Network News

X My Profile
View More Activity

Patches for Macs, and Advice for Mac Users

Apple last week released Mac OS X 10.6.1, the first security update for Snow Leopard users. Cupertino also issued a bundle of updates to fix more than 30 security flaws in its 10.4 and 10.5 OS X and OS X Server systems.

Snow Leopard shipped with an outdated and insecure version of the Adobe Flash Player. The 10.6.1 update fixes that, patching at least nine vulnerabilities in Flash, and bringing the Snow Leopard Flash plug-in up to date with the current version.

The Tiger and Leopard security bundles also include the Flash update, along with security fixes for components like ColorSync and CoreGraphics.

The updates are available through Software Update or via Apple Downloads.

One final note: Over the weekend, a number of Security Fix readers who are also Mac users wrote in to ask for advice after being peppered with rogue anti-virus pop-ups. The readers complained they received the bogus alerts while browsing The New York Times' Web site.

The Times published a brief acknowledgment of this problem today, saying the company believes this was generated by an unauthorized advertisement, and that it is working to prevent the problem from recurring." According to the dozens of posts about this on Apple's support forum, it seems that many Mac users believe these rogue anti-virus attacks pose some kind of threat to them. The short answer is that at this point, they do not.

Not long ago, I wrote a column called What To Do When Scareware Strikes. The basic advice in that column applies to both Windows and Mac users.

In short, if you're a Mac user and you see one of these rogue anti-virus pop-ups, remain calm, close out your browser, and restart it. If the attacking site manages to download a ".exe" file to your Mac, just toss it in the trash.

Most Mac users probably are savvy enough to know that Windows executable files (those ending in ".exe") cannot run or be launched in Mac OS X systems. So far, none of the rogue anti-virus threats that I have seen try to drop the equivalent ".dmg" installer files when users merely browse the site. There are, however, threats like DNSChanger, that disguise themselves as legitimate video plug-ins for the browser and try to download ".dmg" files. But even then the user will know something is awry because the installer will prompt the user to enter her password before installing.

By Brian Krebs  |  September 13, 2009; 10:25 PM ET
Categories:  Latest Warnings , New Patches , Safety Tips  | Tags: apple, flash, mac, rogue anti-virus  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Clamping Down on the 'Clampi' Trojan
Next: Cyber Crooks Target Public & Private Schools


I picked up this scareware at the NYT early Saturday morning. After quickly closing down my Opera browser (I recalled your earlier suggestions), I ran SuperAntiSpyware and my PC immediately re-booted. Running SAS again found nothing, and since then I have seen nothing odd.

The bad site appeared to be

I did not see the NYT warnings until late on Sunday.

Posted by: Bartolo1 | September 14, 2009 7:17 AM | Report abuse

I started getting the Personal Antivirus pop-up window shortly after installing Snow Leopard and twice, even though clicking Cancel, it downloaded a pre-install .exe file a couple of times each time it came up. Talked to Apple Care tech about slow mouse when Time Machine backs up via bluetooth on Time Capsule and noted the mouse is even slower at backup than in Leopard. No fix was available so I asked about the virus scam that had Windows colors and got the recommended Intego X5. Now Adobe flash is disabled and when on the NYTimes site I get constant orange notices that the program has stopped an attempt to use flash. So far no response from Intego, although I just sent my request last night.

When I try to play a Quick Time movie I am alerted that it needs to be installed even though the icon is in the dock, it doesn't respond. How do I get Quick Time and Adobe Flash back?

Posted by: clathey | September 14, 2009 7:44 AM | Report abuse

P.S.: I had already downloaded 10.6.1. Can I just reinstall and re-update?

Posted by: clathey | September 14, 2009 7:46 AM | Report abuse

Good to see I'm not alone... I had a simultaneous crash of my home PC and work MacBook Pro. The Mac video card fizzled when I downloaded the last OS 10.5.8 security update. Fortunately it's under warranty but I had to get a new motherboard. I think I'll wait before loading Snow Leopard.

On my PC I got inundated with fake anti-spyware and eventually just reinstalled Windows XP. Ugh.

Posted by: ElrodinTennessee | September 14, 2009 9:00 AM | Report abuse

I had a massive infestation in the last week and couldn't open any executable file. Here was my workaround, and it fixed a colleague's computer too:

1) Right-click on Firefox, select Run As, and then unclick the box that says Protect My Computer From Unauthorized Activity. This will allow you to open the browser again.
2) Go the Malwarebytes site above and download the program.
3) Re-name the mbam setup.exe to This will allow you to install the program without running it as an executable.
4) Run the Malwarebytes program. It should uncover and remove the problem.
5) Run executable files again.

