Apple patches potential malware 'outbreak'


Summary: Apple has quietly released Java patches for OS X after users were left vulnerable to Flashback malware that had security experts so worried they recommended ditching Java.



(The End of an Old Mac image by Michael Coghlan, CC BY-SA 2.0)

Flashback uses a vulnerability in Java to infect computers, but although this vulnerability was known and patched for Windows users in February, Apple has only now released an update for OS X 10.6 and 10.7. While Java is owned by Oracle, which issued the earlier Windows patch, Apple has taken it upon itself to first vet any updates before they are rolled out to Macs, introducing significant delays between when a vulnerability is patched by Oracle and when that same patch is available to OS X users.

The malware authors turned their attention to Macs in early March, with Intego discovering that Mac users visiting certain infected websites were automatically infected. Intego also claims that Flashback was created by the same authors as the MacDefender Trojan.

F-Secure, which has been following and analysing the variants of Flashback, urged users earlier this week, prior to the patch, to disable their Java clients "before this thing really become an outbreak". Yesterday, the Internet Storm Centre advised users that the vulnerability had been rolled into the Blackhole Exploit Kit. Blackhole is an automated tool that finds vulnerabilities in websites and leverages these to attack users that visit the now compromised site.

Rapid7 security researcher and self-confessed Apple "fanboy" Marcus Carey, who works on the exploit tool and database Metasploit, wrote that Mac users were "wide open to exploitation if they are running the Java plug-in in their browsers", because it is so easy to use penetration testing tools like Metasploit to take advantage of the vulnerability.

Carey said that Mac users needed to realise that the notion that Apple products are hacker proof was a myth.

"Ladies and gentlemen, now is the time to pay attention because this myth is being busticated in a major way at the moment".

According to Carey, Apple users account for about 15 per cent of all internet traffic.

While Apple's patch should address Flashback's current method of attack, the ordeal may not yet be over.

Security blogger Brian Krebs said that he had already seen hackers on underground forums exchanging money for exploit code for a yet-to-be-reported critical flaw in Java. If this has not been addressed in the most recent patch and it works its way into the hands of Flashback's authors, it may be a matter of time before history repeats itself.

Mozilla recently released a patch to block older versions of Java from Firefox; however, this has not yet reached OS X users and only provides a workaround for Windows users at the moment. Contributor Kev Needham wrote on Mozilla's Add-Ons Blog that blocking older versions of Java for OS X may be added at a later date.


Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.



  • "Carey said that Mac users needed to realise that the notion that Apple products are hacker proof was a myth."

    What Carey said... And it's only going to go downhill from here.

    Apple really need to stop advertising their machines as "Highly secure by design", because they are not.

    And the claim that "Apple responds quickly to online threats and automatically delivers security updates" is laughable. MS released a Windows patch in February for the problem and Apple have only just released a patch now in April. If Apple thinks that is quick then I would hate to see what they think is slow.
  • love it, great bait, Jingles. I'll bite....

    Apple doesn't say they are "hacker-proof", as for the highly secure by design tag, it also does not say it is impervious, it does state that protection is switched on by default and it considers security important. And as for debunking myths, well, it's obvious that myths are, well, myths.

    Nothing's impervious and Apple is aware it would be stupid to say so. It does offer excellent and detailed guidance to anyone who wants to increase security on their device and the methods to do so are generally easier for non-technical users to try than previously on Windows and *nix.
    • You're not that bright, are you, Einstein? I never said that Apple claimed to be hacker proof, it was Carey that (if we're taking things out of context) said "Apple products are hacker proof", I was quoting someone else.

      Carey was making a generalisation because the general Mac user isn't that intelligent (I know because I talk to enough of them as a computer technician) and they do think that their machines are "hack proof". That's why they buy a Mac, because they think that they don't have to worry about security, viruses, malware, or getting hacked.

      So go back to school and learn how to read, and a bit of context wouldn't go astray either.