Attacks/Breaches
4/18/2012 02:15 PM

Mac Trojan Fallout: Apple Security Glory Days Gone?

Apple's reputation as an unattractive target for malware writers changed when the Flashback trojan hit more than 600,000 Macs. But Windows security still looks worse.

Has the Mac's relative immunity to malware finally ended?

Alan Paller, director of research for the SANS Institute, wrote in the group's information security newsletter Tuesday that it was time "to memorialize Apple's arrival as a prime target of cybercrime, following its recent ascent into a trusted platform for enterprise computing."

As Paller notes, Macs now have business cred, due in no small part to Apple hitting a home run with both the smartphone and tablet form factors. Market researchers said the company's success with the iPhone and the iPad has driven more demand than ever for Apple's laptops, not least by business users, even if it means "bringing your own device" (BYOD). Another selling point of Macs is that they've been almost completely unscathed by the last decade's boom in malware.

The Apple-targeting apparently got serious, however, at the end of March 2012, when a version of Mac malware known as Flashback began exploiting a Java vulnerability via drive-by attacks. Perhaps owing to the general consensus that few hackers bother to target Macs, it also took a week or two for anyone to notice.


Interestingly, the attackers behind the Flashback malware that infected approximately 600,000 Macs, or 1% to 2% of the active Apple OS X population, reverse-engineered a bug in Java that Oracle patched about six weeks ago. In other words, whoever crafted Flashback appeared to be already conversant in the intricacies of weaponizing Windows bugs.

The fact that Apple OS X can be exploited by attackers--for example, via advanced persistent threats--shouldn't come as a surprise. For years, researchers have been saying that the reason Macs weren't being hammered by viruses wasn't that they were inherently more secure. Instead, it appeared to be because attackers got a lot more "bang for their buck" by writing Windows viruses, Trojans, worms, keystroke loggers, and other malware. The vast majority of PCs in the world run Windows, and most virus writers have already amassed plenty of experience with Windows. Also, why target a lesser-used operating system when there are so many unpatched PCs still running Windows XP?

Antivirus vendors have been reminding consumers that Macs have never been inherently virus-free, and that Flashback--and its apparent spawn, SabPub--isn't the only badware in circulation. "According to SophosLabs, more than three-quarters of last week's malware reports from Sophos Anti-Virus for Mac were for other families of badware, including a lot of year-or-more-old stuff," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, in a blog post on Tuesday.

Antivirus vendors have been using the Flashback episode to urge people to use their Mac antivirus scanners, which are typically free. Accordingly, adopting anti-malware tools for Macs shouldn't be a hard sell.

How vulnerable are Mac users? Apple began targeting the Flashback-related botnet's command and control servers and issuing patches to block the malware, at least for users of the latest two versions of its operating system. Furthermore, attackers were able to exploit a vulnerability not in OS X itself, but in a Java plug-in, which was then targeted by malware known as SabPub. While a second version of SabPub also appeared that didn't target the Java bug, it used an Office for Mac vulnerability that Microsoft patched back in 2009. Accordingly, anyone who's updated their Word software since then is already protected. (If you're not sure, hit "Check for updates" from the Help menu.)

Flashback aside, expect concerns over Apple security to blow over, at least as long as Windows is around. In his spring 2012 laptop buying guide, issued Wednesday, Wall Street Journal review guru Walt Mossberg notes that "Mac users have only the rare virus to contend with, while Windows users must worry about hundreds of thousands of potential attacks." Even after Flashback, that observation so far remains true.

[Editor's note: Changes made 4/20/12 to correct the month Flashback began targeting Macs and the percentage of Macs affected.]


