Snow Leopard contains hidden antivirus application - e1ven
http://blog.intego.com/2009/08/25/snow-leopard-contains-an-antivirus/

======
pohl
The observation is that there is an anti-malware facility.

Then there's a leap to the conclusion that it is an anti-virus facility.

Did I miss some important detail here? I thought a virus was a very specific
type of malware, and there's not enough detail to conclude that it is "anti-
virus".

~~~
tptacek
Meh. There's no meaningful difference. Malware's the general term. A virus is
malware that spreads passively. A worm is malware that spreads actively.
"Trojan" is a bad term for the malware trait (which worms and viruses can
have) of allowing unauthorized users access to the infected host.

It's probably better not to dignify the "science" of malware by enforcing
proper usage of terminology.

~~~
pohl
The distinction becomes relevant when comparing operating systems and their
relative susceptibilities to viruses.

That a given operating system is vulnerable to malware in general is not
notable, because users will be duped by dancing babies, porn, and infected
stolen software.

That a given operating system ever allowed unaided self-replication to take
place is, and this is where Apple's marketing message has been placed.

~~~
tptacek
Huh? There is no feature in OS X that makes it any harder to write self-
replicating code ("worms"). Code running in almost any OS X process has full
access to all the xnu system calls, and (invariably) to at least one user's
home directory and Library/ folder.

There's no operating system in common use for which malware distinctions are
meaningful. They're all equally vulnerable.

~~~
tvon
* A worm is self-replicating across a network, typically _without any interaction from a user_.

* A trojan requires a user to grant the malware privileges, or just to install it or at least to run it with their own privileges.

I don't see how that's not an important distinction.

~~~
tptacek
Neither OS X nor Windows has been free of remote code execution
vulnerabilities.

Neither OS X nor Windows has any current published unpatched remote code
execution vulnerabilities.

Nothing in the architecture of OS X or Windows prevents remote code execution
vulnerabilities.

About the best thing you can say for OS X with respect to this problem is the
fact that most of the "interesting" services are disabled by default, which
did not used to be the case on Windows. I don't disagree that this was a win,
but it was hardly an architectural difference.

~~~
tvon
I should have indicated what I was responding to:

> Huh? There is no feature in OS X that makes it any harder to write self-
> replicating code ("worms"). Code running in almost any OS X process has full
> access to all the xnu system calls, and (invariably) to at least one user's
> home directory and Library/ folder.

That's not what a worm is, and you keep mixing up terms in this thread.

* _Malware_ is code that does bad things to your computer.

* A _virus_ is self-replicating code that probably does bad things (harmless, proof-of-concept code is sometimes let loose). A virus is a kind of malware.

* It's a _worm_ when it's delivered and spreads over the network by a remote exploit.

* It's a _trojan_ when it's delivered by tricking the user into installing it.

The difference between malware and a virus, okay that's fairly minor, but a
virus vs a worm vs a trojan is significant. This isn't some lingo the kids use
on IRC either, these are all terms you can find in the OED (at least the one
that comes with OSX).

~~~
tptacek
Like I said upthread: I disagree with your definitions, but debating malware
terminology is silly; the terms mean whatever the antivirus companies and
"researchers" say they do. You win.

The meaningful topic you can debate is whether OS X is more or less resistant
to _any form of_ malware than Windows is. I'll argue that there's simply no
significant difference, and, respectfully, I think you'll lose with the
opposing argument, but I'm happy to hear you out.

~~~
pohl
I'm surprised that anyone would think that rejecting widely accepted
nomenclature is even a valid rhetorical option. I can understand why the sight
of a lovely lady is going to make you want to convince her that your herpes is
no worse than a goiter, but I don't think that telling her that the doctor's
taxonomy of maladies is superfluous is going to make her sleep with you.

~~~
tptacek
The idea that you would compare actual professional medical terminology to
stuff that AV company employees made up is why I'm not having this argument.
For the third time: you win.

Now, what does this have to do with OS X security?

~~~
pohl
I'm not sure what it means for you to "not have this argument" while you
continue to argue. I get that you're exasperated, but take a deep breath: this
is just a conversation.

For the record, 'virus' was first used by Fred Cohen in his 1988 PhD thesis.
The word "worm" was used as early as the early 80s at Xerox PARC, when they
were researching the possibility that they might be beneficial to networks.
Those were the only two that I bothered to track down, but it's clear that the
taxonomy of malware predates the modern anti-malware industry, so you can't
rationalize dismissing the nomenclature that way.

I think throw_away's post adequately answers what it has to do with the
security question, with an excellent example of stabbing yourself with a found
needle versus the mere act of breathing.

~~~
tptacek
Fred Cohen is part of the whole "Virus Bulletin" dead ender scene; see Pete
Szor's book for a more modern example of the same CS backwater.

My problem with malware "research" isn't the patent medicine industry it's
spawned, but rather the very poor CS work done in it. Look at the last 5 years
of vulnerability research and where it's taken distributed systems research,
compiler-theoretic research, and just basic systems research; compare to
"virologists".

I'm arguing that no matter what your opinion about what the difference between
a "virus" and a "worm" is, this whole tangent has nothing to do with OS X.

I'm happy to converse about either the shallowness of Fred Cohen-brand virus
research or about OS X security, but what you're seeing is me trying to tack
us back to OS X.

~~~
pohl
The headline is about a mechanism in OS X, and that's the only connection you
need. It makes an incorrect leap from the general to the specific. That, and
my curiosity about the mechanism, is what moved me to ask my original
question.

I'm a "tools man", and I think that tools should be judged by their merits.
Words are tools we use to communicate. Names are tools we use to identify.
Taxonomies are tools we use to classify. How classification ties into
understanding and addressing problems should be self-evident.

I don't care if the progenitor of a term is from the wrong "scene". If he ran
over your dog, seduced your wife, and stole your grant money, I feel for you -
but even if his crowning achievement is just one lowly but useful addition to
the lexicon, then kudos for him. No amount of argumentum ad hominem on your
part is going to divorce that tool from its intrinsic utility.

Yes, fluffy social & political stuff has its value too, I just didn't expect
it to rear its head here at HN. Now that I realize what's going on, I'll duck
out.

It was fun.

------
Readmore
I don't think this invalidates any of Apple's marketing speak because it still
"just works."

The fact that this is built into the OS and doesn't have to be separately
installed, upgraded, or managed fits in perfectly with what makes OS X a great
and easy to use OS.

~~~
daeken
Except that antivirus software is, by definition, always playing catchup. When
you hit the point that you need antivirus software, you've already lost.

~~~
tptacek
OS X is nowhere near needing antivirus software, regardless of what features
the OS X security team has managed to get added to the release.

Just another example of the difference between "safety" and "security". Houses
in Kenilworth, IL need _less_ security than houses in Rogers Park --- there
are something like 192 police officers per Kenilworth township block --- and
yet Kenilworth houses can be counted on to have state-of-the-art security,
because they can, and state-of-the-art security is a selling point.

~~~
daeken
OS X doesn't need antivirus software, and I didn't say that it did. Not
needing it is a selling point, saying "you know, we don't need it, but we
threw it in there anyway despite that it's worthless" isn't.

~~~
tptacek
Not needing and having are two different selling points, both in evidence
here.

~~~
daeken
Having it negates the "not needing it" selling point IMO. In addition, it
being worthless and taking up space and CPU cycles (however passive it is) is
a negative in my book. I don't see how it's a selling point at all.

~~~
tptacek
Most users will see any security feature as a net positive. Note the positive
publicity (amongst normal users) for Leopard ASLR, a feature that adds no real
security. Adding basic anti-malware features to the OS will not negate any of
the security value prop in Snow Leopard.

I share your take on antivirus software, but do note that preventing a user
from installing something with a known virus on it does not have _negative_
utility.

~~~
arebop
Presumably details on why Leopard ASLR "adds no real security" are discussed
in [http://www.matasano.com/log/986/what-weve-since-learned-abou...](http://www.matasano.com/log/986/what-weve-since-learned-about-leopard-security-features/),
which will eventually be reachable again?

~~~
tptacek
Yep. Short answer: Leopard didn't randomize important core libraries.
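The claim that a core library is not randomized is something a defender can verify empirically rather than take on faith: launch a fresh process several times, ask each one where the same exported symbol of the C library landed, and see whether the address ever moves. The following script is an added example and is not code from this thread, from Apple, or from the Matasano post linked above. It assumes a Python 3.7+ interpreter and that `ctypes.util.find_library("c")` resolves the platform's C library (both labelled assumptions in the comments); the analysis step is kept pure so it can be applied to any list of observed addresses.

```python
"""Check whether a shared library's load address changes between process
launches, i.e. whether ASLR actually relocates it. Added example, not from
the thread, Apple, or the linked Matasano post.
Assumptions (labelled): a Python interpreter is available to spawn, and
ctypes.util.find_library("c") resolves the C library on this platform."""
import ctypes
import ctypes.util
import json
import subprocess
import sys

# Child-process snippet: resolve one exported symbol of the C library and
# print its absolute address. A symbol's address moves with the library
# image, so it stands in for the library's load base.
_CHILD = r"""
import ctypes, ctypes.util, json
name = ctypes.util.find_library("c") or "libc.so.6"  # assumption: resolvable
lib = ctypes.CDLL(name)
print(json.dumps({"symbol": "malloc",
                  "address": ctypes.cast(lib.malloc, ctypes.c_void_p).value}))
"""


def sample_symbol_addresses(runs=5):
    """Launch `runs` fresh interpreters and collect the address each one
    reports for libc's malloc. Fresh processes matter: fork() alone would
    inherit the parent's mappings and show no variation at all."""
    addrs = []
    for _ in range(runs):
        out = subprocess.run([sys.executable, "-c", _CHILD],
                             capture_output=True, text=True, check=True).stdout
        addrs.append(json.loads(out)["address"])
    return addrs


def assess_randomization(addresses):
    """Pure analysis step over per-launch addresses of one symbol.
    One distinct value across several launches means the library is mapped
    at a fixed address (no ASLR for it), the condition described above for
    Leopard's core libraries. `varying_bits` counts the address bits that
    differed in at least one observation relative to the first launch, a
    rough lower bound on how much entropy the relocation actually has."""
    distinct = sorted(set(addresses))
    differing = 0
    for a in distinct:
        differing |= a ^ distinct[0]
    return {
        "launches": len(addresses),
        "distinct_bases": len(distinct),
        "randomized": len(distinct) > 1,
        "varying_bits": bin(differing).count("1"),
    }


if __name__ == "__main__":
    observed = sample_symbol_addresses()
    for a in observed:
        print(f"malloc @ {a:#x}")
    print(assess_randomization(observed))
```

A result of `randomized: False` over five launches is the observable signature of the problem tptacek describes; a `True` with only a handful of varying bits is the weaker case of randomization that is present but low-entropy, which is worth reporting separately rather than treating as "fixed".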

~~~
bvttf
Is there any confirmation that Snow Leopard has fixed this?

------
doctorosdeck
Apple including antivirus is probably a smart move for the future, but in the
short term I hope more mac users start to realize that their computers are
still capable of being infected, albeit a lot less likely.

------
e1ven
There is independent confirmation of this at the MacRumors forums.

<http://forums.macrumors.com/showthread.php?t=768932>

~~~
potatolicious
That thread actually brings up a really good point: we need to train users to
update apps only via the official OS-sanctioned update method (Windows
Updater, OSX Update, etc), or via the app's built-in update mechanism.

The sort of "oh hey, QuickTime needs to update, run this file" should
automatically set up alarm bells in everyone's heads.

OSX is lucky in this respect - it has Sparkle, which for a large part has
become the de facto software updater for OSX. It has a simple UI that users
recognize and approaches universal adoption.

~~~
blasdel
Except that Sparkle is _ridiculously terrible_ for doing security updates.
Since it doesn't ship with the OS or even provide a means to have a
centralized second-party updater, every app has its own copy in its bundle,
and it only gets run when the app is running (and by default only on launch).

Vulnerabilities in need of patching for desktop apps generally take the form
of accidentally executing malicious input -- with Sparkle in a document-based
Cocoa app, that input is already being parsed before Sparkle is loaded.

It's even worse for plugins -- if you use ClickToFlash you know exactly what I
mean -- as a plugin to a Webkit plugin, Sparkle runs roughshod over the
address spaces of _every Webkit app_. If said Webkit app itself uses Sparkle,
you're fucked, especially if it's a different version of Sparkle, or one of
its many forks.

~~~
wmf
Sparkle seems pretty good to me compared to the Windows world where apps
either don't self-update at all or each app has its own updater daemon.
Perhaps a single Sparkle daemon would be better, but it's hardly terrible as
it is now.