[Alert] Apple Mac / OSX Security Preferences Bug May Leave System Exposed


« Apple's MacDefender Tool: Quickly Circumvented, Now Regains Upper Hand | Main | SonyPictures.com Breached... How Does That Affect You? »

06/03/2011



[Alert] Apple Mac / OSX Security Preferences Bug May Leave System Exposed

Kevin R. Smith
Co-Editor


One of the steps Apple is taking to thwart MacDefender and other viruses and malware on their systems, is a new item in the 'System Preferences / Security' Preferences pane.

This option, "Automatically update safe downloads list" was one of the key components of the last Apple security update, which was covered in a prior blog on MacDefender Removal.

What does it do?

OSX 10.6.7 Security Preference Pane (General Tab) This checkbox tells your Mac to checkin with Apple's servers daily (and when you reboot) and look for new malware definitions. (Sounds a bit like Apple is building its own antivirus software into OSX, doesn't it?)

(Un)fortunately, the folks at Mac Antivirus maker Intego have discovered a bug in this setting, and although it sounds minor, it could leave your system exposed. Here's the scoop according to Intego and their discussion of the Security Preferences Pane Bug:

...if you open the Security preference pane, unlock it, and wait for more than 30 seconds, any changes you make to this setting will not stick.

"Do the above, quit System Preferences, then open the Security preference pane and you will see that the setting will be as it had before your last change.

I did exactly as described on one of our test PCs and personally confirmed this bug exists.

This isn't great, especially given the recent battle Apple and the MacDefender creators have been having, but at least it's easy to check on and easy to fix.

Now, given that we're all solutions-oriented geeks here, the first two questions I had, as with any antivirus software / definitions update mechanism, were:

  1. How can I tell when the last time was that OSX updated its malware detection signatures?
  2. How can I force it to manually update if the signatures are old and out-of-date?

Turns out, it's a piece of cake...

Here's how to tell when your OSX malware definitions were updated:

  1. Open Terminal (Finder > Applications > Utilities > Terminal)
  2. type this:
    more /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

Here's what I saw when I ran it:

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>LastModification</key> <string>Thu, 26 May 2011 02:24:41 GMT</string> <key>Version</key> <integer>1</integer> </dict> </plist>

Looking closely at the text above, you can see:

<key>LastModification</key><string>Thu, 26 May 2011 02:24:41 GMT</string>

This is the key to everything here, as it shows how current your definitions are.

As of the writing of this piece, this is the most current update available. (Hat tip to Lex Friedman and Macworld for being one of the first of many places to cover, Checking & forcing OSX to update malware definitions.)

So now, how do you force it to run if the definitions aren't current?

  1. Click: Apple > System Preferences > Security
  2. Uncheck then re-check "Automatically update safe downloads list"

Just be sure you close the Preferences Pane in under 30 seconds, or as Intego discovered, the settings aren't saved.

What controls the OSX anti-malware updates?

In case you're curious, the new Mac anti-malware updater is, as I just learned from a blog on XProtectUpdater is ...controlled by an executable by the name of XProtectUpdater.' It’s located in /usr/libexec/XProtectUpdater.

So, the bottom line is, there's a bug in the Security Preferences. If you follow the steps above, it's easy to check if you're current or not, and if you're not, it's easy to fix.

Just make sure your settings are correct and that your Mac antimalware definitions are current.

Comments

You can follow this conversation by subscribing to the comment feed for this post.

If it is not current cycling the Security Prefs works, or you can just use Terminal again.. as admin, to get it to update. Many are finding that their laptops are not automatically updating.. a bug I guess. Here's what to type:

sudo /usr/libexec/XProtectUpdater

Thanks for the great follow-up, Fred.

Much appreciated!

The comments to this entry are closed.