OFFICIAL SECURITY BLOG


Apple releases security update for MacDefender

Published May 31st, 2011 at 7:22 PM EDT , modified May 31st, 2011 at 7:22 PM EDT

Apple released Security Update 2011-003 today, addressing the MacDefender issue.  According to Apple’s documentation on this update, there are three basic additions to assist in dealing with the MacDefender outbreak.  Before reading further, it may be worthwhile to read my Mac Virus Guide, to understand some of the fundamental ideas involved, and Apple’s own document on quarantine.

The first change adds a definition for MacDefender to the malware definitions that quarantine uses to identify potentially malicious programs.  According to Apple, a single definition, for OSX.MacDefender.A, was added.  Although some AV vendors’ definitions identify the variants under different names, I can verify that this one definition works for all known variants that I have in my possession.  Note, however, that any MacDefender installer packages already on your machine will not have been quarantined previously, so they will still open without any warning from quarantine.  If you have a zipped installer lying around unnoticed, opening it and then opening the newly expanded installer will trigger a quarantine warning.

The second change is the addition of a daily check for updated malware definitions.  This should allow Apple to respond more quickly to future variants that are not covered by the OSX.MacDefender.A definition.  Those who wish to can turn this off in the Security pane of System Preferences: select the General tab and uncheck “Automatically update safe downloads list”.  I’m not sure why anyone would wish to disable this feature, but nobody can criticize Apple for not providing the option!

The final item works only at the time the update is installed and makes no persistent change to the system.  If one of the MacDefender variants happens to be installed when the security update is applied, the update will remove the malware for you.  Note that this applies only to installed trojans!  I had every known variant of MacDefender on my hard drive at the time I ran the update, in two forms: .zip archives and installer packages.  None of these items were touched by the update.

Because I found that MacDefender trojans that are on your machine but not installed may not be affected by this update, you should still be cautious with downloaded files.  I would advise cleaning out your Downloads folder, deleting anything you can’t identify, and then keeping it clean for good.  Once you have finished with a download, move it out of the Downloads folder, so that anything downloaded without your knowledge stands out.
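The quarantine warning described above only fires for files that carry the com.apple.quarantine extended attribute, which the downloading application writes and which encodes the download flags, a hex timestamp, the agent name and (on newer systems) a record identifier.  A file that already sits in your Downloads folder without that attribute opens with no check at all, which is the stale-installer situation described above.  The following script is an added example, not code from the original post or from Apple: it parses the attribute, reports which entries in a folder lack it, and uses a hypothetical allow-list of browser names (an assumption, adjust to your own setup) to flag downloads attributed to an unfamiliar agent.  The sample attribute value and the temporary file it scans are constructed for the demonstration.

```python
"""Audit a Downloads folder for the com.apple.quarantine attribute.

Added example (not from the original post or from Apple). Files without the
attribute will open with no quarantine/XProtect check, so they deserve a
closer look, exactly the caveat the post raises for installers that were
already on disk before Security Update 2011-003.
"""
import os
import sys
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed sample value: flags;hex-timestamp;agent;uuid (0x4de4b3a0 is
# 2011-05-31 09:23:44 UTC, the day of the update). Not taken from a real file.
SAMPLE_ATTRIBUTE = "0081;4de4b3a0;Safari;1E1F9C6E-5D1C-4F0F-9E0A-1234567890AB"

# Hypothetical allow-list of agents you expect to see in your own Downloads
# folder; this is an assumption for the example, not an Apple-defined list.
KNOWN_AGENTS = ("Safari", "Firefox", "Google Chrome", "Mail")


@dataclass
class QuarantineInfo:
    flags: int       # bitmask written by the downloading application
    timestamp: int   # download time, seconds since the Unix epoch
    agent: str       # name of the application that downloaded the file
    uuid: str        # record identifier; empty on older systems

    def downloaded_at(self) -> datetime:
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)


def parse_quarantine(value: str) -> QuarantineInfo:
    """Split 'flags;timestamp;agent[;uuid]' into typed fields.

    flags and timestamp are hexadecimal. Fewer than three fields is treated
    as malformed rather than guessed at.
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"malformed quarantine attribute: {value!r}")
    uuid = ";".join(parts[3:]) if len(parts) > 3 else ""
    return QuarantineInfo(int(parts[0], 16), int(parts[1], 16), parts[2], uuid)


def read_quarantine(path: Path) -> Optional[QuarantineInfo]:
    """Return the parsed attribute, or None when the file carries none.

    os.getxattr exists on macOS and Linux; elsewhere, or when the attribute
    is missing, the file is reported as unquarantined.
    """
    getxattr = getattr(os, "getxattr", None)
    if getxattr is None:
        return None
    try:
        raw = getxattr(str(path), QUARANTINE_XATTR, follow_symlinks=False)
    except OSError:
        return None
    return parse_quarantine(raw.decode("utf-8", "replace"))


def audit_downloads(folder: Path, known_agents=KNOWN_AGENTS) -> dict:
    """Classify every entry in folder by its quarantine state.

    'unquarantined' entries open without any check; 'unknown_agent' entries
    were downloaded by something outside the allow-list.
    """
    report = {"quarantined": [], "unquarantined": [], "unknown_agent": []}
    for entry in sorted(folder.iterdir()):
        info = read_quarantine(entry)
        if info is None:
            report["unquarantined"].append(entry.name)
        elif info.agent not in known_agents:
            report["unknown_agent"].append((entry.name, info.agent))
        else:
            report["quarantined"].append(entry.name)
    return report


def sample_report() -> dict:
    """Scan a temporary folder holding one constructed file.

    The file is created locally, so it has no quarantine attribute and is
    reported as unquarantined, just like an installer that predates the update.
    """
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "stale-installer.zip").write_bytes(b"constructed sample")
        return audit_downloads(folder)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Downloads"
    for category, entries in audit_downloads(target).items():
        print(f"{category}: {entries}")
```

Run it with no argument to audit ~/Downloads, or pass a folder path.  Anything listed under unquarantined predates the quarantine attribute or was written by a tool that does not set it, so the daily definition update adds nothing for those files; decide for yourself whether they belong there.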

It will be interesting to see what response the malware authors will have to this update.  It’s possible this will put an end to the MacDefender series of trojans, or they may simply modify the next variant enough to slip past.  Only time will tell!

