Apple releases Security Update 2011-003 (Snow Leopard); blocks and removes MACDefender trojan

Apple today released Security Update 2011-003 (Snow Leopard) which is recommended for all users and improves the security of Mac OS X.

Previous security updates have been incorporated into this security update.

Security Update 2011-003 addresses the following issues:

File Quarantine
Available for: Mac OS X v10.6.7, Mac OS X Server v10.6.7
Impact: Definition added
Description: The OSX.MacDefender.A definition has been added to the malware check within File Quarantine. Information on File Quarantine is available in this Knowledge Base article: http://support.apple.com/kb/HT3662

File Quarantine
Available for: Mac OS X v10.6.7, Mac OS X Server v10.6.7
Impact: Automatically update the known malware definitions
Description: The system will check daily for updates to the File Quarantine malware definition list. An opt-out capability is provided via the “Automatically update safe downloads list” checkbox in Security Preferences. Additional information is available in this Knowledge Base article: http://support.apple.com/kb/HT4651

Malware removal
Available for: Mac OS X v10.6.7, Mac OS X Server v10.6.7
Impact: Remove the MacDefender malware if detected
Description: The installation process for this update will search for and remove known variants of the MacDefender malware. If a known variant was detected and removed, the user will be notified via an alert after the update is installed. Additional information is available in this Knowledge Base article: http://support.apple.com/kb/HT4651

Security Update 2011-003 (Snow Leopard) is available via Software Update and also as a standalone installer.

More info and download link (2.36MB) here.

[Thanks to MacDailyNews Reader “ChrissyOne” for the heads up.]

Related articles:
Apple: How to avoid or remove MACDefender malware (permanent fix coming in Mac OS X update) – May 24, 2011
MACDefender trojan protection and removal guide – May 20, 2011
Apple investigating ‘MACDefender’ trojan – May 19, 2011
Apple malware: 6 years of crying wolf – May 6, 2011
Is Mac under a virus attack? No. – May 4, 2011
Intego: MACDefender rogue anti-malware program attacks Macs via SEO poisoning – May 2, 2011

28 Comments

  1. I’mguessing the “safe downloads list” is actually a blacklist of sorts. Checking against it would constitutes a form of malware definition.
    Tell the Fanbois that Apple has built a limited form of AV SW into OSX. I’m sure hair splitters will contest this, bit the effect is the same.
    Of course those of us running Intego X6 didn’t have the problem in the 1st place.

      1. I’ve read that this option does not apply to executables, only data files. But OS X does warn users when programs downloaded from the internet try to open for the first time.

      2. Last week I made that comment and was attacked as not knowing what I was talking about. I mentioned the fact that an Apple Store employee was shocked when I showed him the default setup on SL had the app firewall off and “open safe files after downloading” on.
        I agree with your posit. However, many post here slamming the makers of AV SW and I disagree. My employer, among many, require the use of AV SW as a condition to access their network. My options are use AV SW or use their Windows boxes.
        As to Intego, they ID’d it & added it to the SW before anyone mentioned it publicly. Their SW does not drag on the system and is reasonably priced. They do not deserve the snarky comments many post here.
        If you wish not to use AV SW- I wish you well.

        1. Really… really?
          You sound like a windows user who dosen’t understand the differences between the win port firewalling and OSC (just like those who don’t understand the differences between windows & OS X “admin” users.

          While it is impossible to refute an anecdotal story (which is why trolls use them so much) I find it hard to believe that any apple store employee didn’t know boo about the default config of the SL firewall (and was SHOCKED!!!) and/or explain it to you, or at least refer you to someone who could.
          Sorry I ‘aint completely buying the story and I still maintain that:
          1) Installing antivirus software on OSX is premature because there are no viruses (to date) on OS X
          2) There is NO AV protection software on windows that can protect you because of the “gag order” that MS has all AV software developers & “security researchers” sign that prevents them from announcing viruses & exploits (even those found in the wild) till MS authorizes it (and presumably has a Patch ready.)

          SO…. AV software is, basically unnecessary on the mac and not completely effective on windows.

    1. First of all, Tiger is 10.4.x, Leopard is 10.5.x

      Tiger is considered past support. Leopard is supposedly still supported.

      Can anyone tell if there was a Leopard update?

      1. No update for Leopard. You must be running 10.6.7 for this update to apply. Having said that, if you uncheck “automatically open safe downloaded files” or don’t sign in with an administrator account, you can’t “catch” this problem anyway.

  2. call it what you like, Apple just provided us with a relative safe OS, and made it a bit safer today.

    Now it time to educate the group of new mac users, but this education is applicable for all OSes.

    Install your OS with a user and an administrator account. Use the user account unless when you do your administration. (you’ll do more admin on windows than on OSX or Linux).
    Don’t just install something you did not ask to be installed.
    be prepared to wait with an update until others tried it out. When there is a problem with an update, the first messages usually appear within a few minutes to a few days after the update is released.
    Keep your firewall up, both the system firewall and your human firewall (keep paying attention to what your system is doing).

    1. An article posted today claims that user accounts are sufficient to exploit the OS. Don’t know if it’s BS, but it is something worth looking into.

