New MacDefender Defeats Apple Security Update
Apple released a security update yesterday (May 31) designed to rid Macs of the menacing MacDefender malware that has plagued users for nearly a month. But mere hours after the update, cybercriminals released a new variant of the malware that easily defeated Apple's belated security efforts.
Security Update 2011-003, available for Mac OS X 10.6.7 and Mac OS X Server 10.6.7, includes a malware removal tool that searches for and removes "known variants of the MacDefender malware," as Apple wrote on its support page.
These known variants include MacProtector and MacSecurity; both Trojans have been infecting Mac users since early May, trying to convince them to buy bogus antivirus software and often hijacking their Web sessions until they comply.
"Files downloaded via applications such as Safari, iChat, and Mail are checked for safety at the time that they are opened," Apple wrote. "If a file is identified as containing known malware, the system will display a dialog that alerts you to move it to the Trash. You should empty the Trash to finalize the removal of the file."
Apple's official security update came the same day that researchers spotted MacDefender spreading under the guise of a fake Facebook video of the scandal-ridden former IMF chief Dominique Strauss-Kahn.
Yet it appears Apple's fix isn't going to hold, at least not permanently.
Just hours after Apple's update, ZDNet security researcher Ed Bott found a MacDefender variant capable of bypassing Apple's defenses.
The malware, called Mdinstall.pkg, is "specifically formulated to skate past Apple's malware-blocking code," Bott wrote.
Bott tested Mdinstall.pkg on a Mac running Safari, and the malware installed itself without ever asking for an administrator password.
Apple's update also lets the system fetch new malware "definitions" periodically: signatures that describe individual Trojans and viruses so the checker can recognize them when a downloaded file is opened. That is the same signature-based approach commercial anti-virus software for Windows PCs uses, and one would expect Apple to add this new variant to its definitions very soon.
It's not clear how Apple will keep ahead in what may become a drawn-out game of digital whack-a-mole: each definition catches only the variants it describes, and the attackers need only alter their installer to slip past it again. Hopefully the new definitions will reach Macs without requiring a reboot.
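To make the definition mechanism concrete, here is an added Python example (not Apple's File Quarantine code, and not based on any real MacDefender bytes) of a check-on-open scanner driven by two kinds of hypothetical definitions. The sample "downloads" are constructed inline. It shows why a hash-only definition is defeated by a trivially edited variant, while a content pattern still matches, and how a new hash definition has to be added after each variant appears, which is the whack-a-mole the article describes.

```python
import hashlib
import re
from typing import Dict, Optional

# Constructed stand-ins for a known installer, a variant with a one-word
# cosmetic change, and a clean file. None of this is real malware content.
KNOWN_SAMPLE = b"#!/bin/sh\n# MacProtector installer\nopen fake-av.app\n"
VARIANT_SAMPLE = b"#!/bin/sh\n# MacProtector installer v2\nopen fake-av.app\n"
CLEAN_SAMPLE = b"#!/bin/sh\necho hello\n"

# Hypothetical hash-based definitions: exact SHA-256 of a known sample.
HASH_DEFINITIONS: Dict[str, str] = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "OSX.MacDefender.A",
}

# Hypothetical content-based definitions: a byte pattern over the body,
# which survives cosmetic edits to the installer.
PATTERN_DEFINITIONS = [
    (re.compile(rb"MacProtector installer"), "OSX.MacDefender"),
]


def scan_by_hash(data: bytes) -> Optional[str]:
    """Return the definition name if the file's hash is known, else None."""
    return HASH_DEFINITIONS.get(hashlib.sha256(data).hexdigest())


def scan_by_pattern(data: bytes) -> Optional[str]:
    """Return the definition name if any content pattern matches, else None."""
    for pattern, name in PATTERN_DEFINITIONS:
        if pattern.search(data):
            return name
    return None


def check_on_open(data: bytes) -> Dict[str, Optional[str]]:
    """Emulate the check performed when a downloaded file is opened."""
    return {"hash": scan_by_hash(data), "pattern": scan_by_pattern(data)}


def add_hash_definition(data: bytes, name: str) -> str:
    """Push a new hash definition for a variant that evaded the old set."""
    digest = hashlib.sha256(data).hexdigest()
    HASH_DEFINITIONS[digest] = name
    return digest


if __name__ == "__main__":
    print("known  :", check_on_open(KNOWN_SAMPLE))
    print("variant:", check_on_open(VARIANT_SAMPLE))
    print("clean  :", check_on_open(CLEAN_SAMPLE))
    add_hash_definition(VARIANT_SAMPLE, "OSX.MacDefender.B")
    print("variant after update:", check_on_open(VARIANT_SAMPLE))
```

The variant is caught by the pattern rule but not by the hash rule until a new definition is pushed, which is exactly the lag an attacker exploits by releasing a fresh installer hours after each update.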