[Alert] Apple Mac / OSX Security Preferences Bug May Leave System Exposed

One of the steps Apple is taking to thwart MacDefender and other viruses and malware on their systems, is a new item in the 'System Preferences / Security' Preferences pane.

This option, "Automatically update safe downloads list" was one of the key components of the last Apple security update, which was covered in a prior blog on MacDefender Removal.

What does it do?

OSX 10.6.7 Security Preference Pane (General Tab) This checkbox tells your Mac to checkin with Apple's servers daily (and when you reboot) and look for new malware definitions. (Sounds a bit like Apple is building its own antivirus software into OSX, doesn't it?)

(Un)fortunately, the folks at Mac Antivirus maker Intego have discovered a bug in this setting, and although it sounds minor, it could leave your system exposed. Here's the scoop according to Intego and their discussion of the Security Preferences Pane Bug:

...if you open the Security preference pane, unlock it, and wait for more than 30 seconds, any changes you make to this setting will not stick.

"Do the above, quit System Preferences, then open the Security preference pane and you will see that the setting will be as it had before your last change.

I did exactly as described on one of our test PCs and personally confirmed this bug exists.

This isn't great, especially given the recent battle Apple and the MacDefender creators have been having, but at least it's easy to check on and easy to fix.

Now, given that we're all solutions-oriented geeks here, the first two questions I had, as with any antivirus software / definitions update mechanism, were:

  1. How can I tell when the last time was that OSX updated its malware detection signatures?
  2. How can I force it to manually update if the signatures are old and out-of-date?

Turns out, it's a piece of cake...

Here's how to tell when your OSX malware definitions were updated:

  1. Open Terminal (Finder > Applications > Utilities > Terminal)
  2. type this:
    more /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

Here's what I saw when I ran it:

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>LastModification</key> <string>Thu, 26 May 2011 02:24:41 GMT</string> <key>Version</key> <integer>1</integer> </dict> </plist>

Looking closely at the text above, you can see:

<key>LastModification</key><string>Thu, 26 May 2011 02:24:41 GMT</string>

This is the key to everything here, as it shows how current your definitions are.

As of the writing of this piece, this is the most current update available. (Hat tip to Lex Friedman and Macworld for being one of the first of many places to cover, Checking & forcing OSX to update malware definitions.)

So now, how do you force it to run if the definitions aren't current?

  1. Click: Apple > System Preferences > Security
  2. Uncheck then re-check "Automatically update safe downloads list"

Just be sure you close the Preferences Pane in under 30 seconds, or as Intego discovered, the settings aren't saved.

What controls the OSX anti-malware updates?

In case you're curious, the new Mac anti-malware updater is, as I just learned from a blog on XProtectUpdater is ...controlled by an executable by the name of XProtectUpdater.' It’s located in /usr/libexec/XProtectUpdater.

So, the bottom line is, there's a bug in the Security Preferences. If you follow the steps above, it's easy to check if you're current or not, and if you're not, it's easy to fix.

Just make sure your settings are correct and that your Mac antimalware definitions are current.


Mac Defender 2.0... Malware Creator Responds to Apple Update

Apple may've taken a lot longer than anyone would have liked to respond to the Mac Defender fake antivirus malware, but he/she/they haven't.

In fact, on the heels of Apple's announcement, the Mac Defender creator has already fired another salvo back across Apple's bow.

The latest?

According to Intego, a Mac-centric antivirus firm, the latest version, dubbed "Mac Guard," that has upped the ante and made stopping it all the harder.

For starters Intego says in their blog post on Mac Defender,

Intego today discovered a new variant of this malware that functions slightly differently. It comes in two parts.

"The first part is a downloader, a tool that, after installation, downloads a payload from a web server.

"As with the Mac Defender malware variants, this installation package, called avSetup.pkg, is downloaded automatically when a user visits a specially crafted web site.


Yikes. Auto-download? That sounds a lot like Windows malware to me.

And, here's where it gets really ugly.

Apple, in their infinite wisdom, has Safari, the default browser on the Mac, in its default configuration, automatically open so-called "safe" files after downloading.

Translation, it downloads on its open and even opens itself for you... all on its own! Yay! Before you know it, and without your asking for it, the standard, friendly looking Mac installer is in front of you. All on its own.

What next? All you have to do is click 'Continue' and so on as you normally would, and poof! your machine is infected.

