Has Apple done enough to fight malware on Macs?

Summary: Apple was caught flat-footed by Mac Defender and took nearly a month to respond. What exactly has Apple done? Is that response good enough for customers? And will Cupertino's newly minted malware strike force be ready for the next big attack?

Apple was caught flat-footed by the sudden appearance of Mac Defender in late April and early May. Its initial response was straight out of the Cupertino PR playbook: batten down the hatches, impose a companywide gag rule, and try to figure out a response.

That response arrived on the last day of May, in the form of a first-ever security update specifically designed to remove a malware infection from an Apple device.

It’s been nearly three weeks since that initial response. So what exactly has Apple done? Is that response good enough for customers? And will Cupertino’s newly minted malware strike force be ready for the next big attack?

Gallery: How Apple has responded to Mac malware

Let’s start by looking at what Apple did. Here’s what I wrote when Apple went public with its security update:

Security Update 2011-003 includes changes to the File Quarantine feature, which beginning with Snow Leopard also includes antimalware checks for files downloaded through web browsers, e-mail, and other common paths. This update includes definitions for Mac Defender and its known variants, as well as an automated removal tool. It works only with the most recent version of Snow Leopard, 10.6.7. Earlier versions of OS X are apparently not included.

This update enhanced an anti-malware function that had been included with the release of OS X 10.6, Snow Leopard, in 2009. It hadn’t been used much until Mac Defender appeared on the scene.

The feature, which has no official name, is aimed at intercepting, inspecting, and if necessary quarantining files received by way of supported programs (see Intego’s thorough explainer if you want the nuts and bolts).

Files you download through a web browser are checked against the definitions; if there’s a match, you’re strongly urged to move the file to the trash instead of opening it.

The bulletin for Security Update 2011-003 noted a key change in how updates reach a Mac. Previously, new signatures were delivered via Apple Software Update. Now, unless you opt out, the system will “check daily for updates to the File Quarantine malware definition list.”

The signature list is an unencrypted text file, so it's easy to examine its contents and note exactly what's changed. In the ongoing game of cat and mouse, the bad guys have produced at least 15 separate variants, each of which gets its own letter of the alphabet in Apple's signature list. So far, Apple has been updating the signature file, called XProtect.plist, on an equally brisk schedule. After 19 days, the list is up to revision 20.

These anti-malware features are only available in OS X 10.6, Snow Leopard, and not in the 10.5 release, Leopard, which is still supported and still used. The file quarantine checks are limited to files that arrive by way of supported apps, including virtually all web browsers and popular e-mail programs. And a given Mac will only check for updates once a day, so it's possible that you could be using an outdated signature file for a full day without being aware of it.

One extremely significant piece was missing in Apple’s Security Update. There was no mention of a setting in Safari that makes potential targets more vulnerable by allowing the malware to begin the installation process on its own.

The Open “Safe” Files After Downloading check box is selected by default. Because Safari considers installer packages as “safe,” the installer begins running as soon as Safari finishes the download. And from there it’s a matter of fine-tuning the social engineering to convince as many targets as possible to OK the installation.
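As an added example (not code from this article, Ed Bott, or Apple), here is a small Python script that does the two defender-side checks the preceding paragraphs suggest: compare two revisions of an XProtect-style definition list to see which variants were added, flag a definition file that is more than a day old, and read Safari's "Open safe files" preference. The plist layouts, the metadata keys (Version, LastModification) and the preference key AutoOpenSafeDownloads are assumptions, and all sample data is constructed inline.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Everything below is constructed sample data, not Apple's real files. The
# XProtect.plist layout is approximated as an array of entries whose
# "Description" string names the variant (OSX.MacDefender.A, .B, ...).
PLIST_HEAD = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n'


def _definition_list(*names):
    """Build a minimal XProtect-style definition file from variant names."""
    body = b"".join(
        b"<dict><key>Description</key><string>%s</string></dict>\n" % n.encode()
        for n in names)
    return PLIST_HEAD + b"<array>\n" + body + b"</array>\n</plist>\n"


REV_19 = _definition_list("OSX.MacDefender.A", "OSX.MacDefender.B")
REV_20 = _definition_list("OSX.MacDefender.A", "OSX.MacDefender.B",
                          "OSX.MacDefender.C")

# The companion metadata file is assumed to carry an integer Version and an
# RFC 1123 LastModification string; the values are made up.
META_20 = (PLIST_HEAD + b"<dict><key>Version</key><integer>20</integer>\n"
           b"<key>LastModification</key>"
           b"<string>Sun, 19 Jun 2011 17:00:00 GMT</string></dict>\n</plist>\n")

# Safari preferences (com.apple.Safari) with the risky box still ticked.
SAFARI_PREFS = (PLIST_HEAD + b"<dict><key>AutoOpenSafeDownloads</key><true/>"
                b"</dict>\n</plist>\n")


def definition_names(plist_bytes):
    """Variant names listed in an XProtect-style definition file."""
    return [entry["Description"] for entry in plistlib.loads(plist_bytes)]


def diff_revisions(old_bytes, new_bytes):
    """(added, removed) variant names between two revisions of the list."""
    old = set(definition_names(old_bytes))
    new = set(definition_names(new_bytes))
    return sorted(new - old), sorted(old - new)


def meta_version(meta_bytes):
    """Revision number recorded in the metadata file."""
    return plistlib.loads(meta_bytes)["Version"]


def definitions_stale(meta_bytes, now_iso, max_age=timedelta(days=1)):
    """True if the definitions are older than max_age at time now_iso (ISO 8601,
    UTC). With a once-a-day check a Mac can run on yesterday's list unnoticed."""
    stamp = plistlib.loads(meta_bytes)["LastModification"]
    modified = datetime.strptime(stamp, "%a, %d %b %Y %H:%M:%S GMT")
    modified = modified.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(now_iso) - modified > max_age


def safari_auto_opens_downloads(prefs_bytes):
    """The 'Open "safe" files after downloading' box is on by default, so a
    missing AutoOpenSafeDownloads key counts as enabled."""
    return bool(plistlib.loads(prefs_bytes).get("AutoOpenSafeDownloads", True))


if __name__ == "__main__":
    added, removed = diff_revisions(REV_19, REV_20)
    print("revision", meta_version(META_20), "added", added, "removed", removed)
    now = datetime.now(timezone.utc).isoformat()
    print("definitions stale:", definitions_stale(META_20, now))
    print("Safari auto-opens downloads:", safari_auto_opens_downloads(SAFARI_PREFS))
```

On a real Snow Leopard system the same functions can be pointed at the installed XProtect files and at Safari's preference plist, replacing the constructed byte strings with the file contents.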

It’s worth noting that the latest version of Mac Defender calls itself a “Start page installer” rather than a security program. That sounds harmless enough, especially if it appears automatically. The goal no doubt is to reel in unsophisticated Mac users who don’t realize what this really is.

And Mac Defender is still finding victims, as a quick survey of Apple’s user forums shows. This guy got hit on Friday and managed to completely trash his Mac trying to clean up.

The anti-malware feature in Security Update 2011-003 is clearly a stopgap solution designed to disrupt a single threat—Mac Defender. Until Apple addresses the glaring insecurity in Safari, it’s hard to take their response seriously.

I still believe the Mac Defender attack was a successful proof of concept for the bad guys. The social engineering was excellent, and I am certain it brought in enough ill-gotten gains to bankroll the next phase of development.

Remember, this was done via a malware toolkit—the first one ever released for the Mac platform. The next version of this toolkit is being written with full knowledge of how Security Update 2011-003 works. The bad guys are counting on Apple taking weeks to work up its response. That could make Mac Defender version 2.0 very nasty indeed.

Talkback

178 comments
  • RE: Has Apple done enough to fight malware on Macs?

    I can't help but picture the MIB coming by to flashy thingy all of us.

    "The "malware" you saw was nothing more than a figment of your imagination combined with the light of Venus reflecting off swamp gas. Your Mac is 100% secure, and cannot get viruses. Have a good day."

    All kidding aside, I think the best thing Mac users can do is use another browser besides Safari. Safari now is like IE6 on Windows XP circa 2004: Featureless, and complete with gaping holes. I don't think Apple's response is the correct way about going about security. I think the time has come to be open with your customers about what is being done to further enhance the security of not just the browser, but the whole platform as well. Until that happens the ball is in the bad guy's court.
    The one and only, Cylon Centurion
    • Ah, right. The malware that would only trick people

      who were "enlightened" enough to think Macs could get viruses. The ignorant hoi polloi mac users convinced they were immune to viruses were totally unaffected. Ah, the irony of it all.
      fr_gough
      • Do not tell this here: whole Edward's card house just fell apart -- and ...

        @fr_gough: ... that is so rare for "Microsoft Report" theories about Apple.

        I especially like this false "The social engineering was excellent" statement from Edward about how the ridiculous and nonsensical notion that a Macintosh computer could get a virus is all of a sudden "excellent" social engineering.

        In reality, the statement is true only for religious zombies who have read articles such as this since the early 2000s (or totally clueless PC users who occasionally use Macs) and thus believe that catching a virus in the wild on a Mac is possible (which it is not, even to this day). Obviously, there cannot really be many such people, and Edward's scarce findings on the Apple support board prove that.
        DDERSSS
      • RE: Has Apple done enough to fight malware on Macs?

        @DeRSSS

        "In reality, the statement is true only for religious zombies who have read articles such as this since the early 2000s (or totally clueless PC users who occasionally use Macs) and thus believe that catching a virus in the wild on a Mac is possible (which it is not, even to this day)."

        Right. Because sticking your head in the sand and going "na na na na I don't believe in bad things" means they're not true?

        Oh gee, let's think... If Ed was just out to scare people then please explain the "security update" from Apple?

        The social engineering was great. And I don't mean that in a sarcastic way. In much the same way that on XP websites would flash up windows designed to look like part of the OS that would install malware, on a Mac it's the same. Add to that the bizarre design choice to have Safari run certain file types by default and you have a recipe for...

        ...oh I'm sorry, it doesn't happen does it? Ever. Apparently. That security update must have just been put out to make Ed feel better...
        Ben_E
      • RE: Has Apple done enough to fight malware on Macs?

        @DeRSSS

        If I was you, I'd pull my head out of the sand before it's too late. Like it or not, what happened here was real, and if Apple doesn't shape up, could happen again. People switched over to the Mac with their bad habits thinking they were impervious. Now the malware authors are exploiting those same bad habits, and guess what, it's working. ;)
        The one and only, Cylon Centurion
      • MacDefender is not a virus, it is social engineered malware.

        @fr_gough
        There is much difference between virus, trojans, social engineering. Ignorance can be fixed, seldom can stupidity.
        BubbaJones_
      • RE: Has Apple done enough to fight malware on Macs?

        @fr_gough This wasn't a virus. It was an app that did nothing except try to trick you to send your credit card information to them. A web site could do the same thing. This is called a phishing attack. In fact blacklisting these sites is a big new browser feature. How do they combat the issue? Exactly the same way Apple did. The bigger target for phishing attacks is the web browser, not the operating system. I think the web browser (all of them) deserves to be criticized before the Mac. The open safe files Safari bug is significant, but I'm sure it will be fixed shortly. The new application sandbox features of Lion will also help to prevent malware related issues.
        esummers78
      • RE: Has Apple done enough to fight malware on Macs?

        @Ben_E
        You're the one with your head in the sand. The only way anyone could be fooled by MacDefender is if they listened to people like you and Ed Bott. Anyone who didn't believe they needed to run AV software ignored it.
        cwt001
      • RE: Has Apple done enough to fight malware on Macs?

        @fr_gough

        Exactly! Do you know the difference between your a$$ and a hole in the ground, or is it just the terms "virus" and "malware" that confuse you? I used to think that Ed was more open-minded than this, but he's twisting and coloring facts to suit an agenda. There are NO Mac virii in the wild...NONE. I'm not saying it can't happen, and I don't have my head in the sand either. I run anti-virus software on my Mac just to be on the safe side. The problem with Ed's rants over the last few weeks (and the rants of a lot of MS fanboys that comment on his posts) is that it's creating a "boy who cried wolf" kind of situation. So, when a REAL threat eventually strikes Macs (if that ever happens), people might ignore it because of all this misleading garbage that Ed has been writing. Come to think of it, maybe that's the point. Hmmmm, well played Mr. Bott.
        HappyXWindowsUser
      • Headinthesanditis?

        @DeRSSSS and cwt001 You guys should be checked for that... Symptoms include ignoring the obvious and so easily verifiable FACT that macs are prone to malware and the lashing out at those who bring this message.

        [b]You're the one with your head in the sand. The only way anyone could be fooled by MacDefender is if they listened to people like you and Ed Bott. Anyone who didn't believe they needed to run AV software ignored it.[/b]

        IF there were not that many people fooled why would [i]APPLE[/i] not only release an antimalware solution for Macs BUT also keep it updated? Granted that common sense and tech/ internet savvy help but it's like I said in the beginning that most people on here running macs would not be affected - it's the people who are not so savvy who bought a mac thinking that they could never be infected... and then cue the scareware and the user interaction. Face the facts there IS an issue even Apple acknowledges the issue... why can't you?
        athynz
      • LOL, DeRSSS

        @fr_gough
        [i]Obviously, there cannot really be many such people, and Edward's scarce findings on the Apple support board prove that[/i]

        Right, like Apple never had a history of removing postings critical of their products on their own forums.
        Will Pharaoh
      • RE: Has Apple done enough to fight malware on Macs?

        @maconvert

        What wasn't real about Mac Defender? It was Malware designed to get the user's CC info along with other personal information. Has Apple really done anything to warn its user base until now? No. You can quibble about the various forms of Malware all you want, be it Virus, Trojan, Phishing, etc.; the fact is, Apple's statement is misleading to most that think that Virus is synonymous with all forms of Malware (you and I know that a Virus is a type of Malware and MacDefender is not a Virus - it's Phishing, but it is still Malware).

        And no, I would not say it was Ed or MS Fanbois that caused the issue of the Boy who cried Wolf, but Apple themselves. Apple has misled a lot of people into thinking that Macs were immune to malware. They may have difficult attack vectors for Virii, but if you look at the Apple vs PC commercials, Apple very much lulled a lot of people into believing that Apples were impervious to more than just Virii, but also Malware in general (while Apple's slogan does say Virii, the ad campaign was misleading and made it seem like Apple was impervious to all forms of Malware). If anything, Apple has itself to blame for this PR debacle, not Ed and MS fanbois.
        cdigan
      • RE: Has Apple done enough to fight malware on Macs?

        [i]People switched over to the Mac with their bad habits thinking they were impervious. Now the malware authors are exploiting those same bad habits, and guess what, it's working.[/i]

        Well that's Windows fault, now isn't it...all those bad habits and all...

        lol...
        ScorpioBlue
      • RE: Has Apple done enough to fight malware on Macs?

        @ Maconvert and cdigan

        Please, for the love of god, there is NO SUCH WORD as *virii.
        The plural of virus is viruses. Period.
        DeusXMachina
      • RE: Has Apple done enough to fight malware on Macs?

        @athynz
        Prone? Prone means "likely to or liable to suffer from". In no way is this applicable in the description of Macs and malware, Mac Defender notwithstanding.
        DeusXMachina
      • RE: Has Apple done enough to fight malware on Macs?

        @cdigan

        To a point, I agree with you about those Mac ads. Although technically they were correct (Macs don't get viruses), the general public likely doesn't see the distinction.

        However, in regards to the threat of "MacDefender" and the other variants, I think it's overblown. If this piece of malware was able to get into your keychain, or extract credit card information directly from your computer, or install a keylogger, then I'd be a lot more worried. However, this program simply asks the user for their credit card information and requires the user to then voluntarily enter in that information for this to work. It reminds me more of one of those Nigerian phone scams than a trojan. That's why they call it "phishing" by the way (PHone fISHING = phishing). No operating system can protect against stupid. In that respect, this piece of malware is not a lot different than the email scams that are constantly filling up my junkmail folder. My main problem is not that Ed is writing about malware that's been designed to run on the Mac. I DO want to know about that. The problem I have is that he's using this "technically" harmless piece of malware to basically say "the sky is falling" when it's not. That's harmful. That's what's going to result in a "boy who cried wolf" situation. In this case, Macs aren't the target, Mac users are. That's a subtle but important difference. Ed is basically maligning the Mac platform when he should really be maligning the small minority of Mac users who've fallen for this scam. These people have been tricked, but their Macs have not been compromised, at least not in terms of damage or their data.

        At the end of the day though, I do run antivirus on all of my Macs, but I never underestimate the power of ingenuity and innovation. That's Microsoft's job. ;)
        HappyXWindowsUser
    • RE: Has Apple done enough to fight malware on Macs?

      @Cylon Centurion Err... No. Safari isn't at all like IE6. If one is really concerned then switching off 'Open "Safe" files after downloading' does the trick.

      Of course, you could always quit the installer if it pops up when you'd not asked for it...

      Like so many modern exploits on Windows this needs the user to believe what the webpage is telling them and act on it. The OS doesn't just "do it". The reasons are much the same in either camp. Apple's security choices were the same ones that Microsoft adopted for Windows Vista/7 (though to be fair to Microsoft they had plenty of their own unique security enhancements - ASLR for example, and Microsoft's implementation is still superior to that found in Mac OS X). This isn't IE6.

      It would appear that this exploit is far less common now than it was, so the question is better - why has it gone away? My guess is Google have stepped up to the task. Before it was VERY easy to find. If you investigated by changing the Safari user agent to be "Safari on Windows" you get a Windows version of the malware (same MO, but the graphics matched those of XP, and the download was a ".exe"). Now I can't find ANY, regardless of the user agent.

      But you're falling into the same trap a lot of Mac users fall into - you suppose the security of what you don't use is really bad, it isn't. The security in Mac OS X closely resembles that of Windows 7 (which is pretty good - as long as the component between the keyboard and the chair holds up).
      jeremychappell
      • "Problem exists between keyboard and chair. Replace user."

        @jeremychappell That quote is from a joke trouble shooting flow chart I saw about 10 years ago that circulated among the IT staff where I was working at the time. I don't know where it originally came from but I used the quotes to show I didn't make it up myself.

        It was true in 2001 and it's still true today that you can't really stop a user with admin privileges from doing stupid things no matter how many "are you sure dummy?" prompts you put in front of them. If they say "yes" or "ok" or whatever, then no OS is going to protect them.

        "Malware" is just software that you didn't really want but if you have permission to install it and you allow it to install - it does what it does.
        cornpie
      • RE: Has Apple done enough to fight malware on Macs?

        @jeremychappell I do enjoy how Apple users try to pass the blame onto Google. "It is Google's fault for sending me to a page with the exploit". I also enjoy the self-reassurance of the Mac elite: "It is a social engineering exploit." When the reality is, the Mac isn't immune to being exploited; computer security is important even to those who might not be normally targeted. It is also the responsibility of the software vendors to continue to update and secure their systems, something Microsoft is now doing; time for Apple to step up to the plate.
        clcrockett
      • RE: Has Apple done enough to fight malware on Macs?

        @ccrockett

        Oh. My. God.
        This "malware" doesn't mess with the system...at all.
        It relies on a dumb ex-windows user to (a) install it and (b) enter their credit card information. What operating system or antivirus software could protect against that?
        It acts EXACTLY like any trial software that I've ever downloaded.
        You install it, you try it, and then you enter your credit card number if you'd like to buy it.
        I've been reading Ed's "Mac Malware Terror Column" for a few weeks now and, although I agree that Apple's response sucked, the amount of BS comments and misinformation that's flying around here is idiotic. Before you start typing, try knowing what you're talking about.
        HappyXWindowsUser