Apple has released a security update for Mac OS X 10.6 that removes and blocks the scareware programs that have recently plagued its customers. Known as Security Update 2011-003, it updates the platform's XProtect component with definitions for the known fake antivirus variants, including Mac Defender, Mac Guard and Mac Security.
One of the most important changes it brings is the introduction of daily updates for the XProtect list, which will allow the company to respond to new variants more quickly.
As far as proactive measures go, the system leverages LSQuarantine, the component normally responsible for asking people what they want to do with files downloaded from the Internet (an untrusted source).
If LSQuarantine is enabled — and it should be by default — after downloading a Mac Defender variant, users will be alerted that it will damage their computer and will be advised to move it to Trash.
But, there's one problem. Because of the way LSQuarantine was designed, the "Open" option is still available to users. Obviously, it makes no sense to offer people the option to infect themselves.
"My impressions? A good reaction from Apple in a short amount of time. They are making the best of what is available in the OS X platform at this time. Unfortunately it falls short in many respects," says Chester Wisniewski, a senior security advisor at Sophos.
For one, LSQuarantine only kicks in for files saved by applications that integrate with it, mainly the web browsers, which tag each download with a quarantine attribute. If a scareware program is downloaded via BitTorrent or opened from a network share, a USB drive or other storage medium, it never receives that attribute, so it is allowed to run without any XProtect check.
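The gate described in the preceding paragraphs, modelled as an added Python example (this is illustrative code, not Apple's): a file is only checked against the signature list when it carries the com.apple.quarantine extended attribute, the attribute value is assumed to follow the "flags;hex-time;agent;event-id" layout commonly seen on 10.6, and the signature table is a constructed stand-in for XProtect definitions rather than the real XProtect.plist contents.

```python
"""Model of the LSQuarantine / XProtect gate (added illustration, not Apple's code).

Assumptions: the quarantine attribute value is 'flags;hextime;agent[;event-id]',
and SIGNATURES is a constructed stand-in for XProtect definitions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int          # bit flags (their meaning is not modelled here)
    downloaded_at: int  # Unix time the file was downloaded
    agent: str          # application that wrote the attribute, e.g. Safari
    event_id: str       # download event identifier, may be empty


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse 'flags;hextime;agent[;event-id]'; raise ValueError on junk."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError("malformed quarantine attribute: %r" % value)
    flags, hextime, agent = parts[0], parts[1], parts[2]
    event_id = parts[3] if len(parts) > 3 else ""
    return QuarantineInfo(int(flags, 16), int(hextime, 16), agent, event_id)


# Constructed signature table: name -> byte pattern that must occur in the file.
SIGNATURES: Dict[str, bytes] = {
    "OSX.MacDefender.A": b"MacDefender",
    "OSX.MacDefender.B": b"MacGuard",
    "OSX.MacDefender.C": b"MacSecurity",
}


def match_signatures(data: bytes) -> Optional[str]:
    """Return the first signature whose pattern occurs in data, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


@dataclass
class Verdict:
    checked: bool             # did LSQuarantine run at all?
    detection: Optional[str]  # matched signature name, if any
    options: Tuple[str, ...]  # choices the user is offered


def quarantine_gate(xattrs: Dict[str, str], data: bytes) -> Verdict:
    """Decide what happens when the user opens a file with these xattrs/contents."""
    value = xattrs.get(QUARANTINE_XATTR)
    if value is None:
        # No quarantine attribute (BitTorrent client, USB stick, network share):
        # LSQuarantine never runs, so the XProtect list is never consulted.
        return Verdict(checked=False, detection=None, options=("Open",))
    # The model rejects a malformed attribute instead of silently skipping the check.
    parse_quarantine(value)
    hit = match_signatures(data)
    if hit is not None:
        # 2011-003 behaviour: warn that the file will damage the computer and
        # advise moving it to the Trash, but "Open" is still offered.
        return Verdict(checked=True, detection=hit, options=("Move to Trash", "Open"))
    # Clean quarantined download: the usual "downloaded from the Internet" prompt.
    return Verdict(checked=True, detection=None, options=("Open", "Cancel"))


if __name__ == "__main__":
    # Constructed sample: the same payload delivered two different ways.
    payload = b"constructed MacDefender installer stub"
    via_safari = {QUARANTINE_XATTR: "0001;4dd68e40;Safari;A1B2C3D4-0000-0000-0000-000000000000"}
    print(quarantine_gate(via_safari, payload))  # detected, but "Open" still present
    print(quarantine_gate({}, payload))          # copied from a USB drive: never checked
```

On a real Mac the attribute can be inspected with `xattr -p com.apple.quarantine <file>`; a copy of the same file taken from a USB drive or a network share prints nothing, which is exactly the case the model treats as unchecked.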
Mr. Wisniewski also found problems with the scareware removal procedure. The update is supposed to clean systems that are already infected, but the removal does not run until a user logs in with an administrative account.
Finally, there are concerns that, depending on how this malware family evolves, daily signature updates might be insufficient to deal with it.
When responding to scareware schemes, speed is critical, because the whole point of these attacks is to trick users into buying licenses, and that can happen in a matter of minutes.
A few hours is all the cybercriminals need to monetize a new variant, so an update delivered a day later will do little to hinder them. Mac users are strongly advised to install an antivirus program that has on-access scanning and is capable of heuristic detection.