Flashback malware exposes big gaps in Apple security response

Flashback malware exposes big gaps in Apple security response

Summary: A pair of high-profile malware attacks have given Apple a crash course in security response. Based on recent actions, 70 million current Mac owners have a right to expect much more from Apple than they’re getting today.


<-- Previous page

2. Apple offers no automatic update option

Even when updates are available, they’re only effective if they're applied. And every security researcher knows that a nontrivial percentage of users simply ignore updates.

As Mac expert Glenn Fleishman noted the other day (via Twitter), “Legions of children manage updates for parents and grandparents.” That's because they know that, left to their own devices, many unsophisticated users will simply postpone those updates by clicking the “Not Now” or "Install Later" button. They see updates as an annoyance that will mean they can’t use their Mac for 10 minutes to a half-hour.

So how bad is the problem? Based on data collected by Dr. Web, roughly 1 out of every 4 Snow Leopard users are at least six months behind in terms of applying major software updates. Nearly 15% are more than a year behind, meaning they have skipped at least two major OS X updates and are easy prey for any exploit that targets security holes that were fixed in those updates.

User education only goes so far. When you go home for the holidays, you can configure Software Update so that it downloads new updates automatically. But you can’t set up OS X to install those updates automatically, as you can with Windows.

Automatic updates would not, of course, bring the percentage of up-to-date installations anywhere near 100%. But it could make a difference for a few percent. And in a user base of 70 million (and growing), even a 3% improvement means 2 million Macs that are better protected than they are today.

3. Apple is too quick to abandon its customers

Although Apple has never said so publicly, it’s common knowledge among Mac experts that Apple provides updates (security and otherwise) only for the current OS X version and the most recent.

That means Macs that are between three and five years old are left unprotected unless their owners pay for an upgrade to a new version of OS X. (Apple charges $29 to upgrade from Leopard to Snow Leopard and another $30 to upgrade from Snow Leopard to Lion.)

According to Dr. Web’s data, 25% of all Flashback-infected Macs are running Mac OS X 10.5 Leopard. Net Market Share statistics suggest that at least 17% of all Macs in use today are running Leopard (or an earlier version of OS X).

Leopard shipped August 25, 2007. It was sold on new Macs for two full years. Customers purchased 5.7 million computers with Leopard installed in the first half of 2009. Those computers are all roughly three years old today, and most can expect to have at least two or three more years of useful life. Apple does not provide updates to these computers unless the customer purchases and installs a new version of OS X.

Snow Leopard (Mac OS X 10.6) shipped August 28, 2009, and was on sale for almost two years, until Lion shipped on July 20, 2011. It is still the most popular version of OS X today, according to these March 2012 Net Market Share figures:

If Apple maintains its current policy, then as soon as OS X Mountain Lion goes on sale, probably in July or August, Apple will drop support for the Macs it sold with Snow Leopard installed. Every one of those unsupported Macs will be three years old or less.

Or, to put it another way:

Apple sold about 27 million Macs in 2009 and 2010. By the end of this summer, in September 2012, every one of those Macs will be unsupported in its original, as-purchased configuration.

Microsoft has a support lifecycle of 10 years for each version of Windows. While that may be too much to expect of Apple, it’s clear that there’s a radical disconnect between the useful life of Apple hardware and the company’s support for the combination of hardware and software that it sells.

Users have many reasons besides cost to avoid the headaches of upgrades. I’ve yet to read an enthusiastic review of OS X Lion, and I’ve heard many people compare Lion to Windows Vista.

But the point is, Apple offers its customers the choice of whether to upgrade to a new OS. The company shouldn’t be allowed to refuse to deliver essential security updates to Macs that are three to five years old. That’s gross negligence.

4. Apple doesn’t communicate well

Apple’s first public statement that mentioned the Flashback malware outbreak came on April 14, with a support bulletin titled “About Flashback malware.” That was more than a week after security researchers and news sites like ZDNet had sounded the alarm. In its Java updates on April 3, Apple did not communicate any sense of urgency, even though they had to have known by that time that exploits were in the wild and wreaking havoc on Mac owners.

