Mac Flashback Attack Shows Apple's Security Weaknesses
The number of Macs infected with the Flashback malware might be abating, but the damage to Apple's reputation within the security community could take longer to fix.
The company was criticized for being slow to offer the patch to fix the flaws in Java that made the Macs vulnerable, and even slower to offer a tool to detect and remove the Flashback malware once it was learned that the exploit had compromised as many as 600,000 Macs worldwide. In addition, Apple was seen as being uncooperative with experts in the security community, including the small Russian antivirus vendor that first detected the extent of the Flashback infections.
The incident also shook the reputation of Apple products as being relatively invulnerable to malware and other malicious code. And security experts warned that, as the popularity of Apple Internet-connected devices (not only Macs, but also iPads, iPhones and iPods) continues to grow, so will interest from scammers.
"This latest wave of infections is a wake-up call to Mac users that their system is not immune to threats," Mike Geide, senior security researcher at Zscaler ThreatLabZ, said in an email after Apple released a patch to fix the flaw in Java on April 3. "And the need to follow best security practices, such as remaining current with patches, is ubiquitous; it doesn't matter if you're using Windows, Mac or even [a] mobile phone."
But it was the large number of Mac infections by the Flashback malware that made it stand out. The 600,000-plus didn't look like much when compared with the millions of Windows PCs that have been hit by malware in the past, but it also came out of a much smaller pool, and represented more than 1 percent of Macs in use worldwide.
"So one in 100 Macs is infected," researchers at Apple security software vendor Intego wrote in an April 7 blog post. "It's clear that we are faced with an unprecedented attack of Mac malware."
The Number of Macs Infected Dropped Precipitously
In an April 11 blog post, officials with security software maker Symantec said that the number of infections worldwide had dropped to 270,000.
It also illustrated perceived shortcomings in Apple's response. The flaw itself was not in the Mac hardware, but in Java that users had downloaded onto their Macs. Oracle had patched Windows PCs weeks earlier, but Apple, which doesn't let third parties update Apple systems, didn't send out the patch until April 3, about the same time Doctor Web and, soon after, Kaspersky Lab found that more than 600,000 Macs had become infected.
Flashback was first detected last year, running as a classic Trojan by masquerading as an update to Adobe Flash. However, new variants discovered in March showed it had evolved into a drive-by exploit, infecting the systems of Mac users who surfed to a compromised or malicious Website.
Within days, a host of security software vendors, including Kaspersky, Intego and F-Secure, began rolling out free tools designed to detect and remove the Flashback malware. Meanwhile, Apple officials on April 10 broke their silence, saying their engineers were working on a similar tool, which was released two days later. When F-Secure released its own tool on April 11, Chief Research Officer Mikko Hypponen criticized Apple's slow response to Flashback as inadequate.
"Apple has announced that it's working on a fix for the malware, but has given no schedule for it," Hypponen wrote in a post on the company's blog on April 11. "Quite surprisingly, Apple hasn't added detection for Flashback (by far the most widespread OS X malware ever) to the built-in XProtect OS X antivirus tool. Also note that Apple has not provided a patch for the Java vulnerability used by Flashback for OS X v10.5 (or earlier)."
Security Professionals Continue to Be Critical of Apple
Other security professionals also criticized Apple. In an April 13 post on Sophos' Naked Security blog, Paul Ducklin, the company's head of technology for the Asia-Pacific region, took issue with the lack of information from Apple about its removal tool.
"I'd love to tell you more about the Flashback remover supplied by Apple, but I'm afraid I don't know how," Ducklin wrote. "There's no documentation about it; there's no information about how to run it by hand in the future, or how it works, or what variants of the malware it finds; and, at least on my uninfected 10.6 computer, it didn't give any visual indication that it had run at all. (Three words for Apple about security bulletins: promptness, clarity and openness.)"
Some also suggested Apple needs to learn how to work better with the security community, particularly given that the number of attacks on Apple products is expected to increase. Boris Sharov, Dr. Web's CEO, told Forbes.com that not only did Apple never contact him after he gave them the information he had about the Flashback malware, but that at one point Apple asked a Russian registrar to shut down a domain that Dr. Web had set up and was using in a sinkhole operation to monitor the malware and lessen its impact. Sharov said he thought it was an honest mistake, but that it illustrated how Apple needs to improve how it relates to outside security experts.
"They told the registrar this [domain] is involved in a malicious scheme. Which would be true if we weren't the ones controlling it and not doing any harm to users," Sharov told Forbes. "This seems to mean that Apple is not considering our work as a help. It's just annoying them."
If the security experts are correct, Apple will have plenty of chances in the future to interact with the security community. In an April 9 post on Kaspersky's SecureList blog, security expert Costin Raiu said cyber-criminals will continue to target Apple systems.
"At the beginning of 2012, we predicted an increase in the number of attacks on Mac OS X which take advantage of zero-day or unpatched vulnerabilities," Raiu wrote. "This is a normal development, which happens on any other platform with enough market share to guarantee a return on investment for virus writers, so Mac OS X fans shouldn't be disappointed because of this. During the next few months, we are probably going to see more attacks of this kind, which focus on exploiting two main things: outdated software and the users' lack of awareness."