Apple has released Security Update 2011-003, which updates the File Quarantine feature in Mac OS X 10.6.7 Snow Leopard to block the recent MacDefender malware. (See “Apple Responds to Increasingly Serious MacDefender Situation,” 25 May 2011.) In the process of applying the update, Software Update searches for known variants of the malware and removes them. The update also adds a new option, enabled by default, to the Security preference pane: “Automatically update safe downloads list.” According to Apple, Mac OS X now checks for updates to that list daily. The update is 2.1 MB and does not require a restart.
It’s worth pointing out that Security Update 2011-003 applies only to Mac OS X 10.6.7, and not earlier versions of 10.6 Snow Leopard or earlier versions of Mac OS X (as an early draft of this article said). It’s a little unclear how “compatible” MacDefender and its variants are with earlier versions of Mac OS X, but if you’re still running Leopard or Tiger, we recommend being particularly cautious.
File Quarantine -- For those that haven’t heard the term, File Quarantine is the Mac OS X feature, introduced in 10.5 Leopard, that produces the by-now familiar dialog: “file name is an application downloaded from the Internet. Are you sure you want to open it?” Mac OS X displays the dialog whenever a “potentially unsafe” file is opened via the Finder, Spotlight, or the Dock. Unfortunately, most file types that could contain executable code fall into the “potentially unsafe” category. As a consequence, users see the warning for every application they download, and they can quickly develop the dangerous habit of clicking “Open” without proper evaluation.
In 10.6 Snow Leopard, Apple added a specific check for malware, comparing downloaded files to a list of known malware. This list is stored deep within the Mac’s System folder hierarchy; you can find it in:
In Snow Leopard, when known malware is downloaded, Mac OS X displays a more useful dialog that says, “file name will damage your computer. You should move it to the Trash.” The dialog includes additional information that names the specific malware that it detected and that tells the user when it was downloaded and by which application. The dialog includes a Move to Trash button.
Security Update 2011-003 adds several features to the malware protection check:
An updated definition for what Apple calls the OSX.MacDefender.A malware, commonly known as MacDefender.
A routine that is run when the security update is first applied that searches for and removes known variants of OSX.MacDefender.A.
A feature that checks daily for updates to the list of known malware, and a checkbox in the Security preference’s General pane — “Automatically update safe downloads list” — that is checked by default. Users must authenticate to disable the automatic update of the malware list.
As always, we encourage users not to click the “Open” button in the Mac OS X File Quarantine dialog unless you’re certain you know what you’re agreeing to, and we encourage Safari users to uncheck the “Open ‘safe’ files after downloading” option in the General pane of Safari’s preferences.
Cat and Mouse -- Soon after Security Update 2011-003 appeared, a new MacDefender variant emerged. If you applied the security update on the day it was released, the quarantine list may not yet be updated to include the variant. According to Lex Friedman at Macworld, there’s an easy fix: Open the Security preference pane, turn off the “Automatically update safe downloads list” option, and then turn it back on again. (Lex’s article, “How to force your Mac to update its malware definitions,” also explains how to determine when the file was updated.)
Intego is reporting that there’s yet another version of MacDefender out now as well, though the company doesn’t say whether or not Apple’s code will find it. The list of variant names now includes MacSecurity, MacProtector, MacGuard, and MacShield. We wouldn’t be surprised to see the malware start masquerading as actual antivirus software soon, rather than relying solely on likely sounding names.