Apple doesn’t communicate well with security researchers, either. Boris Sharov, chief executive of the Moscow-based security firm Dr. Web, told Andy Greenberg of Forbes that his researchers were ignored when they tried to contact Apple with their findings: “We’ve given them all the data we have. We’ve heard nothing from them…” The only contact from Apple, in fact, was a demand to take down the “sinkhole” domain that Dr. Web researchers were using to study the distribution and behavior of the Flashback botnet.

To this day, in fact, Apple has not issued any statement aimed at the general public or the mainstream news media. Apple’s dilemma is a painful one here: If they talk to the press in an effort to reach owners of Macs who aren’t aware they’ve been infected, they risk puncturing the “Macs don’t get viruses” image they’ve cultivated through the years. So the company has chosen to remain silent, which is shameful.

Apple’s legendary secrecy is an asset when it comes to product development and launch-day hype. Somehow, the company has to overcome that desire for secrecy when it comes to security.

For its customers' sake, it desperately needs to think different.

Topics: Security, Apple, Hardware, Malware, Open Source

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • In other news, Microsoft to bundle productivity apps into "Office" suite

    Not to contradict your points, but Apple has had these deficiencies for many, many years. For instance, they have a history of releasing patches to vulnerabilities a year or two after they were disclosed and patched in other vendors' products. They also don't coordinate the updates of their Webkit-based browsers leaving some of the products vulnerable after others are patched.

    It's an old story in the security community. And Apple really does have good people who work on this stuff; I can only imagine that they don't have enough and they don't give them adequate resources.
    • And what's different now...

      Yes, this has always been a problem. They could get away with it when the platform wasn't being targeted. Now it is. And thus a sense of urgency about longstanding issues that can no longer be avoided.

      And while the security community might think this is old news, for many Mac users it's an eye-opener. That's especially true for Macs used in business.
      Ed Bott
      • Apple does good job on their *own* software recently, but they fail on ...

        ... third-party software. Apple decided to drop Java from the OS and support 1.5 years ago, and they were even more sloppy with compiling updated versions of Java since then.

        Now Oracle finally took Java for OS X in its care, so Apple will avoid being drawn in issues of third-party software.

        As people said above, Apple was slow even in its *own* software for a long time, but recently they fix vulnerabilities quite fast.

        So the problem will be resolved; lets see.
      • Apple needs to put their OS X sandboxing technology to work

        DeRSSS wrote:
        [i]Apple will avoid being drawn in issues of third-party software.[/i]

        Apple needs to sandbox their Safari web browser along with plug-ins such as Java, Flash and Quicktime. It would also be a good idea to sandbox Java WebStart and the default PDF reader for OS X as well.

        Apple also needs to partner with Adobe regarding sandboxing the Flash plug-in for Safari as well as Adobe Reader on OS X. Assuming that Apple and Adobe are still talking to each other. :/

        P.S. Apple's sandboxing technology is sourced from TrustedBSD. There is a sandbox.kext kernel extension available for both OS X app developers and end users to sandbox apps. [Note: OS X kernel extensions are equivalent to Linux kernel modules.]
        Rabid Howler Monkey
      • Linux-based?

        @ aplevine

        WTH are you talking about? In NO way, shape or form is OSX "Linux-based". If you don't know the difference between BSD and SysV Unix, you really should not be posting without supervision.
    • Apple great at marketing, not very good at managing real-world problems

      It seems that any time there is a negative issue that affects Apple hardware or software, Cupertino goes silent. There's no admission of a problem unless they're forced to come forward by unmanageable waves of negative publicity. And even then, the situations are usually downplayed as isolated instances or user error -- remember the "you're holding the phone wrong" explanation for iPhone 4's "antenna-gate.

