Mac Trojan horses, beware: There’s a new sheriff in town, and its name is Security Update 2011-003. Not a very catchy name, to be sure, but it gets the job done—and that job is protecting Mac users from the nefarious Mac Defender Trojan horse, as well as laying the groundwork to keep them safe from future malware.
In a knowledge base document posted last week, Apple published details of how to manually remove the Mac Defender Trojan horse, as well as promising to roll out a security update that would deal with the malware in a more automatic fashion.
Security Update 2011-003 is that update. Weighing in at 2.36MB, it requires Mac OS X 10.6.7 and tackles Mac Defender from three angles.
The first is an addendum to the malware definitions contained in Snow Leopard’s built-in File Quarantine malware protection, which specifically identifies the OSX.MacDefender.A variant of the Trojan horse. (My investigation of the definitions file post-update showed that it will also detect the OSX.MacDefender.B variant.) While Snow Leopard has contained this anti-malware protection since it shipped in 2009, it contained only two definitions at launch, and has since been updated with just four further pieces of malware (three of which were variants of the same
The second tine of Apple’s Trojan-skewering fork aims to beef up Snow Leopard’s malware protection by adding support for daily definition updates. This gives Apple the ability to add new definitions in the background, without requiring users to manually download a Security Update. Not only does that avoid interrupting users’ workflows, but it also makes sure that potentially critical updates don’t linger, uninstalled, in Software Update. Users who would rather opt out of the downloads, for whatever reason, can do that: Security Update 2011-003 adds an “Automatically update safe downloads list” item to OS X’s Security preference pane; just uncheck that box, and your definitions will remain untouched.
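As an added example (this is not Apple’s code and not something from the original article), here is a Python script that does what the previous two paragraphs describe by hand: it lists every signature in the File Quarantine definitions file, checks that named threats such as OSX.MacDefender.A and OSX.MacDefender.B are covered, and reads the metadata file the daily updater rewrites so it can flag definitions that have gone stale (for instance because “Automatically update safe downloads list” has been unchecked). The on-disk paths, the per-signature plist layout (Description, LaunchServices, Matches) and the LastModification/Version keys are assumptions about the Snow Leopard-era XProtect format, not facts stated on the page; the embedded plists are constructed samples so the script runs offline, and it only falls back to them when the real files are absent.

```python
"""Inspect File Quarantine (XProtect) malware definitions after Security Update 2011-003.

Added example, not Apple's code. Paths and plist layout are assumptions about the
10.6.x-era format; the embedded sample plists are constructed for offline use.
"""
import os
import plistlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumed locations on Mac OS X 10.6.x (not stated on the page).
XPROTECT_PLIST = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist"
XPROTECT_META = "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"

# Constructed sample in the assumed layout: one dict per signature, each with a
# human-readable Description, the content type it applies to, and byte-pattern rules.
SAMPLE_DEFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.MacDefender.A</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.application-bundle</string></dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key><dict><key>NSURLNameKey</key><string>Contents/MacOS/MacDefender</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>0011223344</string>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Description</key><string>OSX.MacDefender.B</string>
    <key>LaunchServices</key>
    <dict><key>LSItemContentType</key><string>com.apple.application-bundle</string></dict>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchFile</key><dict><key>NSURLNameKey</key><string>Contents/MacOS/MacDefender</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>5566778899</string>
      </dict>
      <dict>
        <key>MatchFile</key><dict><key>NSURLNameKey</key><string>Contents/Info.plist</string></dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>AABBCCDD</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""

# Constructed sample of the metadata the daily updater rewrites (assumed keys and date format).
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LastModification</key><string>Tue, 31 May 2011 22:47:53 GMT</string>
  <key>Version</key><integer>1</integer>
</dict>
</plist>
"""


def load_definitions(data):
    """Return (name, content_type, number_of_match_rules) for every signature in the plist."""
    out = []
    for entry in plistlib.loads(data):
        content_type = entry.get("LaunchServices", {}).get("LSItemContentType", "")
        out.append((entry["Description"], content_type, len(entry.get("Matches", []))))
    return out


def signature_names(data):
    return [name for name, _, _ in load_definitions(data)]


def coverage(data, wanted):
    """Map each wanted threat name to whether a signature with exactly that Description exists."""
    have = set(signature_names(data))
    return {name: name in have for name in wanted}


def _as_utc(value):
    """Accept an aware datetime or an ISO 8601 string; return an aware UTC datetime."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def definitions_age_days(meta_data, now):
    """Days since the updater last rewrote the metadata (LastModification is RFC 2822 text)."""
    meta = plistlib.loads(meta_data)
    last = parsedate_to_datetime(meta["LastModification"])
    if last.tzinfo is None:
        last = last.replace(tzinfo=timezone.utc)
    return (_as_utc(now) - last).total_seconds() / 86400.0


def is_stale(meta_data, now, max_age_days=2.0):
    """True when daily updates have evidently stopped arriving, e.g. the box is unchecked."""
    return definitions_age_days(meta_data, now) > max_age_days


def main():
    defs = open(XPROTECT_PLIST, "rb").read() if os.path.exists(XPROTECT_PLIST) else SAMPLE_DEFS
    meta = open(XPROTECT_META, "rb").read() if os.path.exists(XPROTECT_META) else SAMPLE_META
    for name, content_type, rules in load_definitions(defs):
        print(f"{name:28s} {content_type:36s} {rules} match rule(s)")
    print(coverage(defs, ["OSX.MacDefender.A", "OSX.MacDefender.B"]))
    now = datetime.now(timezone.utc)
    print(f"definitions last modified {definitions_age_days(meta, now):.1f} days ago; "
          f"stale={is_stale(meta, now)}")


if __name__ == "__main__":
    main()
```

Run it on a 10.6.7 box after the update and it reads the real files; anywhere else it exercises the constructed samples. The staleness threshold of two days is a judgement call: with daily updates promised, a metadata file that has not moved in several days is the quickest sign that the checkbox has been cleared or the updater is failing.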
Thirdly, Snow Leopard can now remove the Mac Defender Trojan horse if it’s detected on your system. According to Apple, the OS will now check for the malware; if it’s found, Snow Leopard will force it to cease and desist, remove any persistent files, and fix any configuration changes the program has made. Once all the damage is repaired, you’ll be notified that the malware has been removed.
It’s unclear, however, whether those removal abilities will extend to the previous malware included in Snow Leopard’s definition list or to future malware. There’s also the issue of Mac Defender variants that have already begun to spring up around the Internet, including a particularly nasty version that doesn’t require the user to enter an administrative password.
While seeing Apple actively combatting malware is a step in the right direction, its future handling of potential malware outbreaks will bear far more weight. Apple now has the means to quickly and efficiently deliver malware protection to its users, but it remains up to Apple to make sure that it uses them.