Flashback malware exposes big gaps in Apple security response
Summary: A pair of high-profile malware attacks have given Apple a crash course in security response. Based on recent actions, 70 million current Mac owners have a right to expect much more from Apple than they’re getting today.
In one of those great ironies of technology, an increased incidence of malware is a sign that your product has been a success in the market.
Apple’s been astonishingly successful with its Mac hardware in recent years. The dark side of that success is the attention they’ve begun to attract from online criminals.
Apple and its customers got a hint of what was in store with last year’s Mac Defender outbreak. This year, a much larger and more disturbing outbreak has infected more than 600,000 Macs with a piece of malware called Flashback.The entire Flashback episode has in fact exposed Apple’s security weak spots.
Eugene Kaspersky last week argued that Apple is “ten years behind Microsoft in terms of security.”
Those aren’t just self-serving statements from a company that sells security software. Kaspersky’s argument didn't even mention antivirus solutions. Instead, he said, Apple’s security efforts have been slow, reactive, and generally ineffective:
We now expect to see more and more because cyber criminals learn from success and this was the first successful one. [Apple] will understand very soon that they have the same problems Microsoft had ten or 12 years ago. They will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software. That’s what Microsoft did in the past after so many incidents like Blaster and the more complicated worms that infected millions of computers in a short time. They had to do a lot of work to check the code to find mistakes and vulnerabilities. Now it’s time for Apple [to do that].
Let’s be clear: Both Microsoft and Apple are victims of organized crime in all of these attacks, and they’re in the unenviable position of having to fight legal battles and make substantial engineering investments on behalf of their customers. It is, unfortunately, a cost of doing business.
See also:
- New Mac malware epidemic exploits weaknesses in Apple ecosystem
- Second source confirms: 1 in 100 Macs are infected by Flashback
- New data shows older OS X versions more susceptible to malware
- Apple releases Flashback removal tool, infections drop to 270,000
- How big a security risk is Java? Can you really quit using it?
All complex software has vulnerabilities, even when it’s written with the most disciplined processes. Bad guys make a lucrative business out of finding those vulnerabilities and writing exploits for them. Eliminating malware completely is a pipe dream, especially on relatively open platforms like Windows and OS X. No one seriously believes it’s possible to eliminate street crime, either, but effective policing and attention to the underlying causes of crime can significantly reduce rates.
A lot of what Apple is learning about security today will show up in future editions of OS X and iOS, as the company presumably gets smarter about writing code. But what about the 60 or 70 million current Mac owners?
They have a right to expect much more of a security response from Apple than they’re getting now. As an Apple customer myself, I believe Apple deserves four key criticisms of its current approach to security.
1. Apple is too slow to deliver updates
When the size of this incident first became apparent, I wrote:
What makes this outbreak especially chilling is that the owners of infected Macs didn’t have to fall for social engineering, give away their administrative password, or do something stupid. … The Flashback malware in its current incarnation does not use an installer. It does not require that the user enter a password or click OK in a dialog box. It is a drive-by download that installs itself silently and with absolutely no user action required, and it is triggered by the simple act of viewing a website using a Mac on which Java is installed.
Apple brags that it is quick to respond to security issues. Here, for example, is what you see if you visit Apple's "Why you'll love a Mac" page:
Unfortunately, that bold statement is contradicted by the facts.
Apple's update that fixed the Java security hole was released April 3, 2012. That’s 49 days after Oracle released Java SE 6 Update 31 for all other platforms. During that seven-week period, every Apple customer who had Java installed (and that includes every Mac owner running Leopard and Snow Leopard) was vulnerable to a silent installation of malware. Ultimately, Apple had to release an update that fixed the security hole and removed the malware already installed on its customers' Macs.
That long gap in Apple's response is not unusual, as independent security expert Brian Krebs has pointed out:
Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple’s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun.
Apple’s performance in recent years has been much better in terms of Java updates, but still slow. Oracle has released six security-related updates to Java SE 6 in the past two years. In five of those six updates, it took Apple at least three additional weeks to release its version of the update. Two of Apple's updates arrived more than 30 days later than those available to other platforms.
So what happens when the next Java vulnerability is discovered and patched by Oracle? How long will Mac users have to wait for their updates? Or, to put it another way, how much of a window of opportunity will malware authors have to attack Macs?
Page 2: Update hassles and abandoned Macs -->
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
In other news, Microsoft to bundle productivity apps into "Office" suite
It's an old story in the security community. And Apple really does have good people who work on this stuff; I can only imagine that they don't have enough and they don't give them adequate resources.
And what's different now...
And while the security community might think this is old news, for many Mac users it's an eye-opener. That's especially true for Macs used in business.
Apple does good job on their *own* software recently, but they fail on ...
Now Oracle finally took Java for OS X in its care, so Apple will avoid being drawn in issues of third-party software.
As people said above, Apple was slow even in its *own* software for a long time, but recently they fix vulnerabilities quite fast.
So the problem will be resolved; lets see.
Apple needs to put their OS X sandboxing technology to work
[i]Apple will avoid being drawn in issues of third-party software.[/i]
Apple needs to sandbox their Safari web browser along with plug-ins such as Java, Flash and Quicktime. It would also be a good idea to sandbox Java WebStart and the default PDF reader for OS X as well.
Apple also needs to partner with Adobe regarding sandboxing the Flash plug-in for Safari as well as Adobe Reader on OS X. Assuming that Apple and Adobe are still talking to each other. :/
P.S. Apple's sandboxing technology is sourced from TrustedBSD. There is a sandbox.kext kernel extension available for both OS X app developers and end users to sandbox apps. [Note: OS X kernel extensions are equivalent to Linux kernel modules.]