      When iCloud first came out last year, I decided I would try it for syncing contacts with Outlook 2010. Apple's software kept telling me that Outlook was not installed, although it clearly was. I posted my issue on the Apple support forum and was literally joined by tens of thousands of others who were having the same problem. For months, there was no response from anyone at Apple -- just frustration. Then, out of nowhere, Apple released a revised version of the software, and the issue was addressed. The release came without any admission that there ever was a problem, much less that it was now fixed.

      Look at Siri -- as often as not it is unusable and has apparently attained permanent beta status. Apple's answer? Run two new TV ads for Siri featuring celebrities and showing highly sped-up sequences of successful interactions with the product.

      Apple may be able to be successful at keeping consumers at bay with a two-pronged strategy of clever marketing and selective silence, but any hope they have of cracking the business market in a significant way will hopelessly fail in the face of such actions.
      • Siri Needs a working Network

        The Siri commercials are in WiFi serviced spaces. The problem with Siri, is that Apple is using the internet to talk to their servers to process your Siri questions and log and document what is asked so that they can extend the product to support the types of queries users are asking and not getting valid answers for.

        The Cellular networks in large cities have little ability to provide latency free communications. So, things that require the internet are not going to work well. If everyone got TDMA slots for their network services so that there was a guaranteed bandwidth/latency, then Siri, and other internet anchored services would be much more dependable.

        Back in 2006 or so, Sun demonstrated running a web server in a realtime version of Solaris, and showed that with the same hardware, and effective scheduling and resource allocation that a realtime OS can do, they could guarantee the time to process web requests. The times dropped from the order of 10s of seconds to less than a second.

        The Cellular networks are still using pretty inefficient technologies and cells are too big in many places because the cellular companies can not get access to space where they need to deploy smaller cells.

        The WiFi networks are going to be the next technology savior for mobile devices. Someone is going to wake up, and start deploying WiFi with QOS and sell the bandwidth to the cellular companies.
      • Siri is a cute gimmick

        But more just a gimmick. A copy of the T-mo 'Find' button. Apple paid a lot to buy Siri (yup, they bought it, not developed by them) and they'll push it as a huge feature to try to make their investment back.
  • Why not better Oracle-Apple Security Coordination?

    I'm assuming that the Apple Java distribution is fully-qualified as a Java implementation. I don't understand why there is not better coordination between Oracle and Apple on the handling of mutual security vulnerabilities and exposures. Apple should know well enough in advance, via communication between the security teams. Apple should known when an advisory is coming from Oracle in time to prepare their own update well before public disclosure.

    If TDF LibreOffice and Apache OpenOffice can manage concurrent advisories on mutual vulnerabilities, even though different patches/updates are required, it is mind-boggling that Apple and Oracle can't manage what should be a more-closely coupled arrangement.

    (Now I'm wondering what the lag was before any necessary update in the IBM Java implementation. Is there a broader disfunction with regard to Java as it becomes a multi-platform exploit target of choice?)
    • Why not better Orical-Apple Security Coordination-Java

      Instead of Apple controlling the Java Updates. (I am a Mac User.) Why not have setup like Widows It up to Oracle let people using Java know there is an update. And it up to the User to go to oracle's site and download install it. What so different about Java, than Javscript, or eve Flash, That apple has to be the intermediary.
      • Apple's Doing That

        Apple's doing just that:


        They're handing the reigns back to Oracle.
      • Still, we don't know the truth

        Ed has written a lot about the Flashback malware and how Apple reacted "slow" to Java vulnerability.. but one question, the primary question remains unanswered:

        When did Apple receive the Java source code update with the fixed vulnerabilities?

        I believe, Oracle first released the fixes for their "supported" platforms, then weeks after that, perhaps by demand of Apple, provided the fixed code to Apple.

        This all is bad news for Oracle, and for Java in particular. Now, Java will be threaded as "foreign" code to OS X, with all the consequences, including lack of optimization etc.
      • Apple's delay belongs to Apple...


