Oxford University IT staff 'somewhat overwhelmed by Mac malware'

Summary: In a pair of candid blog posts, a member of Oxford's network security staff says the Flashback malware episode is the worst they've seen since the Blaster worm of 2003. And Apple is "making minimal effort" and "putting customers at risk."

So just how bad is the recent Flashback outbreak of malware for Macs?

Getting hard data about any kind of malware outbreak is always tricky.

Security companies have to make estimates, which might be influenced by their desire to whip up enough fear to sell their software. And corporations rarely publicize details about their internal workings.

That’s why it was refreshing to see a recent blog post from the network security team (OxCERT) at the University of Oxford, which offered some insights into its experience with a large population of Macs.

“Over the past couple of weeks, OxCERT have been somewhat overwhelmed by Mac malware,” the post begins.

The group has dealt with scattered problems on Macs before, says author Robin Stevens. “But with Flashback,” Stevens says, “the game has changed forever.”

We are seeing huge numbers of attacks of the sort that Windows users have had to contend with for years. Apple users, and indeed Apple themselves, just have not been ready. We are dealing with what is probably the biggest outbreak since Blaster struck the Windows world all the way back in the summer of 2003. That time OxCERT dealt with around 1000 incidents; we have seen several hundred Flashback incidents and they keep on coming.

Oxford’s critique of Apple mirrors what I’ve been saying for a long time:

  • Apple’s contention that “Macs don’t get PC viruses” is “technically true, perhaps, but very misleading: PCs get PC viruses, Macs get Mac viruses which may be extremely similar to that common on PCs.”
  • OS X antimalware capabilities are “extremely limited and no substitute for a proper third-party antivirus system.” (Oxford supports Sophos for its users.)
  • Apple’s claim that it “responds quickly by providing software updates and security enhancements” is met with this dry retort: “As we’ve seen, this depends very much on your definition of ‘quickly’.”

And I was gratified to see independent support for an argument I made a few days ago. Apple’s support lifecycle is too short: “There is however a nasty catch with operating system updates, of which many users will be unaware: Apple security support lifetimes are much shorter than in the Windows world.”

That issue gets a full discussion in a second post:

To the best of our knowledge, Apple do not officially state their software support policy anywhere, but from what we can gather, only support the two most recent versions of OS X. Currently that is 10.6 (Snow Leopard) and 10.7 (Lion). 10.6 was released in August 2009, which means that any Mac purchased prior to that date and not subsequently upgraded will be running a version which receives no security support. That’s for a system purchased under three years ago. Granted, users can upgrade – but at a cost. Users don’t like being told that they have to spend money.


Now, granted, users can upgrade to a newer OS X release than their system came with. Plenty of users are unlikely to bother unless forced – their system seems perfectly adequate, why spend money and risk breaking it? One college has reported almost 50 systems known to their student registration system running OS X 10.5 or earlier.

The conclusion neatly mirrors my post the other day about the big gaps in Apple's security response:

Apple … have been complacent in terms of their attitude to security and support, especially when compared to their chief competitor. Microsoft have learned a huge amount from past mistakes, support their products for many years, and these days I feel do an excellent job. By comparison, Apple appear to be making minimal effort, and are putting their customers at risk as a result. …

I’d like to see from Apple the following:

  • Timely security updates
  • Greater openness regarding security issues
  • Minimum hardware and software support lifetimes stated clearly up-front
  • Longer operating system security support lifetimes: at least five years
  • Hardware that runs a supported operating system version for longer: minimum of seven years perhaps?

In a separate report on Forbes, Andy Greenberg reports new data from the Russian security firm tracking the number of Flashback installations. The current number of infections is around 460,000, down from a peak of 700,000, with the botnet shrinking at a rate of about 100,000 a week.

Apple has still not issued any public statement on Flashback except for a small number of security bulletins.

  • Interesting analogy from 2003

    Interesting that Oxford compares the recent outbreak to problems that MS resolved almost a decade ago. Quite frankly, I cannot recall a serious issue with Blaster myself. At the time, I was responsible for about 28,000 machines worldwide. I approached 0% infection by taking reasonable precautions and good management. Apple can achieve this as well if they acknowledge that they are missing the tools for this and that their clients are at an ever-growing risk.

    Anyone who boldly states that their systems are 100% safe or there is a 0% chance of infection is a fool, a liar or both.
    Your Non Advocate
    • Interesting point of view on Slammer...

      Microsoft itself was hit by Slammer. I guess they weren't taking reasonable precautions and using good management.
      • More interestingly, how those people at Oxford still have their jobs if ...

        ... they could not even arrange Java autoupdate or at least set up a firewall that would not allow clueless users to go to some weird sites with fake Flash update pages?
      • You seem to miss the point, @DeRSSS

        Java AutoUpdate WON'T WORK IF THERE IS NO UPDATE.

        Sorry for shouting. ;)

        Also, the sites that were poisoned were not delivering fake Flash updates. They were exploiting an unpatched vulnerability in Java. All a Mac user had to do was click on a legitimate search result, go to a legitimate web site, and get infected with no user interaction.

