Apple releases update to protect against MacDefender

Apple has released security update 2011-003 to address the recent increase in malware targeting Mac OS X.

Mac update 2011-003

It updates the built-in XProtect malware check with definitions for the scareware variants we have seen attacking Mac users, including MacDefender, Mac Guard and Mac Security. It still appears to have the restriction of only running through LSQuarantine, which means it inspects only files that a quarantine-aware application has tagged when downloading them.

Once installed, the system checks for updates to the XProtect definition list daily. This can be disabled in the Security preferences pane by unchecking the box “Automatically update safe downloads list”.

Security preferences pane

Upon installation, the update checks for existing infections by known malware and removes them from the system if present. Additional checks are performed when an administrative user logs in.

I did some testing this afternoon and was able to confirm that it works. Using Safari, I visited the infected site Graham mentioned from the link spreading on Facebook.

I immediately received a warning that OS X had detected OSX.MacDefender.B, and yet it still prompted me to allow opening the file. This is one of the limitations of LSQuarantine, but it is very bad behavior. If you know something is malicious, don’t let people go on infecting themselves…

XProtect detection dialog

To test the cleanup functionality I infected a system that had not applied the update. I proceeded to apply 2011-003 and nothing happened. I’m not sure how it is supposed to work, but it neither alerted me nor removed Mac Guard.

I rebooted my Mac and logged in as an administrative user and within a moment or two the new removal functionality kicked in. A dialog box popped up stating:

“Malware was found and removed from your computer. The ‘MacGuard’ malware was found and removed.”

Mac malware removed

My impressions? A good reaction from Apple in a short amount of time. They are making the best of what is available in the OS X platform at this time. Unfortunately it falls short in many respects.

The biggest problem is the lack of an on-access scanning component. LSQuarantine protects against downloads in most browsers because those browsers tag each downloaded file with the quarantine attribute, but it does nothing for files that arrive without it: copies from USB drives, BitTorrent downloads and anything saved by an application that does not set the attribute.
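To make the LSQuarantine limitation concrete, here is a small model, added by the editor and not Apple’s or Sophos’s code, of how a quarantine-gated check behaves next to an on-access scan. The definition list is constructed in the style of XProtect.plist (entries with a Description and Matches whose Pattern is a hex byte string; other keys omitted), and the com.apple.quarantine values follow the flags;timestamp;agent;uuid layout that quarantine-aware applications write. The signature names, patterns, file paths and file contents are all made up for the demonstration.

```python
import plistlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed definition list in the style of XProtect.plist (simplified:
# LaunchServices keys omitted). The Patterns are the hex of the ASCII
# strings "MacDefender" and "MacGuard", standing in for real byte sequences.
XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.MacDefender.B</string>
    <key>Matches</key>
    <array><dict>
      <key>MatchType</key><string>Match</string>
      <key>Pattern</key><string>4D6163446566656E646572</string>
    </dict></array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.MacGuard.A</string>
    <key>Matches</key>
    <array><dict>
      <key>MatchType</key><string>Match</string>
      <key>Pattern</key><string>4D61634775617264</string>
    </dict></array>
  </dict>
</array>
</plist>
"""


@dataclass
class FileOnDisk:
    """A file's bytes plus its com.apple.quarantine xattr (None if unset)."""
    path: str
    data: bytes
    quarantine: Optional[str]


def load_signatures(plist_bytes: bytes) -> list:
    """Return (description, pattern_bytes) for every 'Match' rule."""
    sigs = []
    for entry in plistlib.loads(plist_bytes):
        for rule in entry["Matches"]:
            if rule.get("MatchType") == "Match":
                sigs.append((entry["Description"], bytes.fromhex(rule["Pattern"])))
    return sigs


def parse_quarantine(value: str) -> dict:
    """Split a 'flags;timestamp-hex;agent;uuid' quarantine value into fields."""
    flags, stamp, agent, uid = value.split(";", 3)
    return {"flags": int(flags, 16),
            "time": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc),
            "agent": agent, "uuid": uid}


def match_signatures(data: bytes, sigs: list) -> list:
    """Plain substring match: all a fixed byte pattern can do."""
    return [name for name, pattern in sigs if pattern in data]


def lsquarantine_open(f: FileOnDisk, sigs: list) -> dict:
    """Model of opening an item through Launch Services: XProtect is consulted
    only when the quarantine xattr is present. A hit produces a warning, but
    (as observed above) the user may still choose to open the file."""
    if f.quarantine is None:
        return {"scanned": False, "hits": [], "agent": None}
    return {"scanned": True, "hits": match_signatures(f.data, sigs),
            "agent": parse_quarantine(f.quarantine)["agent"]}


def on_access_scan(f: FileOnDisk, sigs: list) -> dict:
    """What an on-access scanner does: check the bytes however they arrived."""
    return {"scanned": True, "hits": match_signatures(f.data, sigs), "agent": None}


# Constructed samples: the same installer arrives three ways, and only the
# browser download carries the quarantine attribute (timestamp 0x4de03b00 is
# 2011-05-28 00:00 UTC; the UUID is made up).
PAYLOAD = b"\xca\xfe\xba\xbe ...MacGuard.pkg installer stub..."
SAMPLES = {
    "safari_download": FileOnDisk("~/Downloads/MacGuard.pkg", PAYLOAD,
                                  "0001;4de03b00;Safari;1B2C3D4E-5F60-4718-8293-A4B5C6D7E8F9"),
    "usb_copy": FileOnDisk("/Volumes/USBSTICK/MacGuard.pkg", PAYLOAD, None),
    "torrent_download": FileOnDisk("~/Downloads/MacGuard.pkg", PAYLOAD, None),
}


def demo() -> dict:
    """Run both checks over every sample; keyed by sample name."""
    sigs = load_signatures(XPROTECT_PLIST)
    return {name: {"lsquarantine": lsquarantine_open(f, sigs),
                   "on_access": on_access_scan(f, sigs)}
            for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17} quarantine-gated={result['lsquarantine']}  on-access={result['on_access']}")
```

The same bytes are flagged when Safari wrote the quarantine attribute and silently ignored when the file was copied from a USB stick or fetched by a client that does not set the attribute; that gap is exactly what an on-access scanner closes. On a real Snow Leopard system you can inspect the attribute itself with `xattr -p com.apple.quarantine <file>`.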

Daily updates are a good start, but it remains to be seen how frequently the criminals will release new variants. If they move toward polymorphism, as the Windows malware writers have, XProtect’s signature-based checks will have trouble keeping up.

Of course, this update only applies to OS X 10.6 “Snow Leopard”, so users of older versions are left unprotected.

OS X 10.6 users should apply this update as soon as possible, and I recommend installing a more fully featured anti-virus solution like our free Sophos Anti-Virus for Mac Home Edition. It’s totally free; we don’t even ask you for your name or email.