        Apple maintains its own version of Java and is 100% responsible for incorporating the security fixes.

        From this article:

        "Apple???s update that fixed the Java security hole was released April 3, 2012. That???s 49 days after Oracle released Java SE 6 Update 31..."

        "Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple???s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made..."
      • @ NameRedacted

        Ok, you quoted text from Ed's article. Something Ed is saying over and over again "the delay is Apple's fault".

        But, do you or Ed know any real facts to support such statements? This is what I ask. No answer from Ed so far... so probably the truth is, that Ed simply does not know! Basing your journalism on things that you simply do not know is not very... professional, at least.

        If you haven't noticed, Apple has stopped bundling Java with OS X with the release of Lion. This is one indicator, that Apple is not interested in maintaining "their own version of Java". They have recently went further to tell Oracle, that if they want Java on Apple's computers, they will have to handle it themselves.
      • I've answered this over and over again

        From a November 2010 press release issued jointly by Apple and Oracle:

        Oracle and Apple Announce OpenJDK Project for Mac OS X
        REDWOOD SHORES and CUPERTINO, California???November 12, 2010???Oracle and Apple?? today announced the OpenJDK project for Mac OS?? X. Apple will contribute most of the key components, tools and technology required for a Java SE 7 implementation on Mac OS X, including a 32-bit and 64-bit HotSpot-based Java virtual machine, class libraries, a networking stack and the foundation for a new graphical client. OpenJDK will make Apple???s Java technology available to open source developers so they can access and contribute to the effort.


        Apple also confirmed that Java SE 6 will continue to be available from Apple for Mac OS X Snow Leopard?? and the upcoming release of Mac OS X Lion. Java SE 7 and future versions of Java for Mac OS X will be available from Oracle.

        Ed Bott
      • Apple to make OpenJDK open source

        Ok, Ed. This is good news for everyone and on the UNIX platforms I use software dependent on Java has already switched to using OpenJDK instead of Oracles JDK, because Oracle just doesn't care (for anything but Windows). If Oracle's JDK is ever available, you need to manually go to their site, sign in there and download the code in order to build it on your own system... Which makes upgrading a pain.

        Anyway, none of this is relevant to the "Apple was slow with Java" issue. The vulnerable code is not in OpenJDK. It is in Oracle's JDK. And the source core for Oracle's JDK comes from Oracle. So, in order for Apple to rebuild and release the fixed JDK they have to obtain it from Oracle.

        You again avoided answering the question: do you know when Oracle provided Apple with the fixed Java source code? It is this information, that is missing from your articles, that solely determines if the delay is caused by Apple, or Oracle.
      • @danbi

        The flaw(s) were not in the JDK (the development kit), they were in the JRE (the runtime). Most machines will never have the JDK installed on them only the runtimes which is what held the vulnerable code on the machines.
    • The issue is about what was happening before

      Sun, didn't understand how Java could be successful on the desktop, and was not supporting Apple in a way that allowed all the hard work of Apple Engineering to come back into the mix.

      Now that is happening with Java-7 and Java-8. There is a very busy mailing list with all kinds of work going on to fix all the things, again, that Apple had to "fix" to make it possible for Java to work well in the Mac Desktop environment.

      There was a lot of Apple APIs which had been exposed via Java delegation through JNI. I am not sure what is happening with those.
  • Great article

    Your fourth point is the most salient point. Apple does not communicate well at all on multiple fronts. In addition to not being proactive with the security industry, Apple does a poor job of communicating risks to its clients and educating its clients. Apple values marketing and brand reputation at the expense of having an informed customer base.
    Your Non Advocate
    • Informed customers are dangerous to marketing

      Informed customers make decisions based on technology and fact. Uninformed customers make decisions based on emotion and popular trends, Apple's bread and butter. Why would they want informed customers? And providing security updates for older software does nothing for the bottom line. Let them upgrade or replace, they'll think it 'wore out' or they broke it.