Flashback malware exposes big gaps in Apple security response

Summary:A pair of high-profile malware attacks have given Apple a crash course in security response. Based on recent actions, 70 million current Mac owners have a right to expect much more from Apple than they’re getting today.

In one of those great ironies of technology, an increased incidence of malware is a sign that your product has been a success in the market.

Apple’s been astonishingly successful with its Mac hardware in recent years. The dark side of that success is the attention they’ve begun to attract from online criminals.

Apple and its customers got a hint of what was in store with last year’s Mac Defender outbreak. This year, a much larger and more disturbing outbreak has infected more than 600,000 Macs with a piece of malware called Flashback.The entire Flashback episode has in fact exposed Apple’s security weak spots.

Eugene Kaspersky last week argued that Apple is “ten years behind Microsoft in terms of security.”

Those aren’t just self-serving statements from a company that sells security software. Kaspersky’s argument didn't even mention antivirus solutions. Instead, he said, Apple’s security efforts have been slow, reactive, and generally ineffective:

We now expect to see more and more because cyber criminals learn from success and this was the first successful one. [Apple] will understand very soon that they have the same problems Microsoft had ten or 12 years ago. They will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software. That’s what Microsoft did in the past after so many incidents like Blaster and the more complicated worms that infected millions of computers in a short time. They had to do a lot of work to check the code to find mistakes and vulnerabilities. Now it’s time for Apple [to do that].

Let’s be clear: Both Microsoft and Apple are victims of organized crime in all of these attacks, and they’re in the unenviable position of having to fight legal battles and make substantial engineering investments on behalf of their customers. It is, unfortunately, a cost of doing business.

See also:

All complex software has vulnerabilities, even when it’s written with the most disciplined processes. Bad guys make a lucrative business out of finding those vulnerabilities and writing exploits for them. Eliminating malware completely is a pipe dream, especially on relatively open platforms like Windows and OS X. No one seriously believes it’s possible to eliminate street crime, either, but effective policing and attention to the underlying causes of crime can significantly reduce rates.

A lot of what Apple is learning about security today will show up in future editions of OS X and iOS, as the company presumably gets smarter about writing code. But what about the 60 or 70 million current Mac owners?

They have a right to expect much more of a security response from Apple than they’re getting now. As an Apple customer myself, I believe Apple deserves four key criticisms of its current approach to security.

1. Apple is too slow to deliver updates

When the size of this incident first became apparent, I wrote:

What makes this outbreak especially chilling is that the owners of infected Macs didn’t have to fall for social engineering, give away their administrative password, or do something stupid. … The Flashback malware in its current incarnation does not use an installer. It does not require that the user enter a password or click OK in a dialog box. It is a drive-by download that installs itself silently and with absolutely no user action required, and it is triggered by the simple act of viewing a website using a Mac on which Java is installed.

Apple brags that it is quick to respond to security issues. Here, for example, is what you see if you visit Apple's "Why you'll love a Mac" page:

Unfortunately, that bold statement is contradicted by the facts.

Apple's update that fixed the Java security hole was released April 3, 2012. That’s 49 days after Oracle released Java SE 6 Update 31 for all other platforms. During that seven-week period, every Apple customer who had Java installed (and that includes every Mac owner running Leopard and Snow Leopard)  was vulnerable to a silent installation of malware. Ultimately, Apple had to release an update that fixed the security hole and removed the malware already installed on its customers' Macs.

That long gap in Apple's response is not unusual, as independent security expert Brian Krebs has pointed out:

Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple’s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun.

Apple’s performance in recent years has been much better in terms of Java updates, but still slow. Oracle has released six security-related updates to Java SE 6 in the past two years. In five of those six updates, it took Apple at least three additional weeks to release its version of the update. Two of Apple's updates arrived more than 30 days later than those available to other platforms.

So what happens when the next Java vulnerability is discovered and patched by Oracle? How long will Mac users have to wait for their updates? Or, to put it another way, how much of a window of opportunity will malware authors have to attack Macs?

Page 2: Update hassles and abandoned Macs -->

Topics: Security, Apple, Hardware, Open Source


Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications. He has served as editor of the U.S. edition of PC Computing and managing editor of PC World; both publications had monthly paid circulation in excess of 1 million during his tenure. He is the a... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.