Linux-based?
WTH are you talking about? In NO way, shape or form is OSX "Linux-based". If you don't know the difference between BSD and SysV Unix, you really should not be posting without supervision.
Apple great at marketing, not very good at managing real-world problems
When iCloud first came out last year, I decided I would try it for syncing contacts with Outlook 2010. Apple's software kept telling me that Outlook was not installed, although it clearly was. I posted my issue on the Apple support forum and was literally joined by tens of thousands of others who were having the same problem. For months, there was no response from anyone at Apple -- just frustration. Then, out of nowhere, Apple released a revised version of the software, and the issue was addressed. The release came without any admission that there ever was a problem, much less that it was now fixed.
Look at Siri -- as often as not it is unusable and has apparently attained permanent beta status. Apple's answer? Run two new TV ads for Siri featuring celebrities and showing highly sped-up sequences of successful interactions with the product.
Apple may be able to be successful at keeping consumers at bay with a two-pronged strategy of clever marketing and selective silence, but any hope they have of cracking the business market in a significant way will hopelessly fail in the face of such actions.
Siri Needs a working Network
The Cellular networks in large cities have little ability to provide latency free communications. So, things that require the internet are not going to work well. If everyone got TDMA slots for their network services so that there was a guaranteed bandwidth/latency, then Siri, and other internet anchored services would be much more dependable.
Back in 2006 or so, Sun demonstrated running a web server in a realtime version of Solaris, and showed that with the same hardware, and effective scheduling and resource allocation that a realtime OS can do, they could guarantee the time to process web requests. The times dropped from the order of 10s of seconds to less than a second.
The Cellular networks are still using pretty inefficient technologies and cells are too big in many places because the cellular companies can not get access to space where they need to deploy smaller cells.
The WiFi networks are going to be the next technology savior for mobile devices. Someone is going to wake up, and start deploying WiFi with QOS and sell the bandwidth to the cellular companies.
Siri is a cute gimmick
Why not better Oracle-Apple Security Coordination?
If TDF LibreOffice and Apache OpenOffice can manage concurrent advisories on mutual vulnerabilities, even though different patches/updates are required, it is mind-boggling that Apple and Oracle can't manage what should be a more-closely coupled arrangement.
(Now I'm wondering what the lag was before any necessary update in the IBM Java implementation. Is there a broader disfunction with regard to Java as it becomes a multi-platform exploit target of choice?)
Why not better Orical-Apple Security Coordination-Java
Apple's Doing That
http://www.infoworld.com/t/mac-os-x/apples-tim-cook-wins-where-steve-jobs-failed-java-192003
They're handing the reigns back to Oracle.
Still, we don't know the truth
When did Apple receive the Java source code update with the fixed vulnerabilities?
I believe, Oracle first released the fixes for their "supported" platforms, then weeks after that, perhaps by demand of Apple, provided the fixed code to Apple.
This all is bad news for Oracle, and for Java in particular. Now, Java will be threaded as "foreign" code to OS X, with all the consequences, including lack of optimization etc.
Apple's delay belongs to Apple...
Apple maintains its own version of Java and is 100% responsible for incorporating the security fixes.
From this article:
"Apple???s update that fixed the Java security hole was released April 3, 2012. That???s 49 days after Oracle released Java SE 6 Update 31..."
"Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple???s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made..."
@ NameRedacted
But, do you or Ed know any real facts to support such statements? This is what I ask. No answer from Ed so far... so probably the truth is, that Ed simply does not know! Basing your journalism on things that you simply do not know is not very... professional, at least.
If you haven't noticed, Apple has stopped bundling Java with OS X with the release of Lion. This is one indicator, that Apple is not interested in maintaining "their own version of Java". They have recently went further to tell Oracle, that if they want Java on Apple's computers, they will have to handle it themselves.
I've answered this over and over again
Oracle and Apple Announce OpenJDK Project for Mac OS X
REDWOOD SHORES and CUPERTINO, California???November 12, 2010???Oracle and Apple?? today announced the OpenJDK project for Mac OS?? X. Apple will contribute most of the key components, tools and technology required for a Java SE 7 implementation on Mac OS X, including a 32-bit and 64-bit HotSpot-based Java virtual machine, class libraries, a networking stack and the foundation for a new graphical client. OpenJDK will make Apple???s Java technology available to open source developers so they can access and contribute to the effort.
[snip]
Apple also confirmed that Java SE 6 will continue to be available from Apple for Mac OS X Snow Leopard?? and the upcoming release of Mac OS X Lion. Java SE 7 and future versions of Java for Mac OS X will be available from Oracle.
http://www.apple.com/pr/library/2010/11/12Oracle-and-Apple-Announce-OpenJDK-Project-for-Mac-OS-X.html
Apple to make OpenJDK open source
Anyway, none of this is relevant to the "Apple was slow with Java" issue. The vulnerable code is not in OpenJDK. It is in Oracle's JDK. And the source core for Oracle's JDK comes from Oracle. So, in order for Apple to rebuild and release the fixed JDK they have to obtain it from Oracle.
You again avoided answering the question: do you know when Oracle provided Apple with the fixed Java source code? It is this information, that is missing from your articles, that solely determines if the delay is caused by Apple, or Oracle.
@danbi
The issue is about what was happening before
Now that is happening with Java-7 and Java-8. There is a very busy mailing list with all kinds of work going on to fix all the things, again, that Apple had to "fix" to make it possible for Java to work well in the Mac Desktop environment.
There was a lot of Apple APIs which had been exposed via Java delegation through JNI. I am not sure what is happening with those.
Great article
Informed customers are dangerous to marketing