Comments
RSL
User Rank: Apprentice
4/19/2012 | 3:13:33 PM
re: Mac Trojan Fallout: Apple Security Glory Days Gone?
I am becoming very disillusioned with Information Week and the integrity of its articles. What relevance is there, in an article about security issues with Macs, for the text "Windows security still looks worse" to appear right after the headline? Besides irrelevance, the author obviously misuses the word "worse". There have been issues with the speed and results with regard to the response to this threat on Apple's part. Microsoft has a proven ability, experience, and an effective distribution mechanism to handle updates to their OSes. Worse? Of course Windows has a much greater field to attack, but that is not "worse". Users who do not patch their machines will exist across all platforms, not just Windows - again, "worse"? Furthermore, the article itself does not elaborate on how and why Windows is purportedly "worse"...

On the flipside, an up to date Windows machine is "better".

As a professional, I would appreciate newsworthy articles that span the full scope of the issue at hand versus constant sensationalism style headlines and content.
veggiedude
User Rank: Apprentice
4/19/2012 | 3:36:29 PM
re: Mac Trojan Fallout: Apple Security Glory Days Gone?
What is wrong with the article is saying 600,000 infected Macs constitutes 3% of Mac users, when it is actually 1%.

And yes, that is far less than the normal exposure rate that infects Windows.
RSL
User Rank: Apprentice
4/19/2012 | 3:55:14 PM
re: Mac Trojan Fallout: Apple Security Glory Days Gone?
My point is that there was no need to even mention Windows in this article. None of this constant comparing is necessary -- this is a genuine issue with Apple/Macs, period. This article should simply address what is going on relative to the topic. Percentages and numbers can be argued, interpreted, and skewed to the point that they are totally inaccurate.
jgeiss4p
User Rank: Apprentice
4/19/2012 | 7:51:53 PM
re: Mac Trojan Fallout: Apple Security Glory Days Gone?
There are a large number of anti-Apple people gloating over this. Yes, Apple could have (and, likely, should have) released this patch faster. However, it is important to note that the number of infected systems has reportedly dropped in the last few days from 600,000 to 140,000. That is a very substantial drop, especially considering that most Mac users have had no previous experience in dealing with such an attack.
In addition, the 600,000 infected machines is a very small number of users (alas, they are those clients who were 'stupid' enough to trust an unsolicited pop-up window instructing them to 'upgrade' their flash! Come on, people!). I have three MacOS X machines at home, and NONE of them were infected (and that's with my children using two of them, clicking on EVERYTHING that they can find!)
Apple has a long way to go before they get to the point where they have to deal with the problems that the Windows systems have been taking for granted for the last decade.
jbelkin
User Rank: Apprentice
4/19/2012 | 8:48:55 PM
re: Mac Trojan Fallout: Apple Security Glory Days Gone?
So far, it seems more people swear they've been abducted by aliens than people who actually have this Mac malware ... Well, unless you believe everything on a Russian website is real, and Symantec, who of course has no ulterior motive to convince you there's malware ... Has anyone on earth outside of labs admitted they found this on their machine? Anyone? Anyone? It seems more people admit to seeing Bigfoot or the Loch Ness monster ...
ANON1237837896902
User Rank: Apprentice
4/19/2012 | 11:06:47 PM
re: Mac Trojan Fallout: Apple Security Glory Days Gone?
The discussion is still relevant as it concerns people's choices about what computer platform to purchase. This has been a deciding factor for many people, so one of the questions posed is whether people should still purchase Macs to be safe. Yes, this is debatable, but it is not pointless.

What is important is that facts are used in these discussions. Facts like: 600k systems represents about 1% of active Macs. Facts like: the first known occurrence of the Java exploit was at the beginning of this month, not early February.

Apple was a couple of days late delivering the patch but followed it up with removal code and a hardening of the way the Java plugin is treated. Apple shut down command and control servers within days, and infection rates are thought to be less than 100k today.

Your concern with the assertion that things are "worse" on Windows is no more grounded in fact than the author's. Statements that Microsoft has "proven ability" or "effective distribution" sound hollow when the last major Windows attack held on to over 5-9 million systems for the better part of a year. There was no automated patch that removed Conficker or any other virus or trojan I know of by Microsoft. The core OS has no built-in quarantine system that I know of. Now I know that Microsoft distributes a free tool, but you have to choose to load it. That tool may be much more robust than Apple's current system, but that is because it has to be. Apple has shown a willingness to deliver exactly what it needs to, to keep ahead of the malware writers.

