Quick protection for older Macs from the Flashback trojan

Summary: Most modern Macs have Java installed, so they could be vulnerable to the Flashback. While Apple posted a security fix for Mac OS X Lion and Mac OS X Snow Leopard, there are many millions of Macs running older software. Still there's an easy way to prevent a Java drive-by attack, besides pulling the plug.

Apple last week sent out the Java for OS X Lion 2012-002 and Java for Mac OS X 10.6 Update 7 fixes in Software Update for the Flashback trojan.

There are reports that some 600K Macs have been infected, perhaps by some estimates 1 percent of the installed base of Macs. As I mentioned in a post last week, Mac OS X Lion and Snow Leopard are running on the majority of Macs. Still, Mac OS X Leopard and Tiger may be running on a quarter of Macs in the world.

Most likely your machines are not infected. Before I installed the Apple updates, I checked my machines using the Terminal-based check published on the F-Secure website; it is the first step of their manual removal instructions.
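The F-Secure Terminal check the article refers to looks at the two places Flashback used to get its library loaded into the browser: the LSEnvironment dictionary of the browser's Info.plist and the per-user ~/.MacOSX/environment.plist, searching both for DYLD_INSERT_LIBRARIES. The script below is an added example, not the article's or F-Secure's own code; it performs the same check on parsed plist data, with constructed sample plists (the injected library path is a placeholder) so it can be run offline, and `check_mac` applies it to a real system.

```python
import os
import plistlib

# Added example. Indicators assumed from F-Secure's published Flashback removal steps:
# DYLD_INSERT_LIBRARIES under LSEnvironment in a browser's Info.plist, or in the
# user's ~/.MacOSX/environment.plist. Either one means a library is being injected
# into every launch of that program, which is what the trojan relied on.

def find_injected_libraries(info_plist, user_env_plist=None):
    """Return [(location, library_path), ...]; an empty list means nothing was found."""
    findings = []
    app_env = plistlib.loads(info_plist).get("LSEnvironment", {})
    for path in app_env.get("DYLD_INSERT_LIBRARIES", "").split(":"):
        if path:
            findings.append(("Info.plist LSEnvironment", path))
    if user_env_plist is not None:
        user_env = plistlib.loads(user_env_plist)
        for path in user_env.get("DYLD_INSERT_LIBRARIES", "").split(":"):
            if path:
                findings.append(("~/.MacOSX/environment.plist", path))
    return findings

def check_mac(app="/Applications/Safari.app", home=os.path.expanduser("~")):
    """Run the check against a real Mac; a missing file counts as clean."""
    def read(p):
        return open(p, "rb").read() if os.path.exists(p) else None
    info = read(os.path.join(app, "Contents", "Info.plist"))
    env = read(os.path.join(home, ".MacOSX", "environment.plist"))
    return find_injected_libraries(info, env) if info is not None else []

# Constructed sample plists (not real malware artefacts): a clean Info.plist and one
# with a library injected under a placeholder path.
CLEAN_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>"""

INFECTED_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key><string>/Users/Shared/.PLACEHOLDER.so</string>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_INFO), ("infected", INFECTED_INFO)):
        print(label, find_injected_libraries(data) or "no injected libraries found")
```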

For older machines running pre-Snow Leopard OSes that Apple has not updated, infection is possible but not certain. To be safe, you can either disable Java in your web browser (in Safari it's a Security preference), or turn it off altogether using the Java Preferences application, which can be found in the Utilities folder in Applications. Note that some software depends on Java; I understand that the Mac client for CrashPlan Pro requires it.

In his excellent rundown on the Flashback trojan at Macworld, analyst Rich Mogull of TidBits and Securosis offered this analysis.

Drive-by attacks rely on vulnerabilities in Web browsers and other software—such as email and RSS readers—that view webpages. It’s not enough to run vulnerable software; that software needs to be exploitable, meaning it allows an attack to extend its tendrils into your system. Apple has been introducing a series of technologies—tools like Address Space Layout Randomization (ASLR), sandboxing, and DEP—to reduce the chances of exploitation even when a Mac is vulnerable and to limit the potential damage of an attack. But these technologies aren’t perfect, especially when complex programs that run Web content like Java or Adobe Flash are involved.

Apple clearly needs to start patching software that’s known to be vulnerable more quickly. After the success of Flashback, we can only assume the bad guys will move more quickly the next time they are given this window of opportunity. Cupertino should consider further sandboxing Safari. It should also explore the possibility of sandboxing Flash and Java independently; if the latter isn’t technically feasible, the company should work more directly with the vendors of those technologies to develop sandboxed Mac versions. Adobe recently added more-extensive sandboxing to Acrobat on Windows, and that has reduced the effectiveness of attacks.

The primary reason that there have been few malware attacks on the Mac platform is because most computers in the world run Windows. Sadly, that shield is weakening. However, I also believe that most casual hackers who use the Mac haven't wanted to hurt their platform of choice. People like the Mac, even virus writers. And the number of infected Macs is low compared with Windows.

Still, Flashback is a piece of commercial malware written by organized crime. For enough money, it appears now that even a Mac developer will write a trojan. Sigh.

Topics: Open Source, Apple, Hardware, Operating Systems, Security, Software

Talkback

34 comments
  • Quick protection

    Kudos to Apple for getting patches out to third party software.
    daikon
    • Especially a long time after Apple said they would not compile and patch it,

      ... and yet they still do it since Sun/Oracle is not taking responsibility yet.

      One of the best ways of protection is to know that Flash autoupdates itself, so when you are offered a "Flash update" while browsing, this is obviously fake. And even if you somehow do not know that Flash autoupdates itself, you just need to know that updates should be placed on the sites of the software producer -- like, this time, on Adobe's site, not on any weird site.
      DDERSSS
      • Adobe?

        What does Flash or Adobe have to do with anything? Totally different company and totally different platform.
        cougarrat
    • quick?

      RDF much?
      They were sitting on this security exploit for 6 months. It was and has always been Apple themselves who distribute Java, so it was Apple's problem.

      I know they said they don't support Java anymore, but the fact that they sat on this exploit that could compromise the system for so long shows how they don't care about security.
      Samic
      • I see the truth upsets people

        After all, what Samic said is true - Apple distributes their own Java. Don't believe me? Don't take my word for it, go to www.java.com, click on downloads, click on manual downloads, and look for the Mac section. It says something to the effect that the Mac version is available from Apple. Java.com has NO links for a Mac version of Java.
        NonFanboy
      • Try knowing what you are talking about before posting

        @Samic and the FanBoy
        Seriously, quit posting if you don't know what you are babbling about. Apple DID release their own Java, because their version was far more complicated and interconnected. They have however, shelved this effort, and given control back to Sun/Oracle, as of Jan, 2011. But Oracle has sat on it (not Apple) so Apple has been forced to continue development efforts while Oracle gets their act together.

        This is common knowledge people.
        .DeusExMachina.
    • Hardly...

      They were amazingly slow - hence the infections. Oh, fast once there was a problem? Okay, this is a new definition of "Quick protection" I wasn't previously aware of. [sarkmark]
      jeremychappell
  • The Mac User...

    has to install and enable Java in Lion....it is not supplied with that OS version.
    Brich
    • If you upgraded from a previous version of OS X it's installed.

      You must have done a clean install or purchased a new Mac with Lion pre-installed.
      ye
  • We need to rethink punishment for malware authors...

    I'd recommend the death penalty, but America can't seem to enforce that ultimate penalty with sufficient accuracy. Most of the rest of the world now believes that penalty too barbaric, never mind the millions they butchered in the past because offenders didn't believe in Allah or Christ.

    How about requiring malware authors to reverse engineer Microsoft Word using only FORTRAN in order to earn their release? Or maybe LISP (using 140 trillion parentheses should teach them a lesson).

    We need to think outside the box here because malware is getting extremely expensive to society -- and as our dependence on computers and smartphones increases each and every day, it is getting dangerous too.
    davidlfoster
    • You recommend the death penalty???

      Well. I really hope you're kidding.

      Did you put any thought into that comment? How many people have a son, daughter, niece or nephew that, for example, could get caught up in a hacking scheme with some less than scrupulous individuals at some point in the future?

      I would love to see you clamoring for the death penalty then.

      It's always the same thing with the law and order types. Trust me, I know.

      They always scream for the harshest of penalties when they figure they and their loved ones are only on the receiving end of crime. But alas; as soon as they or someone they care about steps over the line and the law enforcement have cuffed them up and have them in front of the court on serious charges, it all changes, and not sometimes, all the time.

      It's, "Why are they taking this so seriously???"
      It's, "Why aren't the police out catching real criminals???"
      It's, "I might as well have killed someone the way they are coming after me!!"
      It's, "This whole thing has already ruined my entire life, isn't that enough for them???"

      It's always the same. Everyone wants the death penalty for everything until they or someone they love get caught up in something bad, then they figure a ticket for vehicular manslaughter should suffice. How about that reduced charge I always hear about people getting?

      And what about the families of people who are murdered?? Do we simply say to them, hey, your loss is the same as having a pile of computers hacked? What kind of society breeds a human being that so easily bandies about the taking of another person's life where the accused hasn't even been alleged to have done anything so serious?

      Sure, malware is getting expensive to cope with, and no doubt it will get more costly as time goes on. But keep one very important thing in mind: law enforcement and the courts are manned by humans, and sadly humans tend to very seldom get anything just quite right. I shouldn't have to even spell that out, given the many well known historical court cases that the public clearly believe went wrong.

      Always keep in mind, the death penalty is a very permanent solution. Most penalties can be difficult to undo; the death penalty, up to this point in time, has denied any possibility to reverse it once carried out. How is it that someone cannot see that once you are prepared to go as far as the death penalty there is a whole universe of options available that are far, far more beneficial to society, cost a lot less and are more effective?

      Just look at what California has recently discovered after their long experiment with the death penalty. One should really be asking if there are better choices in any case.
      Cayble
      • Ummm ... It's called "sarcasm"

        But really, LISP would be a fate worse than death, so I'll grant you that that's a little harsh. ;-)
        imalugnut
      • Death penalty for malware authors

        In all sincerity, I agree with him!

        For malware authors, the risk to reward ratio favors writing malware; because we all know that they "get away with it".

        The Iranians would love to know who is responsible for Stuxnet; many US TLAs (three letter agencies) would love to know who is trying to exfiltrate secure information from their servers.

        A few globally public executions might just change the dynamic.
        fatman65535
    • History-challenged?

      Hate to drop knowledge on you, but atheist-Darwinist governments killed magnitudes more of their own citizens in peacetime in the 20th century - about 120 million. So ... you win!
      harvey_rabbit
      • Babble

        "atheist-Darwinist governments"?!?
        Oh really? Name one. Certainly you can't possibly mean the U.S.S.R., as they were in no way Darwinist, whatever that means.
        .DeusExMachina.
  • Unfortunately these technologies are in newer versions of the OS.

    "Apple has been introducing a series of technologies—tools like Address Space Layout Randomization (ASLR), sandboxing, and DEP—to reduce the chances of exploitation even when a Mac is vulnerable and to limit the potential damage of an attack."

    So they do nothing to help older versions of the OS, which lack one or more of them.
    ye
    • RE: Unfortunately these technologies are in newer versions of the OS.

      "So they do nothing to help older versions of the OS which lacks one or more of them."

      So what? This is just like Windows. There's a huge differential between the Windows Vista/7 Home editions and Windows XP Home. Windows 7 introduced AppLocker. Windows Vista introduced ASLR, Windows integrity levels and Parental Control. Windows XP Professional introduced software restriction policy, Windows Firewall (SP2) and DEP (SP2). Windows XP 64-bit introduced PatchGuard.

      And just like the Linux kernel. There's a huge differential between early versions of the 2.6 kernel and the 3.x kernel. Security features like DEP (kernel 2.6.8), ASLR (kernel 2.6.12), the Tomoyo Linux Security Module (kernel 2.6.30) and the AppArmor Linux Security Module (kernel 2.6.36) were all added to the 2.6 kernel after its initial release.
      Rabid Howler Monkey
      • Well the title of this blog is

        @Rabid Howler Monkey: "So what?"

        "Quick protection for older Macs from the Flashback trojan"

        Pay particular attention to the fourth word.
        ye
      • RE: Well the title of this blog is

        "Quick protection for older Macs from the Flashback trojan"

        And the advice given in the article applies to *all* OS X versions, including Lion systems where Java is present either by OS X upgrade or install:

        "either disable Java in your web browser (in Safari it's a Security preference), or turn it off altogether using the Java Preferences application, which can be found in the Utilities folder in Applications."

        Do you have evidence that the security features added in either OS X Snow Leopard or Lion, and I mean those Lion systems with Java installed, provided any added protection for this particular exploit?
        Rabid Howler Monkey
      • What is your point?

        @Rabid Howler Monkey: I fail to see how your response addresses my point that these are technologies not found in older versions of the operating system.
        ye