In April more than 600,000 Macs were reported to have been infected with a Flashback Trojan horse that was being installed on people's computers with the help of Java exploits. The Flashback Trojan is considered to be the largest Mac malware threat to date. As security venders and Apple made tools available to detect and remove Flashback (also known as Flashfake) another threat emerged known as SabPub. Like Flashback, SabPub uses vulnerabilities in Java Virtual Machine, but Kaspersky Lab’s researchers also found six Microsoft Word documents relating to Tibet, all of them containing the exploit.
Kaspersky Lab chief security expert Alexander Gostev said: “The SabPub backdoor once again reveals that not a single software environment is safe from attack. The relatively low number of malware for Mac OS X does not mean better protection. The most recent incidents like Flashfake and SabPub indicate that the personal data of unprotected Mac users is also at risk, either because cybercriminals understand the rising market share of such machines, or because they are hired for the direct task of attacking Apple computers.”
While these cases, Flashback in particular, have stolen the headlines, they are still minor in comparison to the security breaches regularly experienced in the PC world. However, these highly publicised Mac malware examples have raised the question of whether Macs are as safe from attack as many Mac users believe, and whether Apple can maintain its reputation for security.
Perhaps the biggest criticism directed at Apple was the way it handled the situation. First, Apple made the unfortunate choice of trying to shut down the domain used by the Dr. Web researchers who were the first to reveal the size of the MacBot. According to Dr. Web CEO Boris Sharov, the domain was being used as a spoofed command and control server, also known as a “sinkhole”, designed to monitor the hijacked machines in order to understand their behaviour. It was through this research that the security firm was able to report the size of Apple’s botnet to be more than 600,000 Macs. Apparently Apple had reported the domain, claiming it was being used as a “command and control” server for the infected computers. Perhaps this was an honest mistake. Or a sceptic might suggest Apple was trying to minimise information about the extent of Flashback infections.
Apple was also criticised for not reacting quickly enough. On 2 April F-Secure published a blog claiming: “A new Flashback variant (Mac malware) has been spotted exploiting CVE-2012-0507 (a Java vulnerability). We've been anticipating something like this for a while now. Oracle released an update that patched this vulnerability back in February… for Windows. But – Apple hasn't released the update for OS X (yet).”
Some argue that if Apple were more transparent about security issues – and if it had promptly released a Flashback fix – the extent of the damage could have been smaller. It wasn’t until 4 April that Apple released updates to Java for OS X Lion 2012-001 and Java for Mac OS X 10.6. Apple released a further update to the Lion version of the update later that same week. The same security holes in question were patched for Windows users back in February. Incidentally, back in February Mac security vender Intego revealed that a variant of the Flashback malware was using exploits vulnerabilities in Java to steal usernames and passwords for online payment, banking and credit card websites. At the time Intego claimed Flashback.G was exploiting a pair of Java bugs, one harking back to 2008, the other discovered in 2011.
Flashback goes back even further than February. Intego’s Mac security blog notes that it was aware Flashback was targeting Macs in the September 2011. Initially it masqueraded as a Flash Player installation package for OS X Lion. It was the change of tactics, when Flashback began taking advantage of a weakness in Java so that it could infect a Mac with little more than a visit to a website, that was spotted in April. Intego claims it began offering protection before the malware became a news story.
What is telling is that, other than Intego, almost none of the security and antivirus vendors offered up a solution much quicker than Apple did. F-Secure, which provided instructions for detecting the malware early on, was the first major security vendor to offer a quarantine and removal tool. Kaspersky and Symantec followed in quick succession. Apple's offering followed them. Unsurprisingly the Flashback case saw Mac security software sales jump
That said, Apple released a fix on as soon as its engineers could create the patch, made needed corrections immediately after that, and ultimately released tools on 16 April that would protect uninfected Macs and remove any infections. Apple did this by leveraging its software update infrastructure so that users who regularly agree to accept Apple's Software Update notices were protected – even if they had never heard of the threat.
The Flashback MacBot is on the decline. Symantec reported that the MacBot was down to 142,000 Macs by 16 April, and potentially less than 99,000 by 17 April. However, with the Sabpab Trojan also targeting Macs, there are concerns that Mac users think that they are protected because they have updated Java with Apple's latest security update. In fact they are not safe from the latest vulnerability. Sophos’ Graham Cluley warned: "Unlike the earlier sightings of Sabpab, there is nothing about this attack which relates to the Java vulnerability exploited by the Flashback botnet. Any Mac users who believe that they have protected themselves because they don't use Java probably needs to realise that that's not an effective defence".
This entire saga is a wakeup call that Macs are just as vulnerable as PCs to malware. One can quibble about specific security technologies employed by Apple, Microsoft, and other players – and there is merit to such discussions – but the days where Mac users could ignore security concerns and shrug off the possibility of infections is gone. Apple's efforts with the Mac App Store, OS X Mountain Lion, and the upcoming Apple Developer ID program are good security moves, but they can't turn back time to the state of comfort many Mac users enjoyed a month ago.