I would argue that they continue to succeed in making the Mac an unattractive target and thus make Mac users safer, if not downright safe. If we continue to see large-scale successful attacks against Mac users, I will be proven wrong. But I'm betting that we will continue to hear about 1 or 2 of these every year and Apple will squash them like the bugs they are, and Mac and iOS users will continue to pay little to no attention to concerns of viruses.
Mathew
User Rank: Apprentice
4/20/2012 | 9:55:09 AM
re: Mac Trojan Fallout: Apple Security Glory Days Gone?
@Puggsly and others, you're correct -- 600k isn't 3% of Mac users; didn't mean to imply that it was (article wasn't clear). Initial stats from some security firms had estimated that 2% to 3% of all active Macs were infected, but later stats settled on the 1% to 2% figure.
Likewise, you're correct that the Java-vulnerability-exploiting Flashback didn't make its appearance in February, but also it wasn't April; it was the end of March.
Other dates: The bug exploited by attackers was patched by Oracle in its Feb. 17th Java update for Windows. Apple then released an update patching the Java bug in OS X on April 3.
We'll update the story to correct the stats.

Thanks,
Mathew
YMOM100
User Rank: Apprentice
4/20/2012 | 11:16:22 AM
re: Mac Trojan Fallout: Apple Security Glory Days Gone?
Why "gone"? Apple never had security glory days; they just were lucky that their disinterest and tardiness in regards to security did not get punished sooner.
Tronman
User Rank: Apprentice
4/20/2012 | 5:16:45 PM
re: Mac Trojan Fallout: Apple Security Glory Days Gone?
Another mac user in denial.
ANON1237925156805
User Rank: Apprentice
4/23/2012 | 5:36:33 PM
re: Mac Trojan Fallout: Apple Security Glory Days Gone?
I take slight issue with this article. There's no question that the "bang for the buck" has some validity. It doesn't follow that one serious malware attack proves that the Mac environment was never all it was cracked up to be.

Macs are far from invulnerable and I've never seen an Apple ad that said they were. Still there are legitimate technical reasons why Macs have been deemed more robust, especially compared to older versions of Windows. These relate to the inherently secure nature of the Unix kernel. It's hard for malware to penetrate and hard for it to remain in place undetected. All of Unix's children inherit these qualities including OS X, iOS, Linux and Android.

IW has written several articles about this in the past and there are plenty of objective descriptions on the web as well. Bill Gates certainly acknowledged this when he chose to spend his last days at Microsoft heading the effort to harden Windows/Office. (No question that Microsoft has greatly improved in this area.)

The challenge today is that in our n-tiered client-server world, there are many layers through which malware can attack and do harm and many places for it to lodge. Even if a bad actor can't take up permanent residence in the kernel, it can do a lot of damage before it's detected. Think of how much a burglar could remove from your home in 10 minutes were you to leave the door open while running a quick errand.

That's why anyone with common sense treats all PCs and mobile devices as being at risk, whether they be Windows, Mac or Linux. We all know the steps to take, ranging from anti-virus to WEP 2 Wi-Fi to hardware/software firewalls, to absolutely never ever installing upgrades from pop-ups of unknown origin. Dare I say that this is especially true for Adobe software?

Microsoft, Apple and Google must take the lead in educating users about risks and solutions. So far that hasn't happened to the extent that it should, perhaps because no vendor wants to publicly admit that its products have weaknesses. So in the meantime, users have a responsibility to learn what to do and to implement it.

In terms of Apple's post-attack behavior, it's WAY too soon to say that they failed a critical test. The problem is that their defensiveness in the past makes us not give them the benefit of the doubt. Apple will have to earn our trust by being more forthcoming and responsive when problems occur and evolving proactively as threats morph over time.

Sad as Mr. Jobs' departure is, Apple without him is starting to show signs of change in this area. May it continue so that they retain their deserved reputation for quality and security.