[Alert] Apple Mac / OSX Security Preferences Bug May Leave System Exposed

One of the steps Apple is taking to thwart MacDefender and other viruses and malware on their systems, is a new item in the 'System Preferences / Security' Preferences pane.

This option, "Automatically update safe downloads list" was one of the key components of the last Apple security update, which was covered in a prior blog on MacDefender Removal.

What does it do?

OSX 10.6.7 Security Preference Pane (General Tab) This checkbox tells your Mac to checkin with Apple's servers daily (and when you reboot) and look for new malware definitions. (Sounds a bit like Apple is building its own antivirus software into OSX, doesn't it?)

(Un)fortunately, the folks at Mac Antivirus maker Intego have discovered a bug in this setting, and although it sounds minor, it could leave your system exposed. Here's the scoop according to Intego and their discussion of the Security Preferences Pane Bug:

...if you open the Security preference pane, unlock it, and wait for more than 30 seconds, any changes you make to this setting will not stick.

"Do the above, quit System Preferences, then open the Security preference pane and you will see that the setting will be as it had before your last change.

I did exactly as described on one of our test PCs and personally confirmed this bug exists.

This isn't great, especially given the recent battle Apple and the MacDefender creators have been having, but at least it's easy to check on and easy to fix.

Now, given that we're all solutions-oriented geeks here, the first two questions I had, as with any antivirus software / definitions update mechanism, were:

  1. How can I tell when the last time was that OSX updated its malware detection signatures?
  2. How can I force it to manually update if the signatures are old and out-of-date?

Turns out, it's a piece of cake...

Here's how to tell when your OSX malware definitions were updated:

  1. Open Terminal (Finder > Applications > Utilities > Terminal)
  2. type this:
    more /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

Here's what I saw when I ran it:

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>LastModification</key> <string>Thu, 26 May 2011 02:24:41 GMT</string> <key>Version</key> <integer>1</integer> </dict> </plist>

Looking closely at the text above, you can see:

<key>LastModification</key><string>Thu, 26 May 2011 02:24:41 GMT</string>

This is the key to everything here, as it shows how current your definitions are.

As of the writing of this piece, this is the most current update available. (Hat tip to Lex Friedman and Macworld for being one of the first of many places to cover, Checking & forcing OSX to update malware definitions.)

So now, how do you force it to run if the definitions aren't current?

  1. Click: Apple > System Preferences > Security
  2. Uncheck then re-check "Automatically update safe downloads list"

Just be sure you close the Preferences Pane in under 30 seconds, or as Intego discovered, the settings aren't saved.

What controls the OSX anti-malware updates?

In case you're curious, the new Mac anti-malware updater is, as I just learned from a blog on XProtectUpdater is ...controlled by an executable by the name of XProtectUpdater.' It’s located in /usr/libexec/XProtectUpdater.

So, the bottom line is, there's a bug in the Security Preferences. If you follow the steps above, it's easy to check if you're current or not, and if you're not, it's easy to fix.

Just make sure your settings are correct and that your Mac antimalware definitions are current.


Apple's MacDefender Tool: Quickly Circumvented, Now Regains Upper Hand

The ongoing battle between the OSX anti-malware team and the MacDefender malware creators has taken some interesting turns this week.

Apparently about eight hours after the anti-MacDefender update (which I talked about it yesterday's blog on MacDefender removal) was released, the bad guys regained the upper hand.

CNet has some great coverage by Topher Kessler who says,

Let the cat and mouse games commence.

"Less than a day after Apple tackled the malware threats in OS X with an updated implementation of its malware detection technologies, the MacDefender malware developers have issued another variant that bypasses Apple's definitions to root out and remove the malware.


Then, earlier today (June 6, 2010), there was this update from cnet:

The cat is back in the lead.

"Apple has updated Snow Leopard's XProtect yet again to tackle the new variant, and did so in less than a day after the original update was circumvented.

"Apple is taking a very active approach to prevent this malware from being a problem for people.

Apple definitely took a bit of a pounding publicly after having taken so long to respond to the MacDefender threat initially. Now though, it looks like they're showing their willingness to take on the Mac malware creators head-on.

Regardless of how effective this strategy is long term, every step they take now will make things more secure and close more and more holes in their operating system.

And, for that Mac owners should be grateful.

Does it eliminate the need for mac antivirus software?

I don't believe so.

It's clear Windows malware is lucrative--very lucrative--or else the malware Windows malware writers would've given up long ago.

And, what the MacDefender creators appear to've shown is that the Apple OS X system, while good, does have holes. How hard they are to find, how far the bad guys are to find them, and how lucrative it is for them to do so all remain to be seen.

The question is: Will Apple's virus situation become as bad as Windows?

Apple Releases MacDefender Removal & Prevention Tools

Although it took longer than most Mac users would like, Apple finally released a security update designed to remove (and thwart installation of) MacDefender and its similarly named brethren.

Getting the update is a cinch, even if you're unfamiliar with OSX. Here's how:

  1. Click the Apple logo and choose "Software Update"

    You'll then see a window pop-up identical to this one:

  2. Click "Show Details" (alternately, you can skip ahead and just choose "Install" as shown here)

  3. If you choose "Show Details", you'll want to look for "Security Update 2011-003" as shown here:

    After which you'll want to click "Install [number] item(s)"
    Once you have, you'll see:

    Followed by a confirmation that the update was installed...

    Followed by one last check to ensure there aren't any more updates...
    And finally, you'll get a confirmation that your software is up-to-date.

Now what?

OK, so you've installed the MacDefender Removal & Prevention tool.

How do you know if you've got the malware? And, how do you know if it was removed?

Here are some more screenshots to help you see what OSX is supposed to do now that the MacDefender Removal/Prevention tool is installed.

First of all, let's talk about what you'll see if your Mac has been infected with MacDefender.

Let's be honest, if you see that error message appear, there shouldn't be any confusion, right?

You'll notice the only option here is to hit "OK." There's no other option to get tricked into clicking, and you'll also note that the OS detected and removed the malware on its own.

In other words, there was nothing to buy and nothing to run. It just worked. Great.

MacDefender Prevention

The next thing to be on the lookout for whether or not you've been infected is what to look for so that you don't get hit with this thing.

If you do accidentally download the file, you should expect to see this warning:

Interestingly, Apple choose to leave "Open" as one of the possible options. This is great for those of us in the antivirus field, and as crazy as it may seem, some people will click "Open" instead of "Move to Trash."

Sometimes it's accidental. Sometimes it's intimidation about doing the wrong thing. Sometimes it's just clicking away at things hoping to make boxes like this go away. And, sometimes it's outright stupidity.

It happens. We're only human.

So, the last tidbit of insight I can shed on things here is this: Make sure your "Automatically update safe downloads list" is checked as shown here.

You can find it under "Apple > System Preferences > Security > General."

[Editor's Note: Alternately, you can also get the update to remove MacDefender to install it manually, too.]