Apple could be experiencing an ‘Adobe moment’ over its handling of the Flashback Trojan, with security companies and experts heaping criticism on the company for its slerotic response.
On the basis of figures from two sources, Russian companies Dr. Web and Kaspersky Lab, between 600,000 and 700,000 Mac computers have been infected by a piece of malware that uses drive-by and social engineering techniques to burrow into their systems.
The fact of infection is not apparent to the user as with most Trojans the malware is really a backdoor stub that downloads other software under the control of a remote server. In principle, this opens Mac users to a range of possible attacks, including one of the most feared, keylogging.
Apple’s response – or lack of it – has a number of layers, starting with the way it handles patches for Java vulnerabilities, in the case of the most recent version of Flashback hits users with CVE-2012-0507, used by the Blackhole Exploit Kit to hit users via compromised websites.
Java’s overseer, Oracle, patched this flaw in February but Apple only added this to its security fix cycle on 3 April, leaving anyone looking to exploit the flaw with several weeks to do so.
In fact, according to Dr Web, the domains used as command and control for the newest versions of Flashback exploiting CVE-2012-0507 were only registered on 25 March, so swifter action could have dented the botnet.
Apple stuck to its traditional update cycle and, with the apparently rapid infection levels made public around the same time as the official patch, the company found itself looking flat-footed.
It took Apple until 10 April to say anything particularly meaningful about with the support forum statement “Apple is developing software that will detect and remove the Flashback malware,” about as far as it went as the community was forced to visit the sites of security companies better known to Windows users to get hard information.
“While it's encouraging to see Apple taking steps to eradicate the Flashback Trojan, they're late to the party,” complained Zscaler ThreatLabZ security research VP, Michael Sutton.
“Unfortunately, Apple has a long history of putting blinders on when it comes to dealing with security researchers,” says Sutton, a reference to a clutch of smaller but equally poorly-handled incidents dating back as far as 2006.
The sentiment chimes with Roger Thompson of security testing outfit, ICSA Labs.
“Not only did they apparently fail to communicate with Dr. Web when first informed of the infection, their attempts to take down a command and control (C&C) domain also harmed the work being done by Dr. Web to sinkhole the C&C traffic.”
“It [Flashback] means that Mac malware is not just a reality, but is now a genuine problem,” he says, echoing sentiments being expressed across a range of security experts and vendors.
In short, Apple remains stubbornly complacent on the basis of assumptions that sounds strikingly similar to the travails of Adobe over numerous exploits targeting its software four years ago.
With Flash and Reader at the top of the arsenal of targeted software being used to compromise Windows PCs, Adobe tried to sit out the storm before finally embracing change and through 2009 and 2010, modifying its patching design and cycle.
"We're not a security company and this is not our probelm," seemed to be the attitude, an obsolete misunderstanding of the nature of contemporary software development.
Interestingly, at the time some described Adobe’s struggles as being a “Microsoft moment”, a reference to the OS giant’s failure to grasp the sudden and huge spike in attacks on Windows XP and the company’s Office suite during 2002.
Microsoft eventually buckled up, instituted a huge security reform programme that saw the adoption of its now-model Software Development Lifecycle (SDL), and today serious Microsoft OS and app vulnerabilities are much rarer and certainly quickly more quickly patched.
The pattern is one that Apple should pay attention to. As Microsoft reduced the number of serious flaws in its software, criminals looked elsewhere, settling on another commonly-installed vendor, Adobe. As Adobe and Sun/Oracle’s Java have tightened up, the same forces have spied a new frontline of poorly-protected Apple users relyng on an independent patch cycle, and so the world continues turning.
To sceptics in the Apple community, the security industry has its self-interest at heart and perhaps they have a point. Antivirus sales look to be decreasing somewhat in the PC world in the face of acceptable free products, not least Microsoft’s own Security Essentials, and a slow waning of interest in established operating systems.
The appearance of Mac malware is good for business, or would be if some vendors such as Sophos didn’t offer free products. These products represent good value given the still relatively low level of malware threats to Macs. Others will prefer to pay to get support.
Flashback is the important moment when Apple users were put on notice that they are not, after all, that different to PC users, just fewer in number.
“The issue is that for a decade, Apple has made a point of telling users that they had no malware problem, and the result of that is that Mac users have no antibodies, when it comes to malware. They don’t expect it, and too many people will click on, and install, anything,“ says ICSA’s Thompson.
“What, then, does this all mean to an end user, and what should they do about it? Folks, it’s time to install an anti-virus program. There will soon be a name for Mac users who are not running AV – victims.”