        1. It means that the exploit will run without requiring administrative rights, since it only installs the new variant for the local user in a non-system location.
          In other words, you can be infected without involving admin rights or an admin account.

      1. Yep it’s BS, the exploit has no means of achieving “root” status (and no, an “administrator” in OSX is NOT not a “root user” and is not equivalent to Admin in windows (which IS essentially equivalent to a unix “root user”)

        This is just another Apple-haterz publicity stunt, similar to the antenna-gate bull that they foisted on the public at the launch of the iPhone4

        This FUD is not aimed at existing OS X users, but is an attempt to mislead windows users that the virus threat on OSX is or soon will be equivalent to windows. this is to stem the huge wave of Windows users who are chucking their malware infested windows box in favor of the hugely more secure Mac and OS X

        Any Mac pundits who (correctly) state that macdefender is virtually toothless (and several order of magnitude less effective and virulent than the tens of thousands of viruses and worms currently on windows are painted as delusional and/or naive. (just look at the shots taken at Gruber)

        It is a stupid publicity stunt and really doesn’t affect mac users, the sad thing is all the users that they may delude into buying yet another windows crap box.

  3. While I’m not against the installation of AV SW on Mac I’m impressed by the hard work done by the AVSW companies in pushing or Mac AVSW. I believe it’s all depends on what type of users are you. For average users who’s not alert enough and mainly use their machine for checking email, surfing net, chatting, social networking, I’m strongly in for the push of antivirus for them. However, Apple has again proved that they have their users at heart and without a AVSW, they can push an update to fix our problems.

    Just a word of caution, never ever believe a pop up alert telling you your machine has been infected. As in the first place, they need your permission to install the scanning engine, secondly, they need your permission to execute the scan. If in the first place you have not installed their AVSW or any other AVSW on your machine before, there’s no reason they can tell whether you’re infected or not 😉

    Correct me if I’m wrong pals…

    1. I agree on the “always be careful and don’t ok (or give you system password to) program installers that just “pop up”,
      —actually I would go further and say be dead sure (~100%) of any application before you give it your system password You are allowing it access to the core of the OS, changes here can render your OS unstable or even unbootable—
      However I differ greatly on the antivirus software advice. It is simply (at this time) not necessary or advantageous on OS X for a normal user (really for any user). Besides consuming resources running the background they often cause problems and can even make the system unstable (NAV for example). Don’t add crap you don’t (at this time) even need, it just doesn’t make good sense.

  4. Damn, Apple does security right. It’s only 2.3 MB, it removes current malware, only scans files after a download, provides a simple mechanism for daily updates so it will work on new malware in the future, and no restart is needed to install it.

    It so simple, logical, and obvious in hindsight. Well played.

  5. Don’t be fooled into believing that you are automatically protected. A quick check in places such as sans.org will confirm that there are a lot of Mac nasties out there, some of which will install whether you like it or not.
    Macs are not attacked as often or as frequently as Windows, but the threat and virulence of the attacks are real.
    I do not agree with “the sky is falling” mentality of the AV companies, who seem to me more concerned with selling you a product. You see, no AV product is very effective. Some exploits will get blocked, but none can provide true protection. Don’t get me wrong, they are measures that help, but using AV doesn’t mean you are safe, and anyone who surfs that way will get into trouble eventually. Luckily, Mac exploits aren’t what they are for Windows.

    1. Do you have any examples of mac malware that “will install whether you like it or not.” Every one I’ve heard of in the last five years or so was trojan, that the user had to install on their own computer.

    2. Yes, I have made more than a quick check at sans.org and I cannot find any mention of OS X nasties. I did find one thing in the FAQs about how to set up OS X/Apache as a web facing server. What details did I miss?

    3. Bull…

      this is the latest attempt to equivocate OS X and windows malware and they are not.

      OS X is (and has been for a decade) completely virus free

      WIndows (including win7) is infested with literally tens of thousands of serious viruses and worms.

      (MAC defender is not a virus or worm it is trojan/phishing exploit (and a particularly toothless one)

      Viruses and worms are
      1: self propagating and self installing (without asking the user for the system password 😉
      2: They achieve “root” status via a variety of exploits and then shield themselves (blind even the kernel as to their existence (google rootkit)) which makes them virtually impossible to detect or remove even with anti virus software.
      3: Have systemwide access to any an all files (and all I/O) on the machine.
      The windows virus/worm pandemic is serious and widespread threat to user security (most legitimate surveys show >90% of windows machines are infected. Curious that 90% of windows users will tell you that never had a virus… isn’t it)

      MACDefender on the other is a publicity stunt and basically a toothless joke of a trojan.

  6. Well, according to the descriptions of the solution Apple just deployed, Mac OS X Snow Leopard now has, for all intents and purposes, a built-in anti-virus (more accurately, anti-trojan) software. If you surf using Safari, you won’t be able to catch any malware, since Apple will continuously update your malware blacklist on your Safari and check every visited page against that blacklist. Even if you DO catch a trojan (the list wasn’t updated when the trojan arrived), it seems that your Snow Leopard should be able to eventually find it in the file system and get rid of it.

    So, surf and click away! Apple has your back…

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.