Posted by: ElrodinTennessee | September 14, 2009 9:11 AM | Report abuse

I wonder how these virus es interact with VMWare/Parallels on the Mac?

Posted by: wiredog | September 14, 2009 9:47 AM | Report abuse

Saturday, running IE on my PC, when I tried to open a story in NYTimes, I got both an AVG virus alert and an IE "cannot display this page" message. Closed IE, ran AVG scan that showed no viruses on computer. Despite all the complaints here about AVG, it apparently is doing its job.

Thanks to you, Brian, I know now what was happening.

Posted by: JBV1 | September 14, 2009 4:26 PM | Report abuse

I tripped over those scareware warnings a couple of times running Firefox on WinXP. When the scareware prompt came up (and after I got over the shock that this was coming from a NYTimes page), I closed Firefox and ran a malwarebytes scan. Nothing detected, so hopefully all is well. But I'm still waiting for a detailed explanation from the NYTimes. More importantly, I'd like them to offer a convincing explanation of how this will never happen again.

Posted by: jimdouglas | September 14, 2009 6:42 PM | Report abuse

@ jimdouglas: The NYTimes did try to explain, but angry posters would not listen. Expecting them to promise that it will never happen again sounds a bit unrealistic:

Posted by: JBV1 | September 14, 2009 7:02 PM | Report abuse

I'm not sure that "we [...] have taken steps" constitutes a convincing argument. Yes, I understand that describing those steps in detail can help the next bad guy devise a plan for circumventing them. But still, their explanation at this point amounts to "trust us."

Posted by: jimdouglas | September 14, 2009 7:20 PM | Report abuse

Interestingly, I got the fake anti-virus message while viewing the NYT with Chromium on Kubuntu linux. The amusing part was that the invader displayed a fake Windows XP-style page in a new tab -- with the claim that I was watching the nastyware "fix" my system. Oops. Maybe next time they'll use a graphic that actually matches their intended victim's OS (along with a file that will open on that user's computer). At any rate, I just clicked off the browser and restarted it--no more problem.

Posted by: idealist61 | September 14, 2009 9:46 PM | Report abuse

My only complaint with Snow Leopard is now I can't sync my iTunes to my iPod, and can't seem to work around it, even after taking out the iTunes and reinstalling it, and resetting the iPod. It's somewhat annoying, because I have to now take it to the Apple store where I live and get it fixed. What happened here? If someone has any insight as to what may have happened, please let me know; I would greatly appreciate it.

Posted by: jsdoodlerex | September 15, 2009 8:36 AM | Report abuse

Here I am on an old G4 MAC running the up to date TIGER OS. Leopard would not install on this old timer even though the G4 microprocessor has been upgraded.

So we buy online 2 tickets to Cape Cod on Peter Pan bus line out of NYC and download what is supposed to be a PDF file with the e tickets, one for me one for my wife.

The file name ended in the following: ".pdf.exe"

Noticing only the expected ".pdf" portion, I double clicked the icon. Up came Virtual PC 6!!!

I've been using this to run Lotus 123 (version 9.8 now) cause I have all these old Lotus 123 spreadsheets developed years ago.

So inside Virtual PC, up came Windows XP (also up to date current version), and, in this, up came an old version of Adobe Acrobat Reader. Nothing else though. That was it.

To satisfy my curiosity, I did try to copy / paste the downloaded ".pdf.exe" file into Windows XP from TIGER, but this did not take.

So back to TIGER and the downloaded ".pdf.exe" file: I renamed this file simply stripping off the ".exe"

When double clicked, Adobe Acrobat came up, displaying the pdf with the tickets. These were printed, given to the bus driver the next day and we we were off to Providence RI, then on to Barnstable MA. My sister-in-law met the bus and drove to her place in Dennis.

The following day we visited the Marconi Site where only one of four great towers has left any trace. This relic should be seen by all before the sea washes it away. Not far is another relic of transatlantic communication: The French Cable Company station in Orleans.

The Museum of Natural History in Brewster and the Edward Gorey House in Yarmouth Port were special treats as well.

Best to all,


Posted by: tomwentom | September 17, 2009 2:42 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company