trivial and hardly worth mentioning, considering what we often encounter with a new Windows release, and all the ongoing, monthly and out-of-band critical security updates, that just never seem to end Glitches in- and problems with operating systems are not solely reserved to Windows, so Apple's Snow Leopard will get attention too when there are problems with it. Or are you trying to convince us that Snow Leopard is entirely bug-free and super-secure too?  -- Smokey's Security Forums »www.smokey-services.eu/forums/ Smokey's Security Weblog »smokeys.wordpress.com/ Site Member ASAP - Alliance of Security Analysis Professionals |
|
 DarkSithPro
join:2005-02-12 Huntington Beach, CA
| Viruslist also has a writeup about this. Looks like they list three key points:
1. The built-in antivirus only scans files which have been downloaded via Safari, Mail, iChat, Firefox, Entourage and a few other browsers. It doesn't scan files from other sources - for instance, torrent or ftp files.
2. The antivirus is only able to detect two Trojans, even though the AV industry knows of several dozen malicious programs which target the Mac operating system.
3. The antivirus updates itself via Apple standard updates.
»www.viruslist.com/en/weblog?webl···08187842 |
|
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
| reply to Smokey Bear Apple fixes Flash snafu in Snow Leopard, patches 33 bugs in Leopard Computerworld OS | September 10, 2009
Less than two weeks after Apple launched Snow Leopard, the company today issued the new operating system's first security update. In a separate upgrade, Apple patched 33 vulnerabilities in 2007's Leopard, and about half as many in the even older Tiger.
Today's updates were the third and fourth from Apple in the last two days. Wednesday, Apple delivered security fixes for the iPhone and iPod Touch, as well as another upgrade for its QuickTime media player.
"It's another sneak attack," said Andrew Storms, director of security operations at nCircle Network Security, referring to the string of updates. "Actually, it's almost what we've come to expect from Apple," he added. Unlike rival OS maker Microsoft, which releases most of its security upgrades on a pre-set monthly schedule, Apple ships its patches whenever they're ready to go out the door.
The Snow Leopard 10.6.1 update's security content consisted solely of an upgrade for Adobe's Flash Player, which was bumped to the up-to-date version 10.0.32.18.
Users and security researchers had taken Apple to task for not only shipping Snow Leopard with an outdated and vulnerable version of Flash Player, but also for silently "downgrading" once-secure editions when Macs were updated to the new operating system.
Mac OS X 10.6.1 packaged nine patches for Flash vulnerabilities, some of which could result in "arbitrary code execution," Apple-speak of a critical flaw that attackers could exploit to grab control of a Mac. According to the corresponding Adobe security advisory, six of the nine flaws could be considered critical.
Apple released the first update for Snow Leopard less than two weeks after it debuted the operating system on Aug. 28, a slightly faster pace than in 2007, when Apple took about three weeks to issue the first security update for Mac. »www.computerworld.com/s/article/···_Leopard -- Smokey's Security Forums »www.smokey-services.eu/forums/ Smokey's Security Weblog »smokeys.wordpress.com/ Site Member ASAP - Alliance of Security Analysis Professionals |
|