Flashback malware exposes big gaps in Apple security response

Summary: A pair of high-profile malware attacks have given Apple a crash course in security response. Based on recent actions, 70 million current Mac owners have a right to expect much more from Apple than they’re getting today.

In one of those great ironies of technology, an increased incidence of malware is a sign that your product has been a success in the market.

Apple’s been astonishingly successful with its Mac hardware in recent years. The dark side of that success is the attention they’ve begun to attract from online criminals.

Apple and its customers got a hint of what was in store with last year’s Mac Defender outbreak. This year, a much larger and more disturbing outbreak has infected more than 600,000 Macs with a piece of malware called Flashback. The entire Flashback episode has in fact exposed Apple’s security weak spots.

Eugene Kaspersky last week argued that Apple is “ten years behind Microsoft in terms of security.”

Those aren’t just self-serving statements from a company that sells security software. Kaspersky’s argument didn't even mention antivirus solutions. Instead, he said, Apple’s security efforts have been slow, reactive, and generally ineffective:

We now expect to see more and more because cyber criminals learn from success and this was the first successful one. [Apple] will understand very soon that they have the same problems Microsoft had ten or 12 years ago. They will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software. That’s what Microsoft did in the past after so many incidents like Blaster and the more complicated worms that infected millions of computers in a short time. They had to do a lot of work to check the code to find mistakes and vulnerabilities. Now it’s time for Apple [to do that].

Let’s be clear: Both Microsoft and Apple are victims of organized crime in all of these attacks, and they’re in the unenviable position of having to fight legal battles and make substantial engineering investments on behalf of their customers. It is, unfortunately, a cost of doing business.

All complex software has vulnerabilities, even when it’s written with the most disciplined processes. Bad guys make a lucrative business out of finding those vulnerabilities and writing exploits for them. Eliminating malware completely is a pipe dream, especially on relatively open platforms like Windows and OS X. No one seriously believes it’s possible to eliminate street crime, either, but effective policing and attention to the underlying causes of crime can significantly reduce rates.

A lot of what Apple is learning about security today will show up in future editions of OS X and iOS, as the company presumably gets smarter about writing code. But what about the 60 or 70 million current Mac owners?

They have a right to expect much more of a security response from Apple than they’re getting now. As an Apple customer myself, I believe Apple deserves four key criticisms of its current approach to security.

1. Apple is too slow to deliver updates

When the size of this incident first became apparent, I wrote:

What makes this outbreak especially chilling is that the owners of infected Macs didn’t have to fall for social engineering, give away their administrative password, or do something stupid. … The Flashback malware in its current incarnation does not use an installer. It does not require that the user enter a password or click OK in a dialog box. It is a drive-by download that installs itself silently and with absolutely no user action required, and it is triggered by the simple act of viewing a website using a Mac on which Java is installed.

Apple brags that it is quick to respond to security issues. Here, for example, is what you see if you visit Apple's "Why you'll love a Mac" page:

Unfortunately, that bold statement is contradicted by the facts.

Apple's update that fixed the Java security hole was released April 3, 2012. That’s 49 days after Oracle released Java SE 6 Update 31 for all other platforms. During that seven-week period, every Apple customer who had Java installed (and that includes every Mac owner running Leopard and Snow Leopard) was vulnerable to a silent installation of malware. Ultimately, Apple had to release an update that fixed the security hole and removed the malware already installed on its customers' Macs.

That long gap in Apple's response is not unusual, as independent security expert Brian Krebs has pointed out:

Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple’s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun.

Apple’s performance in recent years has been much better in terms of Java updates, but still slow. Oracle has released six security-related updates to Java SE 6 in the past two years. In five of those six updates, it took Apple at least three additional weeks to release its version of the update. Two of Apple's updates arrived more than 30 days later than those available to other platforms.

So what happens when the next Java vulnerability is discovered and patched by Oracle? How long will Mac users have to wait for their updates? Or, to put it another way, how much of a window of opportunity will malware authors have to attack Macs?

Talkback

118 comments
  • In other news, Microsoft to bundle productivity apps into "Office" suite

    Not to contradict your points, but Apple has had these deficiencies for many, many years. For instance, they have a history of releasing patches to vulnerabilities a year or two after they were disclosed and patched in other vendors' products. They also don't coordinate the updates of their Webkit-based browsers leaving some of the products vulnerable after others are patched.

    It's an old story in the security community. And Apple really does have good people who work on this stuff; I can only imagine that they don't have enough and they don't give them adequate resources.
    Larry Seltzer
    • And what's different now...

      Yes, this has always been a problem. They could get away with it when the platform wasn't being targeted. Now it is. And thus a sense of urgency about longstanding issues that can no longer be avoided.

      And while the security community might think this is old news, for many Mac users it's an eye-opener. That's especially true for Macs used in business.
      Ed Bott
      • Apple does good job on their *own* software recently, but they fail on ...

        ... third-party software. Apple decided to drop Java from the OS and support 1.5 years ago, and they were even more sloppy with compiling updated versions of Java since then.

