Apple was caught flat-footed by the sudden appearance of Mac Defender in late April and early May. Its initial response was straight out of the Cupertino PR playbook: batten down the hatches, impose a companywide gag rule, and try to figure out a response.
That response arrived on the last day of May, in the form of a first-ever security update specifically designed to remove a malware infection from an Apple device.
It’s been nearly three weeks since that initial response. So what exactly has Apple done? Is that response good enough for customers? And will Cupertino’s newly minted malware strike force be ready for the next big attack?
Let’s start by looking at what Apple did. Here’s what I wrote when Apple went public with its security update:
Security Update 2011-003 includes changes to the File Quarantine feature, which beginning with Snow Leopard also includes antimalware checks for files downloaded through web browsers, e-mail, and other common paths. This update includes definitions for Mac Defender and its known variants, as well as an automated removal tool. It works only with the most recent version of Snow Leopard, 10.6.7. Earlier versions of OS X are apparently not included.
This update enhanced an anti-malware function that had been included with the release of OS X 10.6, Snow Leopard, in 2009. It hadn’t been used much until Mac Defender appeared on the scene.
The feature, which has no official name, is aimed at intercepting, inspecting, and if necessary quarantining files received by way of supported programs (see Intego’s thorough explainer if you want the nuts and bolts).
Files you download through a web browser are checked against the definitions; if there’s a match, you’re strongly urged to move the file to the trash instead of opening it.
The bulletin for Security Update 2011-003 noted a key change in how updates reach a Mac. Previously, new signatures were delivered via Apple Software Update. Now, unless you opt out, the system will “check daily for updates to the File Quarantine malware definition list.”
The signature list is an unencrypted text file, so it’s easy to examine its contents and note exactly what’s changed. In the ongoing game of cat and mouse, the bad guys have produced at least 15 separate variants, each of which gets its own letter of the alphabet in Apple. So far, Apple has been updating the signature file, called XProtect.plist, at an equally brisk schedule. After 19 days, the list is up to revision 20.
These anti-malware features are only available in OS X 10.6, Snow Leopard, and not in the 10.5 release, Leopard, which is still supported and still used . The file quarantine checks are limited to files that arrive by way of supported apps, including virtually all web browsers and popular e-mail programs. And a given Mac will only check for updates once a day, so it’s possible that you could be using an outdated signature file for a full day without being aware of it.
One extremely significant piece was missing in Apple’s Security Update. There was no mention of a setting in Safari that makes potential targets more vulnerable by allowing the malware to begin the installation process on its own.
The Open “Safe” Files After Downloading check box is selected by default. Because Safari considers installer packages as “safe,” the installer begins running as soon as Safari finishes the download. And from there it’s a matter of fine-tuning the social engineering to convince as many targets as possible to OK the installation.
It’s worth noting that the latest version of Mac Defender calls itself a “Start page installer” rather than a security program. That sounds harmless enough, especially if it appears automatically. The goal no doubt is to reel in unsophisticated Mac users who don’t realize what this really is.
The anti-malware feature in Security Update 2011-003 is clearly a stopgap solution designed to disrupt a single threat—Mac Defender. Until Apple addresses the glaring insecurity in Safari, it’s hard to take their response seriously.
I still believe the Mac Defender attack was a successful proof of concept for the bad guys. The social engineering was excellent, and I am certain it brought in enough ill-gotten gains to bankroll the next phase of development.
Remember, this was done via a malware toolkit—the first one ever released for the Mac platform. The next version of this toolkit is being written with full knowledge of how Security Update 2011-003 works. The bad guys are counting on Apple taking weeks to work up its response. That could make Mac Defender version 2.0 very nasty indeed.
- What a Mac malware attack looks like (May 6)
- Apple to support reps: "Do not attempt to remove malware" (May 19)
- Mac malware authors release a new, more dangerous version (May 25)
- New Apple antivirus signatures bypassed within hours by malware authors [Update] (May 31)
- Why Windows users should care about malware on Macs (June 6)