Is Apple ready to play cat and mouse with malware developers?
The Security Update 2011-003 that Apple released on Tuesday directly addressed the Mac Defender malware threat in two ways: it changed the way malware files are detected by enabling automatic daily updates, and it included code to remove at least two of the malware's variants. Despite this, within about eight hours malware developers had a version available that skirts past Apple's protections. Apple's patch suggests it plans on being more active in addressing possible malware threats, but is Apple ready to take on the role formerly limited to vendors like Norton, Intego, and Sophos?
We'll try to answer that question by first detailing what specific malware protections exist in Mac OS X, and what changes Apple implemented in the latest security update. Then we'll consider how Apple may plan to take over malware protection for its platform.
Apple first introduced the File Quarantine system in Mac OS X 10.5 Leopard. That system would tag files that were downloaded from the Internet and not known to be safe with a small bit of "quarantine" metadata, including a flag that it might not be a "safe" file, where it was downloaded from, and the time it was downloaded. When a user attempted to open a file with quarantine metadata, the system would warn the user to make sure the file was safe before opening.
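As an added, defender-side illustration that is not code from the article or from Apple: a small Python helper that decodes the `com.apple.quarantine` extended attribute File Quarantine attaches to downloads, assuming the four-field layout described in the comments; the file paths and attribute values are constructed samples.

```python
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int             # raw flag bits; individual bit meanings are not decoded here
    downloaded_at: datetime
    agent: str             # application that performed the download, e.g. Safari
    event_id: str          # identifier linking the file to the download event record


def parse_quarantine(value: str) -> QuarantineInfo:
    """Decode a quarantine attribute value.

    Assumed layout (four ';'-separated fields): flags in hex, download time as
    hex seconds since the Unix epoch, downloading application, event identifier.
    """
    parts = value.strip().split(";")
    if len(parts) < 4:
        raise ValueError(f"unexpected quarantine attribute: {value!r}")
    when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    return QuarantineInfo(int(parts[0], 16), when, parts[2], ";".join(parts[3:]))


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Read the attribute from a real file with the macOS xattr tool.

    Returns None when the file has no quarantine metadata or the tool is absent.
    """
    try:
        proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                              capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_quarantine(proc.stdout)


def recent_downloads(attrs: Dict[str, str], now: datetime, max_age_hours: float = 24) -> List[str]:
    """Triage helper: paths whose quarantine timestamp lies within max_age_hours of now."""
    limit = max_age_hours * 3600
    hits = [p for p, v in attrs.items()
            if 0 <= (now - parse_quarantine(v).downloaded_at).total_seconds() <= limit]
    return sorted(hits)


# Constructed sample data (not taken from a real system).
SAMPLE_ATTRS = {
    "/Users/demo/Downloads/installer.zip": "0081;4de0e1c0;Safari;00000000-0000-0000-0000-000000000001",
    "/Users/demo/Downloads/old-report.pdf": "0081;4d0c0000;Mail;00000000-0000-0000-0000-000000000002",
}
DEMO_NOW = datetime(2011, 5, 29, tzinfo=timezone.utc)

if __name__ == "__main__":
    for path in recent_downloads(SAMPLE_ATTRS, DEMO_NOW):
        info = parse_quarantine(SAMPLE_ATTRS[path])
        print(f"{path}: downloaded {info.downloaded_at:%Y-%m-%d %H:%M} UTC via {info.agent}")
```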