        Now Oracle finally took Java for OS X in its care, so Apple will avoid being drawn in issues of third-party software.

        As people said above, Apple was slow even in its *own* software for a long time, but recently they fix vulnerabilities quite fast.

        So the problem will be resolved; let's see.
        DDERSSS
      • Apple needs to put their OS X sandboxing technology to work

        DeRSSS wrote:
        "Apple will avoid being drawn in issues of third-party software."

        Apple needs to sandbox their Safari web browser along with plug-ins such as Java, Flash and Quicktime. It would also be a good idea to sandbox Java WebStart and the default PDF reader for OS X as well.

        Apple also needs to partner with Adobe regarding sandboxing the Flash plug-in for Safari as well as Adobe Reader on OS X. Assuming that Apple and Adobe are still talking to each other. :/

        P.S. Apple's sandboxing technology is sourced from TrustedBSD. There is a sandbox.kext kernel extension available for both OS X app developers and end users to sandbox apps. [Note: OS X kernel extensions are equivalent to Linux kernel modules.]
        Rabid Howler Monkey
      • Linux-based?

        @ aplevine

        WTH are you talking about? In NO way, shape or form is OSX "Linux-based". If you don't know the difference between BSD and SysV Unix, you really should not be posting without supervision.
        .DeusExMachina.
    • Apple great at marketing, not very good at managing real-world problems

      It seems that any time there is a negative issue that affects Apple hardware or software, Cupertino goes silent. There's no admission of a problem unless they're forced to come forward by unmanageable waves of negative publicity. And even then, the situations are usually downplayed as isolated instances or user error -- remember the "you're holding the phone wrong" explanation for iPhone 4's "antenna-gate."

      When iCloud first came out last year, I decided I would try it for syncing contacts with Outlook 2010. Apple's software kept telling me that Outlook was not installed, although it clearly was. I posted my issue on the Apple support forum and was literally joined by tens of thousands of others who were having the same problem. For months, there was no response from anyone at Apple -- just frustration. Then, out of nowhere, Apple released a revised version of the software, and the issue was addressed. The release came without any admission that there ever was a problem, much less that it was now fixed.

      Look at Siri -- as often as not it is unusable and has apparently attained permanent beta status. Apple's answer? Run two new TV ads for Siri featuring celebrities and showing highly sped-up sequences of successful interactions with the product.

      Apple may be able to be successful at keeping consumers at bay with a two-pronged strategy of clever marketing and selective silence, but any hope they have of cracking the business market in a significant way will hopelessly fail in the face of such actions.
      NameRedacted
      • Siri Needs a working Network

        The Siri commercials are in WiFi serviced spaces. The problem with Siri, is that Apple is using the internet to talk to their servers to process your Siri questions and log and document what is asked so that they can extend the product to support the types of queries users are asking and not getting valid answers for.

        The Cellular networks in large cities have little ability to provide latency free communications. So, things that require the internet are not going to work well. If everyone got TDMA slots for their network services so that there was a guaranteed bandwidth/latency, then Siri, and other internet anchored services would be much more dependable.

        Back in 2006 or so, Sun demonstrated running a web server in a realtime version of Solaris, and showed that with the same hardware, and effective scheduling and resource allocation that a realtime OS can do, they could guarantee the time to process web requests. The times dropped from the order of 10s of seconds to less than a second.

        The Cellular networks are still using pretty inefficient technologies and cells are too big in many places because the cellular companies can not get access to space where they need to deploy smaller cells.

        The WiFi networks are going to be the next technology savior for mobile devices. Someone is going to wake up, and start deploying WiFi with QOS and sell the bandwidth to the cellular companies.
        greggwon
      • Siri is a cute gimmick

        But more just a gimmick. A copy of the T-mo 'Find' button. Apple paid a lot to buy Siri (yup, they bought it, not developed by them) and they'll push it as a huge feature to try to make their investment back.
        NotMSUser
  • Why not better Oracle-Apple Security Coordination?

    I'm assuming that the Apple Java distribution is fully-qualified as a Java implementation. I don't understand why there is not better coordination between Oracle and Apple on the handling of mutual security vulnerabilities and exposures. Apple should know well enough in advance, via communication between the security teams. Apple should know when an advisory is coming from Oracle in time to prepare their own update well before public disclosure.

    If TDF LibreOffice and Apache OpenOffice can manage concurrent advisories on mutual vulnerabilities, even though different patches/updates are required, it is mind-boggling that Apple and Oracle can't manage what should be a more-closely coupled arrangement.

    (Now I'm wondering what the lag was before any necessary update in the IBM Java implementation. Is there a broader dysfunction with regard to Java as it becomes a multi-platform exploit target of choice?)
    orcmid
    • Why not better Oracle-Apple Security Coordination-Java

      Instead of Apple controlling the Java updates (I am a Mac user), why not have a setup like Windows? It's up to Oracle to let people using Java know there is an update, and it's up to the user to go to Oracle's site and download and install it. What's so different about Java, compared with JavaScript or even Flash, that Apple has to be the intermediary?
      pjones
      • Apple's Doing That

        Apple's doing just that:

        http://www.infoworld.com/t/mac-os-x/apples-tim-cook-wins-where-steve-jobs-failed-java-192003

        They're handing the reins back to Oracle.
        WarhavenSC
      • Still, we don't know the truth

        Ed has written a lot about the Flashback malware and how Apple reacted "slow" to Java vulnerability.. but one question, the primary question remains unanswered:

        When did Apple receive the Java source code update with the fixed vulnerabilities?

