Snow Leopard: What you should know about… Malware
While viruses don’t besiege Mac OS X, and aren’t likely to any time soon, there are other types of malware which can steal your wallet and strut around your home wearing your clothes, laughing maniacally. Metaphorically.
Trojans are pieces of software which are offered for download (or bundled alongside another download) and simply trick a user into running them. A common tactic is that they’re claimed to be decoders for a new type of video, and are often distributed on porn sites created specifically for the purpose.
As trojans don’t actually exploit any vulnerabilities in the computer’s operating system, protection is tricky. Prevention is a primarily human affair, and centres upon educating users in good practice (obviously, an operating system can help, but there’s only so much you can do to account for sheer ignorance).
Once a trojan has been discovered by security researchers, however, things become a little easier. If you have a mechanism which automatically checks files from certain sources against a database of known signatures and flags up those which match, you can defend against previously-discovered malware fairly effectively.
Mac OS X Snow Leopard does precisely this. A file named /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist contains the definitions for two known pieces of Mac OS X malware (both trojans); Apple can update this as required through its Software Update mechanism. Additionally, a file named Exceptions.plist contains a list of the programs which, although they don’t automatically “quarantine” downloaded files themselves, should be forced to by the operating system: this list currently consists of Microsoft Entourage, Microsoft Internet Explorer, Firefox, OmniWeb 5, Opera, Shiira, Mozilla, Camino, Seamonkey and Thunderbird. Just as with the malware definitions, Apple can update this list as required.
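To make the signature-database idea concrete, here is an added Python example (not Apple’s code, and using a constructed, simplified plist layout rather than the real XProtect.plist schema) that loads definitions from a property list, indexes them by SHA-1 digest, and checks a file against them, optionally only when the file carries the com.apple.quarantine attribute that marks it as a download:

```python
import hashlib
import os
import plistlib
from typing import Dict, List, Optional

# Constructed, simplified stand-in for XProtect.plist: a list of entries, each with a
# Description (malware name) and the SHA-1 hex digests of known samples.
# This is NOT Apple's real schema; it only illustrates the signature-database idea.

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def build_definitions_plist(entries: Dict[str, List[str]]) -> bytes:
    """Serialise {name: [sha1, ...]} as an XML property list (constructed format)."""
    payload = [{"Description": name, "SHA1": digests} for name, digests in entries.items()]
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)

def load_definitions(plist_bytes: bytes) -> Dict[str, str]:
    """Parse the definitions and index them by digest so a lookup is a single dict hit."""
    index: Dict[str, str] = {}
    for entry in plistlib.loads(plist_bytes):
        for digest in entry["SHA1"]:
            index[digest.lower()] = entry["Description"]
    return index

def is_quarantined(path: str) -> bool:
    """True when the file carries com.apple.quarantine (needs an xattr-capable os module)."""
    try:
        return "com.apple.quarantine" in os.listxattr(path)
    except (AttributeError, OSError):
        return False

def scan_bytes(data: bytes, index: Dict[str, str]) -> Optional[str]:
    """Return the matching definition name, or None if the content is unknown."""
    return index.get(sha1_hex(data))

def scan_file(path: str, index: Dict[str, str], only_quarantined: bool = True) -> Optional[str]:
    """Mirror the quarantine gate: only downloaded (quarantined) files are checked by default."""
    if only_quarantined and not is_quarantined(path):
        return None
    with open(path, "rb") as f:
        return scan_bytes(f.read(), index)

# Constructed sample standing in for a fake "video codec" installer; it does nothing harmful.
FAKE_CODEC_SAMPLE = b"#!/bin/sh\necho 'installing codec'\n# constructed sample\n"
DEFINITIONS = build_definitions_plist({"Constructed.Trojan.FakeCodec": [sha1_hex(FAKE_CODEC_SAMPLE)]})

if __name__ == "__main__":
    index = load_definitions(DEFINITIONS)
    print(scan_bytes(FAKE_CODEC_SAMPLE, index))  # Constructed.Trojan.FakeCodec
    print(scan_bytes(b"benign document", index))  # None
```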
The bottom line here is that Apple has been proactive about security. Quarantining is a robust, although not foolproof, mechanism for dealing with downloads from Internet sources, and XProtect adds an extra layer of protection. Under Leopard, application developers were relied upon to invoke Quarantine in their apps themselves; with Snow Leopard, perhaps because many people don’t always update their applications as quickly as developers would like, an application can be forced to do it. Applications doing it themselves is preferred (because doing so stores the URL of the page the download came from, which the operating system can’t do on its own), but this is a good additional feature.
Does this mean Apple is expecting a slew of trojans, viruses, and other things to appear for Mac OS X? Probably not—and there’s pretty much no evidence of Mac OS X viruses out there at all—but as the number of Mac users increases steadily, so does the attraction to malware authors who will try to take advantage of uninformed users.