        Is that really so hard to understand?
        Ed Bott
      • DeRSSS: please provide us with the firewall rules

        I've asked our server team to turn on the "weird site" outbound filter on our firewall and they looked at me like I knew nothing about firewalls. I told them that you would be providing me with the rules for this filter and that I would forward it on to them. Please DeRSSS, for the love of all our Mac users here, please provide us with the "weird site" rules so we can keep our Mac users safe.
      • Ed

        Regarding DeRSSS .... he knows fully there is a clear difference between the original fake Flash and the trojan we are talking about. I know this because it has been pointed out to him in EVERY article to which he's posted this drivel. The facts just don't find his agenda. <sigh>
      • @William Farrel... Huh?

        The guy made a comment on how his systems weren't affected by Slammer because, and I quote, "I approached 0% infection by taking reasonable precautions and good management.". My logical response, which is clearly hated by the NBMers, was pretty clear to understand...if taking reasonable precautions and good management is all that was needed to prevent being affected by Slammer, why was Microsoft themselves affected by it? Is he going on record as taking more reasonable precautions and having better management than Microsoft or is he just throwing out a strawman argument that because he wasn't affected then Slammer wasn't really a problem.
      • Misunderstood?

        @William Farrel I'm not sure that's what he means. The real point is "you can do everything right, and still get stung". I'm sure Microsoft were taking reasonable precautions, but malware that exploits a previously undiscovered flaw could easily mean these "reasonable precautions" are for nought.

        Of course, this isn't the case here - this Java exploit was leveraging a (long) discovered flaw, one that Apple had rather spectacularly failed to patch.

        This isn't really a technical issue, it's more a "pull your finger out and make the patch available Apple" issue. It's not that Mac OS X is weak, it's that Apple haven't really taken patch availability seriously enough. I imagine that, despite the silence, Apple will have learned from their error.
      • partners are a liability

        many of the companies affected by SQL Slammer had taken precautions themselves & so not patched their systems but were infected by partners who had access and had neither patched nor taken precautions; know your whole security exposure
      • And more interestingly...

        Where are the complaints and all the questions from ordinary users?
        There should be a tsunami with people needing help at Macworld, Apple's discussion boards, and other Mac sites where Mac users usually go to ask questions.

        So this is most likely yet another attempt to fool Mac users to buy useless software from Symantec, Sophos and others. :(
      • Like many here they're likely clueless or in denial.


        [i]Where are the complaints and all the questions from ordinary users?
        There should be a tsunami with people needing help at Macworld, Apple's discussion boards, and other Mac sites where Mac users usually go to ask questions.[/i]

        For the fanbois it's denial. For everyone else they're unlikely to know as Apple has sold them on the idea Macs are invulnerable to malware.
    • @ye, that requires that most Mac users are fanbois...

      otherwise we'd heard at least a few complaining and asking questions about how to get rid of the annoying malware.

      So you are stating categorically that almost all Mac users are fanbois?
      • just wondering

        but how would a normal Mac user know if they have been infected?
      • @Yax_to_the_Max, Google searches may give faulty results

        "The Flashback ad-clicking component is loaded into Chrome, Firefox, and Safari where it can intercept all GET and POST requests from the browser. Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker's choosing, where they receive revenue from the click . (Google never receives the intended ad click.)"

        This is of course assuming there are any real infections out there and not just on Symantec, Sophos or Kaspersky's own Macs/PCs.
      • What is the "that" you're referring to?

      • Intimidation

        When you think or do have a problem, you tend to keep it to yourself.
        It is normal to present an image of constant awareness, as in "I know that".
        With the pugnacious attitude of the Apple fanbois it would not be pleasant to be chastised by people who are Apple anarchists.
      • Apple anarchists? - LOL

        [i]With the pugnacious attitude of the Apple fanbois it would not be pleasant to be chastised by people who are Apple anarchists.[/i]

        Don't flatter yourself. The PC market is flat so this is nothing more than a grab by the AV companies to gain more customers.
      • scorpio black. What is a grab?

        This blog and Ed have stock in AV companies? Or is it the IT staff at Oxford, who were bought and paid for by the AV mafia to write the blog Ed refers to?
        How utterly ridiculous and a lame attempt to take the attention off of the real problem. Apple products are weak on security and users are totally clueless and have been affected by the Apple RDF.
      • @xunil_z

        Maybe for as weak as you describe Apple's security measures, much, and I mean much, more bugs should exist. Over 10 years of OS X and you equate 1 successful attack on numbers still much lower than any Windows OS attacks in the early 2000s which nearly crippled the net entirely. I still feel the I-told-ya-sos are way too premature. I guess we'll wait and see how bad it can get.
      • I know what dumb is

        [i]This blog and Ed have stock in AV companies? Or is it the IT staff at Oxford, who were bought and paid for by the AV mafia to write the blog Ed refers to?[/i]

        Do you always go around asking stupid questions like this?