12:23 PM

Apple Changes Security Playbook With Flashback Response

Responding to malware spread by the huge Flashback botnet, Apple has for the first time come clean about a threat before it's readied a fix. Is it a new security day in Cupertino?

Stunned by the revelation that 1% of all OS X Macs may have been hijacked by a botnet named Flashback, spread through a Java vulnerability, in the largest Apple malware outbreak in history? For Mac security watchers, that's nothing compared with the first-time revelation from Apple--wait for it--that it's still coding a fix for a security issue.

"Apple has--apparently for the very first time!--talked about a security problem before it had all its threat response ducks in a row," blogged Paul Ducklin, head of technology for Sophos in the Asia Pacific region.

Indeed, in a security bulletin titled "About Flashback malware" released Tuesday, Apple said that it's taking direct aim at the malware in two ways: "Apple is developing software that will detect and remove the Flashback malware. In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network."


Apple has historically downplayed security issues affecting Mac OS X, detailing them only in the release notes for operating system updates. Exceptions--such as last year's outbreak involving fake security software known as MacDefender--are rare. In that case, Apple offered detailed guidance for avoiding the malware, while also acknowledging that it was building detection and removal for it into OS X itself.

So what's behind the more recent security information disclosure shift? For starters, there's the scale of the outbreak. Kaspersky Lab said that last week it saw 670,000 active machines infected with Flashback (aka Flashfake). While that number had dropped to 237,103 by Sunday, the company warned that the botnet remains active. "The decrease in infected bots does not mean the botnet is rapidly shrinking. The statistics represent the number of active bots connected to Flashfake during the past few days--it is not the equivalent of the exact number of infected machines," read a statement released by Kaspersky.

But the Flashback eradication campaign was also personal: at least 274 infected Macs were located in Cupertino.

Here's where the fixes stand: Last week, Apple pushed an update for Mac OS X v10.6 and 10.7 that closes the Java vulnerability Flashback exploits (CVE-2012-0507, in the Java SE 6 runtime that Apple builds and distributes itself for these releases). Mac OS X automatically checks for updates weekly, but users can trigger updating by running Software Update. Note that installing the patch stops new infections through the applet vector; it does not, by itself, clean a Mac that was already compromised, which is what the separate removal software Apple announced is for.

Users of older Mac operating systems, meanwhile, are still waiting for a permanent fix. Apple said that until that happens, they can disable Java, but is that really feasible? "Suggestions to ditch Java are unhelpful and unlikely for the average user. It is far too ubiquitous," said Adrian Sanabria, a security engineer at Sword & Shield Enterprise Security who's been tracking the outbreak.

Quitting Java outright is also hard, since some software--Adobe's CS5 suite, which includes Photoshop and Dreamweaver, for example--won't run without a Java runtime environment installed. The distinction that matters for Flashback is between the runtime and the browser plug-in: the exploit arrives as an applet loaded by the browser, so disabling Java in the browser (in Safari, under Preferences > Security) or in the Java Preferences utility closes the infection vector while leaving the runtime in place for desktop applications that need it.

Another option is to take direct aim at the malware by using free Flashback detection and removal tools released by Russian antivirus firm Dr. Web. Kaspersky Lab likewise released its own Flashback detection and removal tool.

Flashback gets onto a Mac by drive-by download: a compromised Website redirects the browser to a server that pushes JavaScript loading a malicious Java applet containing the exploit. What's more interesting is what makes the malware decide not to install. Before dropping its payload, it scans the disk for the Little Snitch firewall, the Packet Peeper network protocol analyzer, Apple's Xcode development tools, or one of a number of antivirus products for Mac OS X, all of which would help detect the threat; for unknown reasons, it also looks for Skype and Microsoft Office. If it finds any of these applications, it deletes itself without executing the malicious payload. This is anti-analysis behavior (the authors would rather lose a victim than be caught on a machine where someone might notice), so read it as a signal about what the attackers fear rather than as a protection to rely on. Still, running Mac security software, at least in the case of this malware, pays off in more ways than one.
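As an added example (not code from the article, Apple, Dr. Web or Kaspersky), here is the fleet triage a Mac administrator would want after reading the last few paragraphs: for each machine, decide whether it got Apple's Java fix, whether the Java plug-in should be disabled because no fix exists for its OS release, and whether it carries any of the applications that make Flashback abort its own install. The inventory records are constructed sample data, and the threshold used for "fixed" Java, Java SE 6 1.6.0_31, is this example's assumption rather than a figure from the article.

```python
"""Fleet triage after the Flashback outbreak: patch state, Java exposure, and
the abort markers Flashback checks for. Added example; inventory is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Applications the article says make Flashback delete itself instead of installing.
FLASHBACK_ABORT_MARKERS = ("Little Snitch", "Packet Peeper", "Xcode", "Skype", "Microsoft Office")
# Releases for which the article says Apple shipped the Java fix.
PATCHED_OS_RELEASES = ("10.6", "10.7")
# ASSUMPTION of this example: the fixed Apple Java build is Java SE 6 1.6.0_31.
FIXED_JAVA = (1, 6, 0, 31)


@dataclass(frozen=True)
class MacRecord:
    host: str
    os_version: str                 # e.g. "10.7.3"
    java_version: Optional[str]     # e.g. "1.6.0_29"; None if no Java runtime installed
    java_plugin_enabled: bool       # is the browser Java plug-in switched on?
    apps: Tuple[str, ...]           # installed application names


def parse_java_version(text: str) -> Tuple[int, int, int, int]:
    """'1.6.0_31' -> (1, 6, 0, 31); a missing update number counts as 0.
    Tuples compare element-wise, so '1.6.0_9' < '1.6.0_31' comes out right
    (naive string comparison would get it wrong)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def os_release(os_version: str) -> str:
    """'10.7.3' -> '10.7': Apple ships the fix per release, not per point update."""
    return ".".join(os_version.split(".")[:2])


def triage(rec: MacRecord) -> Dict[str, object]:
    """Classify one Mac. Statuses: patched, vulnerable, exposed, mitigated, no-java."""
    would_abort = any(marker in app for app in rec.apps for marker in FLASHBACK_ABORT_MARKERS)
    if rec.java_version is None:
        status, action = "no-java", "none: the applet infection vector is absent"
    elif os_release(rec.os_version) in PATCHED_OS_RELEASES:
        if parse_java_version(rec.java_version) >= FIXED_JAVA:
            status, action = "patched", "none"
        else:
            status, action = "vulnerable", "run Software Update now"
    elif rec.java_plugin_enabled:
        status, action = "exposed", "disable the Java plug-in: Apple has no fix for this release"
    else:
        status, action = "mitigated", "keep the Java plug-in disabled"
    return {"host": rec.host, "status": status, "action": action,
            # True means Flashback would have skipped this host. That is an evasion
            # choice by the malware, not a protection, so it never changes the action.
            "flashback_would_abort": would_abort}


def triage_fleet(records) -> Dict[str, Dict[str, object]]:
    """Run triage over an inventory; keyed by hostname for easy lookup."""
    return {rec.host: triage(rec) for rec in records}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = (
    MacRecord("mbp-cupertino-01", "10.7.3", "1.6.0_29", True, ("Safari", "Skype")),
    MacRecord("imac-design-07", "10.6.8", "1.6.0_31", True, ("Safari", "Adobe Photoshop CS5")),
    MacRecord("ppc-lab-03", "10.5.8", "1.5.0_30", True, ("Safari",)),
    MacRecord("mini-ops-02", "10.5.8", "1.6.0_26", False, ("Safari", "Little Snitch")),
    MacRecord("air-sales-11", "10.7.3", None, False, ("Safari",)),
)

if __name__ == "__main__":
    for row in triage_fleet(SAMPLE_INVENTORY).values():
        print(f"{row['host']:<18} {row['status']:<11} abort={row['flashback_would_abort']!s:<5} {row['action']}")
```

The version parser is the part worth copying: Apple's Java versions are compared as tuples, because a string comparison of "1.6.0_9" against "1.6.0_31" gets the answer backwards. The abort-marker column is deliberately informational only; a host Flashback would have skipped still needs the same patch or plug-in change as any other.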

On the outbreak scale, how does Flashback rank compared to malware seen on Windows? What's notable is that Apple is pushing the fix, and has promised the removal tool, through the operating system's own Software Update, so users of current versions of Mac OS X see them installed automatically. That is a different picture from the one Mac users are used to, though not an advantage over Windows: Microsoft has delivered its Malicious Software Removal Tool through Windows Update every month since 2005, and Oracle's own Java 6 Update 31 closed the same vulnerability for Windows and Linux users in mid-February, some seven weeks before Apple's build of Java caught up.


User Rank: Apprentice
4/24/2012 | 12:58:01 AM
re: Apple Changes Security Playbook With Flashback Response
"By comparison, Windows users must still rely on antivirus add-ons to help them spot and block such threats." Are you serious? Microsoft updates its OS more often than Apple does, the Flashback update was already published for Windows much earlier than for OS X, and that's why the infections. Something that you don't want to admit is the fact that OS X really needs an anti-malware program, because by the time that Flashback was found on several computers there were also two other infections.

Windows-based computers are far more secure than OS X; the built-in firewall (Windows 7) is enabled by default and is a variant of ISA Server, while in OS X it is disabled by default.
User Rank: Ninja
4/14/2012 | 10:16:46 PM
re: Apple Changes Security Playbook With Flashback Response
Apple was smart to show the flag on this one. Intego is also among the companies that have a free tool for Flashback.
Brian Prince, InformationWeek/Dark Reading Comment Moderator