Apple too slow to act on Flashback malware

Summary: If Apple doesn't act swiftly and decisively on Flashback, its squeaky-clean image as the malware-free computer platform will quickly become tarnished.


On April 4, Russian antivirus company Dr. Web revealed that over 600,000 Macintosh computers are infected with the Flashback trojan. Apple reacted somewhat slowly, waiting until April 10 to publish support knowledge base article HT5244 ("About Flashback malware"), which states that it is developing software that will detect and remove the Flashback malware.

A recent version of malicious software called Flashback exploits a security flaw in Java in order to install itself on Macs.

Apple released a Java update on April 3, 2012 that fixes the Java security flaw for systems running OS X v10.7 and Mac OS X v10.6. By default, your Mac automatically checks for software updates every week, but you can change that setting in Software Update preferences. You can also run Software Update at any time to manually check for the latest updates.

Apple is developing software that will detect and remove the Flashback malware.

In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network.

The knowledge base article goes on to say that Macs running Mac OS X v10.5 or earlier can be protected from the malware by disabling Java in the web browser's preferences.

Apple doesn't provide a timetable for the release of the disinfectant software but presumably it will come in the form of a Security Update in the coming days or weeks.

The problem is that this is simply too long. Apple should have acknowledged the problem within a day or two, then released a patch within a week. Today marks one full week since the announcement of the Flashback malware and Apple still hasn't released the patch -- which is unacceptable.

Sure, you can update your Java or disable it outright, but non-technical users are unlikely to do this. I know several users that have their Software Update frequency set to "weekly" and many that wait or never install innocuous and generic sounding updates like "Java for Mac OS X 10.6 Update 7."

The problem is that Apple sugarcoats the issue and goes out of its way to hide the fact that "Java Update 7" fixes a serious vulnerability exploited by malware that steals user names and passwords to popular websites by monitoring your browsing habits.

The days of Apple's "security by obscurity" model are over. The company's profile has been raised to the point that it has officially arrived on hackers' radar. Apple's reputation hangs in the balance on how quickly it handles the Flashback (and other) malware, and there's a lot at stake.

If Apple doesn't act swiftly and decisively on Flashback, its squeaky-clean image as the malware-free computer platform will quickly become tarnished, and Macs will be viewed in the same light as the virus-riddled Windows machines that it mocked in its sixth "I'm a Mac" television commercial (circa May 2006, below) -- which would be a shame.

An aside: A total of 66 "I'm a Mac" television commercials were created and run from May 2006 to October 2009. All were directed by Phil Morrison of Epoch Films for TBWA Media Arts Lab.

Update 2012-0413: Apple has released "Java for OS X 2012-003" today which "removes the most common variants of the Flashback malware."

Java for OS X 2012-003 Released - Jason O'Grady

Topics: Security, Apple, Browser, Malware, Telcos

  • "virus/trojan/malware cesspool"

    Oh no you didn't.

    Can we PLEASE get to the end of the article without bias? Windows is not a cesspool. Install a proper antivirus for god's sake.
    • Why

      Antivirus is after the fact for most cases.
      • Antivirus

        would not have stopped flashback. The security firms didn't even know it was out there until over 600,000 machines had already been infected.

    This is a Mac blog for heaven's sake! (But yes, I toned down the vitriol -- before your comment was posted).

    - Jason
    Jason D. O'Grady
    • And it's the vitriol which weakens your credibility.

      "But yes, I toned down the vitriol..."

      I can't take someone seriously if they engage in it.
      • Irony

        "I can't take someone seriously if they engage in it."

        Look in the mirror much?
  • This is only the beginning...

    Do you think the hackers will stop after exploiting one zero-day vulnerability? No, they will move on to vulnerabilities in Safari, iPhoto, QuickTime etc.

    The genie is out of the bottle and hackers know there is money to be made in OSX hacking. The game is afoot and only vigilance and education of the user base will help to protect them.
    • Really?

      So, the Macintosh has existed for how many years? OS X is over a decade old.

      You claim, that those hackers just woke up to discover they can break into Macs?

      In reality, any hacker would love to break into Macs, if they could. This hasn't been easy, ever. It will become more difficult when Apple turn yet more knobs that already exist in OS X (for years) to make the hacker's job more difficult.

      So yes, hackers will never stop trying. Sometimes they will succeed. The ethereal weapon and armor dilemma.
      • They're gonna lock it down even more

        Eventually OSX (or its replacement) will use package repositories the way Linux has been using for years.
      • I remember things....

        Those of us with a memory longer than a goldfish know that the first big outbreak of computer viruses was in the late 80's, and most of the viruses were for the Mac. In 1990 it was estimated that there were more than 3,000 active Mac viruses, including the infamous 'Stoned' (which would brick a computer and display a picture of a pot leaf and the message 'Your Computer is Stoned') virus and the trumped up 'Michelangelo' virus. Attacks on the Mac slowed down only after Windows 3.0 when the MS platform became the 'standard' computer used by most people.

