How Apple has responded to Mac malware

In May 2011, Apple issued its first-ever security update designed to remove malware on Macs. Has Apple's response to Mac Defender been good enough for its customers? And is Apple prepared for the next attack? This gallery shows what Apple has done with Security Update 2011-003.
1 of 7 (Ed Bott/ZDNet)

A month after the first customers called its support lines for help, Apple responded to the Mac Defender outbreak with a security update that attempts to block new infections and remove malware that's already been installed. But the bad guys haven't been standing still. They've renamed their hostile software (Mac Shield) and produced at least 15 new versions, forcing Apple to respond with a new set of definitions every day this month.

For more details, see "Has Apple done enough to fight malware on Macs?"

2 of 7

Security Update 2011-003 arrives via Apple Software Update. It provides a new feature that updates anti-malware signatures daily.

For more details, see "Has Apple done enough to fight malware on Macs?"

3 of 7

The XProtect definition file is accompanied by this metadata file, which carries a version number that the updater compares against the installed copy. Apple has been delivering a new update roughly once a day, and the size of the definition file has swelled from about 5 KB to more than 22 KB in that time.

4 of 7

Every variation of Mac Defender gets its own set of definitions in this XProtect file, an XML property list (plist). Each signature is specifically designed to identify one known malware variant, using file names and unique byte strings found within the file. This snippet is part of the definition for Mac Defender version K.
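The signature mechanism described above and the version check on the metadata file, as an added example that is not Apple's code and not its real definition file: a small Python scanner over a constructed plist modelled loosely on the XProtect.plist and XProtect.meta.plist layout. The key names (Description, Matches, MatchFile, NSURLNameKey, MatchType, Pattern, Version), the variant descriptions, the hex patterns and the sample downloads are all assumptions for illustration. The last check shows why a renamed variant such as Mac Shield needs its own entry: the same bytes under a new file name slip past a rule pinned to the old name.

```python
import plistlib

# Constructed metadata files in the style of XProtect.meta.plist. The
# "Version" integer is what an updater would compare; values are invented.
META_INSTALLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Version</key><integer>7</integer>
  <key>LastModification</key><string>Thu, 02 Jun 2011 20:00:00 GMT</string>
</dict></plist>"""

META_AVAILABLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Version</key><integer>8</integer>
  <key>LastModification</key><string>Fri, 03 Jun 2011 20:00:00 GMT</string>
</dict></plist>"""

# Constructed definition file modelled loosely on XProtect.plist: one dict per
# known variant, each with one or more match rules. A rule may pin a file name
# (NSURLNameKey) and gives a hex-encoded byte string (Pattern) that must occur
# in the file. Names, descriptions and patterns are illustrative only.
SIGNATURES = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array>
  <dict>
    <key>Description</key><string>OSX.MacDefender.K</string>
    <key>Matches</key><array>
      <dict>
        <key>MatchFile</key><dict><key>NSURLNameKey</key><string>MacDefender.pkg</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>4D6163446566656E646572</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.MacDefender.MacShield</string>
    <key>Matches</key><array>
      <dict>
        <key>MatchFile</key><dict><key>NSURLNameKey</key><string>MacShield.pkg</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>4D6163536869656C64</string>
      </dict>
    </array>
  </dict>
</array></plist>"""


def load_signatures(data):
    """Parse the definition plist into a list of signature dicts."""
    return plistlib.loads(data)


def rule_matches(rule, file_name, content):
    """A rule matches when the pinned file name (if any) equals the
    download's name and the decoded hex pattern occurs in the file's bytes."""
    pinned_name = rule.get("MatchFile", {}).get("NSURLNameKey")
    if pinned_name is not None and pinned_name != file_name:
        return False
    return bytes.fromhex(rule["Pattern"]) in content


def scan(signatures, file_name, content):
    """Return the Description of every signature whose rules all match.
    Assumption: the rules inside one signature are ANDed together."""
    hits = []
    for sig in signatures:
        rules = sig.get("Matches", [])
        if rules and all(rule_matches(r, file_name, content) for r in rules):
            hits.append(sig["Description"])
    return hits


def needs_update(installed_meta, available_meta):
    """True when the server copy carries a higher Version than the local one."""
    local = plistlib.loads(installed_meta)["Version"]
    remote = plistlib.loads(available_meta)["Version"]
    return remote > local


# Constructed sample downloads (name -> bytes); not real malware.
SAMPLES = {
    "MacDefender.pkg": b"\x00\x01 MacDefender installer stub \xff",
    "MacShield.pkg": b"\x00\x01 MacShield installer stub \xff",
    "Notes.pkg": b"\x00\x01 harmless package \xff",
}

if __name__ == "__main__":
    sigs = load_signatures(SIGNATURES)
    for name, data in SAMPLES.items():
        print(name, scan(sigs, name, data))
    # Same payload, new file name: the name-pinned rule no longer fires.
    print("Renamed.pkg", scan(sigs, "Renamed.pkg", SAMPLES["MacDefender.pkg"]))
    print("update needed:", needs_update(META_INSTALLED, META_AVAILABLE))
```

The scanner matches on exact file name plus a fixed byte string, which is why every rename or rebuild of the downloader forces a new definition; anything that inspects behaviour rather than strings is outside what this format can express.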

5 of 7

This version of the Mac Defender downloader was released on Friday morning, and the signature Apple shipped on Friday evening detects it. Move To Trash is the default action in the warning dialog.

6 of 7

It's hard to believe that Apple is serious about security when this dangerous setting remains the default for Safari. The option, "Open 'safe' files after downloading" in Safari's General preferences, is on by default. If you download an installer package using Safari with its default settings, the Mac Defender installer opens automatically and waits for the victim to click Continue. Other browsers force you to download the file, extract it, and run it separately.

The Security Update 2011-003 bulletin does not mention this setting.
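A way to audit that setting from outside Safari, as an added example that is not part of the original gallery: the preference is stored under the key AutoOpenSafeDownloads in Safari's com.apple.Safari preferences plist, and the check below treats an absent key as the shipped default (enabled), which is the state a fresh install is in. The three preference blobs are constructed for the demo; check_safari_prefs() reads a real file and is the only part that touches the disk.

```python
import os
import plistlib

SAFARI_PREF_KEY = "AutoOpenSafeDownloads"  # key in com.apple.Safari


def auto_open_enabled(prefs_plist):
    """True when Safari will open 'safe' downloads automatically.
    A missing key means Safari's shipped default, which is enabled, so the
    absence of the key is the dangerous state, not a safe one."""
    prefs = plistlib.loads(prefs_plist)
    return bool(prefs.get(SAFARI_PREF_KEY, True))


def check_safari_prefs(path):
    """Read a real preferences file (binary or XML plist) and report."""
    with open(path, "rb") as fh:
        return auto_open_enabled(fh.read())


# Constructed preference files: a fresh profile with the key absent, one
# hardened by the user, and one with the option explicitly left on.
PREFS_DEFAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>HomePage</key><string>http://www.apple.com/</string>
</dict></plist>"""

PREFS_HARDENED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>HomePage</key><string>http://www.apple.com/</string>
  <key>AutoOpenSafeDownloads</key><false/>
</dict></plist>"""

PREFS_ENABLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AutoOpenSafeDownloads</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for label, blob in (("default", PREFS_DEFAULT),
                        ("hardened", PREFS_HARDENED),
                        ("enabled", PREFS_ENABLED)):
        print(label, "auto-open:", auto_open_enabled(blob))
    # Location of the real file on OS X of the Snow Leopard/Lion era.
    real = os.path.expanduser("~/Library/Preferences/com.apple.Safari.plist")
    if os.path.exists(real):
        print("this Mac auto-opens safe files:", check_safari_prefs(real))
```

To turn the option off without the GUI, run `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false` and restart Safari; the same result comes from clearing "Open 'safe' files after downloading" under Safari > Preferences > General.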

7 of 7

The check box in the middle of this preferences dialog box is new, added as part of Security Update 2011-003. If you clear the box and then select it again, OS X immediately retrieves the latest anti-malware definition file.