        I believe, Oracle first released the fixes for their "supported" platforms, then weeks after that, perhaps by demand of Apple, provided the fixed code to Apple.

        This all is bad news for Oracle, and for Java in particular. Now, Java will be treated as "foreign" code to OS X, with all the consequences, including lack of optimization etc.
        danbi
      • Apple's delay belongs to Apple...

        danbi...

        Apple maintains its own version of Java and is 100% responsible for incorporating the security fixes.

        From this article:

        "Apple’s update that fixed the Java security hole was released April 3, 2012. That’s 49 days after Oracle released Java SE 6 Update 31..."

        "Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple’s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made..."
        NameRedacted
      • @ NameRedacted

        Ok, you quoted text from Ed's article. Something Ed is saying over and over again "the delay is Apple's fault".

        But, do you or Ed know any real facts to support such statements? This is what I ask. No answer from Ed so far... so probably the truth is, that Ed simply does not know! Basing your journalism on things that you simply do not know is not very... professional, at least.

        If you haven't noticed, Apple has stopped bundling Java with OS X with the release of Lion. This is one indicator that Apple is not interested in maintaining "their own version of Java". They have recently gone further to tell Oracle that if they want Java on Apple's computers, they will have to handle it themselves.
        danbi
      • I've answered this over and over again

        From a November 2010 press release issued jointly by Apple and Oracle:

        Oracle and Apple Announce OpenJDK Project for Mac OS X
        REDWOOD SHORES and CUPERTINO, California -- November 12, 2010 -- Oracle and Apple® today announced the OpenJDK project for Mac OS® X. Apple will contribute most of the key components, tools and technology required for a Java SE 7 implementation on Mac OS X, including a 32-bit and 64-bit HotSpot-based Java virtual machine, class libraries, a networking stack and the foundation for a new graphical client. OpenJDK will make Apple’s Java technology available to open source developers so they can access and contribute to the effort.

        [snip]

        Apple also confirmed that Java SE 6 will continue to be available from Apple for Mac OS X Snow Leopard® and the upcoming release of Mac OS X Lion. Java SE 7 and future versions of Java for Mac OS X will be available from Oracle.

        http://www.apple.com/pr/library/2010/11/12Oracle-and-Apple-Announce-OpenJDK-Project-for-Mac-OS-X.html
        Ed Bott
      • Apple to make OpenJDK open source

        Ok, Ed. This is good news for everyone and on the UNIX platforms I use software dependent on Java has already switched to using OpenJDK instead of Oracle's JDK, because Oracle just doesn't care (for anything but Windows). If Oracle's JDK is ever available, you need to manually go to their site, sign in there and download the code in order to build it on your own system... Which makes upgrading a pain.

        Anyway, none of this is relevant to the "Apple was slow with Java" issue. The vulnerable code is not in OpenJDK. It is in Oracle's JDK. And the source code for Oracle's JDK comes from Oracle. So, in order for Apple to rebuild and release the fixed JDK they have to obtain it from Oracle.

        You again avoided answering the question: do you know when Oracle provided Apple with the fixed Java source code? It is this information, that is missing from your articles, that solely determines if the delay is caused by Apple, or Oracle.
        danbi
      • @danbi

        The flaw(s) were not in the JDK (the development kit), they were in the JRE (the runtime). Most machines will never have the JDK installed on them only the runtimes which is what held the vulnerable code on the machines.
        ultimitloozer
    • The issue is about what was happening before

      Sun didn't understand how Java could be successful on the desktop, and was not supporting Apple in a way that allowed all the hard work of Apple Engineering to come back into the mix.

      Now that is happening with Java-7 and Java-8. There is a very busy mailing list with all kinds of work going on to fix all the things, again, that Apple had to "fix" to make it possible for Java to work well in the Mac Desktop environment.

      There were a lot of Apple APIs which had been exposed via Java delegation through JNI. I am not sure what is happening with those.
      greggwon
  • Great article

    Your fourth point is the most salient point. Apple does not communicate well at all on multiple fronts. In addition to not being proactive with the security industry, Apple does a poor job of communicating risks to its clients and educating its clients. Apple values marketing and brand reputation at the expense of having an informed customer base.
    Your Non Advocate
    • Informed customers are dangerous to marketing

      Informed customers make decisions based on technology and fact. Uninformed customers make decisions based on emotion and popular trends, Apple's bread and butter. Why would they want informed customers? And providing security updates for older software does nothing for the bottom line. Let them upgrade or replace, they'll think it 'wore out' or they broke it.
      NotMSUser