As promised, Apple has released a security update to protect users from the Mac Defender 'scareware' that has been targeting Mac OS X since last month. The patch, available for download as Security Update 2011-003, will update the File Quarantine feature in Mac OS X 10.5 and 10.6 to block the offending malware, and upon installation it will also scan systems for previous infections. If known malware is found, users will get a warning message advising them to delete the file.
The File Quarantine feature has been available for a while, but it only gets new definitions occasionally, through OS updates and security updates, whenever a virus threat is detected. With this latest update, however, Apple is introducing a background process that will check daily for updates to the File Quarantine malware definition list.
This new feature is enabled by default but is only available for users of Mac OS X 10.6.7. Users of OS X 10.5 "Leopard" or 10.4 "Tiger" will not get the automatic updates, as the feature uses a software framework called XProtect that is only implemented in Snow Leopard. Furthermore, those who would rather opt out of running this background process can do so by unchecking the "Automatically update safe downloads list" option in Security Preferences.
The scam in question targets Mac users via SEO poisoning attacks linked to a phony online antivirus scanner, which dupes users into thinking their machine is infected and automatically starts downloading an antivirus 'solution.' The design and content of Mac Defender made it seem like a genuine antivirus program, but it was still up to users to download and install it, and then enter their credit card number to "clean" their computers.
Apple faced some criticism recently for the way it allegedly handled support calls from customers duped into installing the fake antivirus. The company later acknowledged the issue and posted details on how to identify and remove Mac Defender, and with the latest update it seems they're taking a more proactive approach going forward.