Apple has released Security Update 2011-003 to address the recent increase in malware targeting Mac OS X.
It updates the bundled XProtect definitions to detect the scareware variants we have seen attacking Mac users, including MacDefender, Mac Guard and Mac Security. The check is still limited to files carrying the LaunchServices quarantine attribute (com.apple.quarantine), which is only set by applications that use the quarantine API, such as Safari and Mail; a file that arrives any other way is never examined.
Once installed it will now check for updates to the XProtect list on a daily basis. This can be disabled in the Security preferences pane by unchecking the box “Automatically update safe downloads list”.
Upon installation this update checks for existing infections by known malware and removes them from the system if present. Additional checks are performed when an administrative user logs into the system.
I did some testing this afternoon and was able to confirm that it works. Using Safari, I visited the infected site Graham mentioned from the link spreading on Facebook.
I immediately received a warning that OS X had detected OSX.MacDefender.B, and yet it still prompted to let me open the file. This is one of the limitations of LSQuarantine, but it is very bad behavior. If you know something is malicious, don’t let people continue to infect themselves…
To test the cleanup functionality I infected a system that had not applied the update. I proceeded to apply 2011-003 and nothing happened. I’m not sure how it is supposed to work, but it didn’t alert me nor remove Mac Guard.
I rebooted my Mac and logged in as an administrative user and within a moment or two the new removal functionality kicked in. A dialog box popped up stating:
“Malware was found and removed from your computer. The ‘MacGuard’ malware was found and removed.”
My impressions? A good reaction from Apple in a short amount of time. They are making the best of what is available in the OS X platform at this time. Unfortunately it falls short in many respects.
The biggest problem is the lack of an on-access scanning component. LSQuarantine protects against downloads made through most browsers, but anything that arrives without the quarantine attribute, such as files copied from USB drives, BitTorrent downloads and files saved by other applications, is never scanned at all.
Daily updates are a good start, but it remains to be seen how frequently the criminals will release new variants. XProtect’s definitions are fixed byte-pattern signatures with no heuristic component; if the authors move toward polymorphism the way Windows malware writers have, each repacked variant will need a fresh definition before it is caught.
Of course this update only applies to OS X 10.6 “Snow Leopard,” so users of older versions of OS X are left unprotected.
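To make the two limitations above concrete, here is an added example (not Apple’s code and not part of the original post) that models a quarantine-gated, signature-only scanner in Python. The XProtect.plist layout it parses (a Description, a LaunchServices content type and Matches carrying a hex Pattern) is the shape of the real file, but the single entry, the marker bytes and the sample “downloads” are constructed for the example, and the rule that every pattern of an entry must be present is an assumption about how Apple evaluates the list. The same bytes are scanned arriving via a quarantining app, via a USB copy, and after a one-byte change, to show what each route does to detection.

```python
"""Quarantine-gated, signature-only scanning in the style of XProtect.
Added example: not Apple's code.  The signature list, marker bytes and
sample downloads are constructed for illustration."""
import plistlib
from dataclasses import dataclass

# Constructed marker standing in for a byte sequence a signature keys on.
MARKER = b"EXAMPLE-SCAREWARE-MARKER"

# Constructed XProtect.plist-shaped list with one invented entry.  The keys
# (Description, LaunchServices/LSItemContentType, Matches/Pattern) follow the
# real file's layout; the values are made up.
SIGNATURE_PLIST = f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.Example.A</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>public.zip-archive</string></dict>
    <key>Matches</key>
    <array>
      <dict><key>Pattern</key><string>{MARKER.hex().upper()}</string></dict>
    </array>
  </dict>
</array>
</plist>
""".encode()


@dataclass
class Download:
    """A file as the scanner sees it.  `quarantined` stands in for the
    com.apple.quarantine extended attribute (shown on a Mac with
    `xattr -p com.apple.quarantine <file>`), which only applications using
    the quarantine API, such as Safari and Mail, set on what they save."""
    name: str
    content_type: str   # uniform type identifier, e.g. public.zip-archive
    data: bytes
    quarantined: bool


def load_signatures(plist_bytes):
    """Parse the plist into (description, content type, [byte patterns])."""
    sigs = []
    for entry in plistlib.loads(plist_bytes):
        patterns = [bytes.fromhex(m["Pattern"]) for m in entry["Matches"]]
        sigs.append((entry["Description"],
                     entry["LaunchServices"]["LSItemContentType"],
                     patterns))
    return sigs


def scan(download, signatures):
    """Return the matching Description, or None.

    Two properties from the post are modelled: a file without the quarantine
    attribute is never looked at, and detection is an exact byte-pattern
    match for the declared content type.  Requiring every pattern of an
    entry to be present is an assumption, not verified against Apple's code."""
    if not download.quarantined:
        return None
    for description, content_type, patterns in signatures:
        if download.content_type == content_type and all(p in download.data for p in patterns):
            return description
    return None


# Constructed "downloads": the same bytes arriving by different routes, plus a
# copy with one byte of the marker changed, standing in for a repacked variant.
PAYLOAD = b"PK\x03\x04 fake archive bytes " + MARKER + b" trailing bytes"
VARIANT = PAYLOAD.replace(MARKER, MARKER[:-1] + b"!")

SAMPLES = [
    Download("safari-download.zip", "public.zip-archive", PAYLOAD, True),
    Download("usb-copy.zip", "public.zip-archive", PAYLOAD, False),
    Download("repacked-variant.zip", "public.zip-archive", VARIANT, True),
    Download("wrong-type.txt", "public.plain-text", PAYLOAD, True),
]


def run_demo():
    """Scan every sample; returns {name: detection name or None}."""
    sigs = load_signatures(SIGNATURE_PLIST)
    return {d.name: scan(d, sigs) for d in SAMPLES}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24} -> {verdict or 'not detected'}")
```

Only the Safari-style download is caught: the identical bytes copied from a USB stick are skipped because the attribute is absent, the one-byte variant slips past the fixed pattern until a new definition ships, and the same bytes under a different content type are not matched either. That is the gap an on-access scanner with generic detection is meant to close.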
OS X 10.6 users should apply this update as soon as possible, and I recommend installing a more fully featured anti-virus solution like our free Sophos Anti-Virus for Mac Home Edition. It’s totally free; we don’t even ask you for your name or email.
6 comments on “Apple releases update to protect against MacDefender”
One thing you did not make clear in your post: does the removal only occur when an admin logs in?
It’s another case of too little, too late. As with other antimalware actions that Apple have taken, it arrives too late and ultimately falls short. Also, what if the malware blocks internet traffic to prevent updates? And does the security update use heuristic methods or just plain definitions?
Another reason why I've used an antivirus on my Mac from day one. Sophos is still my favorite free AV for Mac and is what I use. Thanks for the product!
I've been using anti-virus for a long time; I was a Windows user, so I got used to it. Anyway, Sophos is one of my favorites for keeping my Mac safe. Paying more attention before you download and making sure you know what you are doing is a good start.
This is B.S.! As a Windows user I'm appalled that your company gives away a completely free anti-virus solution to Mac users, and not the users that enabled you to even exist! In a competitive market with many other respectable companies giving away free anti-virus solutions, you forget about the users that made you and give a gift to Mac users. I love Avira for their free offerings, but I hate the annoying update pop-up. I also love Comodo's solution, but only use it for the firewall and Defense+ (HIPS) functionality. Though, one annoying thing about Comodo is the fact that it totally breaks my AirPort Express music streaming capability.
The Sophos product found a Windows virus in an e-mail backup, which is the only time I've noticed it running. These social engineering malware issues – where the user is presented with an alert screen that seems authentic – happen all the time on Windows machines and it's almost impossible to get rid of them. It takes a lot of work. So it sounds like Apple's solution is better.
How is Apple's solution better? Apple does not have heuristics to detect new viruses without definitions. How many people would go undefended while Apple writes the virus definition? They certainly could use a heuristic to detect "suspicious behavior" and delete or block all detected threats.