The thing is, a lot of people won't know any different. All they see is the friendly-looking installer (that can't be harmful, right??), and a 'Continue' button.

What do they do? Click 'Continue,' of course!

What's more, according to Intego, is Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. [Editor's note: emphasis theirs.]

This whole Mac Defender/Protector/Security/Guard trojan malware is causing more than a little buzz, including a piece on Mac Guard on ZDNet.

In the article, author Ed Bott's [Editor's Note: Botts... an apropos name for someone in Internet security], says,

Apple appears to be treating this outbreak as if it were a single incident that won’t be repeated. They seriously underestimate the bad guys, who are not idiots.

"Peter James, an Intego spokeperson, told me his company’s analysts were 'impressed by the quality of the original version.'

"The quick response to Apple’s move suggests they are capable of churning out new releases at Internet speeds, adapting their software and their tactics as their target—Apple—tries to put up new roadblocks.


That about sums up our take on things here, too. Seriously, Apple, these were a couple of real missteps on your part. First the long delay.

Then the craptastic response. C'mon. How 'bout disabling the inane Automatically open "Safe" files. That's not really a default, is it?

That's the best the company that makes innovative products like the iMacs, iPhones, iTunes, iPods, and iPads can do?

Maybe this is going to be a long road after all.

[N.B. The original Apple announcement on Removing Mac Defender, which we discussed in an earlier blog about Mac Defender, mentioned two steps Apple was taking to combat Mac Defender. They were going to be:

  1. releasing a Mac Defender remover as part of their next update and
  2. having OSX do some sort of realtime intervention if you tried to install the malware.]


Antivirus Software: What's Real? What's Fake?

One of the growing concerns for many security and antivirus professionals is the dramatic growth of fake antivirus software.

The idea behind fake A/V software is to trick unsuspecting consumers into downloading and installing their fake software in an effort to get trojans, viruses, spyware, and other malware installed onto PCs in the process.

There's nothing real about the fake software, except the threat it poses.

The process works like this:

  1. Trick consumer with a real looking, real sounding ad on an (often unsuspecting) legitimate website
  2. Get consumer to install the phony (but very real looking) antivirus application
  3. Stuff any number of trojans, keyloggers, spyware, and other evil applications into the fake antivirus program
  4. Use the newly infected computer to do their bidding, including (among other things):
    1. identity theft
    2. credit card fraud
    3. bank theft
    4. infecting other computers
    5. spamming

Solution to the Fake Antivirus Software Problem

Word is filtering out today about a way to tell fake antivirus software from legitimate ones.

A new site from security and SSL vendor Comodo of a project they're backing called, "Common Computing Security Standards Forum," aims to help consumers figure out what's real and what's not.

In their list of all known legitimate antivirus software vendors, they hope to help put an end to the dummy antivirus programs out there and to help consumers stay clear of the crap.

In addition to thanking them for their efforts, here is a complete list of current antivirus vendors known to Comodo to be the real deal:

Legitimate Antivirus Software Vendors
  • AhnLab
  • Aladdin
  • Antiy
  • Authentium
  • AVG Technologies
  • Avira GmBH
  • BitDefender (BitDefender Antivirus & Internet Security)
  • BullGuard
  • CA Inc (CA Anti-Virus)
  • Checkpoint
  • Cisco
  • ClamAV
  • Comodo
  • CSIS Security Group
  • Drive Sentry
  • Dr.Web
  • Emsi software
  • ESET
  • F-Secure
  • Fortinet
  • Frisk Software
  • G Data Software
  • GFI/Sunbelt Software (VIPRE Antivirus & Internet Security)
  • Ikarus Software
  • Intego
  • iolo
  • IObit.com
  • Kaspersky Lab (Kaspersky Anti-Virus & Internet Security)
  • Kingsoft
  • Malwarebytes
  • McAfee McAfee VirusScan Plus & Internet Security)
  • Norman
  • Panda (Panda Antivirus Pro & Internet Security)
  • PC Tools
  • Prevx
  • Rising
  • Sophos
  • SuperAntispyware
  • Symantec (Norton AntiVirus & Internet Security)
  • Trend Micro (Trend Micro AntiVirus & Internet Security)

  • You'll note, every one of the programs (reviews linked above) are included in our antivirus reviews since day one of our site are included on the list.

    If you know of other legitimate A/V software not on the list, please contact us so that we can share your insight with the folks at Comodo.