        I'll grant there hasn't been a problem with OS X....yet. But the reason for the lack of attacks was never that attacking OS X was difficult. In fact in many ways attacking OS X is far easier than attacking Windows 7.
        This 'Flashback' trojan is not even a particularly sophisticated attack, it is more sophisticated than the Mac Defender attack from last year, but it is still a rather pedestrian attack. If such a comparatively weak attack is able to do such damage, how much damage would a genuinely sophisticated attack do?
        Doctor Demento
      • Yes, really

        Another Mac fanboy who mistakenly believes that Mac OS is somehow more secure than others. The fact is that it's not; in every hacking competition Macs are taken down easily.

        It's called security through obscurity, Macs weren't worth the effort to hack because the numbers were so small. But since the numbers are rising, the hackers are waking up.
      • Dream on.

        Look at things seriously from the converse.

        OSX has been around for ten years, Apple has had a decade to perfect it, knowing full well there could easily come a day when hackers would look toward Macs as a target.

        First good whack the hackers took scored 600,000 machines. A very good count for the first serious shot, although there have been some less serious in the past.

        Get into the real life. Macs just got hacked in record numbers and it's not going to go away.
  • Sigh...

    ...Macs and all Unixen are immune to viruses, not Trojan Horses. No one has ever said they were immune to worms or Trojans. Then again, I just had another reload of my entire Windows operating system last night, called a patch. One Trojan isn't so bad. It got in the same way as the one UNIX worm, through a documented "we should fix this soon" hole.
    Tony Burzio
    • Semantics

      Trojans/Viruses it's just semantics. This is malware plain and simple.
      What will it take for the Mac community to wake up?
      Do they want to wait for the hackers to exploit a hole in a service such as Bonjour/File sharing etc.?
      Will they only acknowledge they are at risk when rootkits are developed?

      The hackers are working on this as I type. It's only a matter of time.
      By the way I patch all of my Win7 systems religiously. It's a cat and mouse game with the hackers.
      • Malware

        I totally agree. I think it is time that everybody stopped making the semantic distinction between what sort of malware it is. Malware is malware, if you have it, you have a problem!

        Shouting "it isn't a virus!" doesn't help those people who are infected or change the fact that Apple were caught napping at the wheel.
      • Interestingly enough . . .

        "Will they only acknowledge they are at risk when rootkits are developed?"

        Interestingly enough, "rootkit" refers to UNIX, as the "root" is the account with all of the privileges.

        Malware of various types has been around for a long, long time for nearly every platform. Harping on only a single type is indeed counterproductive, and won't make Flashback any less dangerous.

        Indeed, going through McAfee's list of recent malware - all of the recent viruses are labelled as "Minimal Risk." In fact, that's how they're labelling most threats these days. Symantec also shows that most risks are low right now.

        Truth be known, a fully patched PC (with fully patched software) is likely to be as invulnerable to threats as any Mac. I haven't had malware on my system for years.
      • Critical difference; it is wrong when Jason uses words like "infection",

        @jatbains: ... because this thing is not a virus and it can not spread itself among users. If someone was clueless enough to not know that Flash updates itself automatically (though it does it very visibly) and clueless enough to not understand that Adobe Flash updates should come from Adobe's site and thus follow a link to some weird site with "Flash update", then such a person will get the malware.

        Under no other variant could people get the trojan, no matter whether they have even patched Java or not.

        So this distinction between viruses and trojans is still quite important.
      • @CobraA1 ... you mean

        like the fully patched W7 machine, running the latest, most secure version of Google Chrome (at that point), that was hacked in short time just prior to Pwn2Own, as a demonstration by the contestants?

        " ... Truth be known, a fully patched PC (with fully patched software) is likely to be as invulnerable to threats as any Mac. I haven't had malware on my system for years. "

        Whoopee for you! ... just don't fall into the trap of citing an anecdotal case as somehow being indicative of the experiences of the wider user base, in general.

        ... but I'm sure you knew that and would never do such a thing.
      • Somehow having your money stolen by a trojan is not nearly as bad... having it stolen by a virus. At least that's the inference I get from these pedantic "It's not a virus but a trojan" defenses.
      • Why are Pwn2Own results acceptable for Windows but not OS X?


        "like the fully patched W7 machine, running the latest, most secure version of Google Chrome (at that point), that was hacked in short time just prior to Pwn2Own"

        When Windows advocates mention OS X was compromised at Pwn2Own the Mac faithful dismiss it as "theoretical" and couldn't happen in the real world.