Thursday, April 5, 2012

'Rude awakening' for Mac users: serious Mac flaw needs urgent fix


Apple has released an urgent patch for a security hole in the Java runtime it ships with Mac OS X. The hole has been used to infect some 30,000 Mac computers in Australia and more than 500,000 worldwide with malicious software (malware).
The critical update to Apple's version of Java for Mac OS X plugs at least a dozen security holes in the program and closes the one that attackers have recently pounced on to deploy malware broadly: automated exploit kits use it against Windows users, and the Flashback Trojan uses it against Mac users.
Flashback has been around since 2011, but its most recent variant installs itself without any user interaction when someone running a vulnerable Java plugin visits a legitimate website that has been compromised to serve the exploit, a process known as a drive-by download. Once installed, the malware sniffs the computer's network traffic in search of user names and passwords.
The update, Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7, sews up an extremely serious vulnerability (CVE-2012-0507, a type-confusion bug in the Java runtime's AtomicReferenceArray class that lets an untrusted applet escape the Java sandbox and run arbitrary code as the logged-in user). Miscreants recently rolled it into the automated exploit kits used to deploy malware to Windows users, and in the past few days information has surfaced that the same flaw has been used with great success by the Flashback Trojan to infect large numbers of Macs.
The revelations come from Russian security firm Dr.Web, which reports that the Flashback Trojan has successfully infected more than 550,000 Macs (hat tip to Adrian Sanabria, who wrote on his blog: "(...) many Mac users have been lured into a false sense of security, and will be, or may already be, in for a rude awakening. Apple's marketing efforts are at least partially responsible for this."). Dr.Web's post is in Russian; a Google-translated version is available here.
Flashback is an increasingly sophisticated malware strain that sniffs network traffic in search of user names and passwords. Early versions of it prompted Mac users to enter their password before it would run, but the most recent strains happily infect vulnerable Mac systems without asking for one, writes Ars Technica, among others: the Java exploit already runs code as the logged-in user, and that is all the access the trojan needs to plant itself and hook the browser. F-Secure has additional useful information on this Trojan attack here.
As Ars notes, although Apple stopped bundling Java by default in OS X 10.7 (Lion), Lion offers to download and install the Oracle-developed runtime the first time a webpage or application asks for it. If you need Java on your Mac only for a specific desktop application (such as OpenOffice), you can keep it installed but unplug it from the browser by disabling the Java plugin; that closes the drive-by route Flashback uses while leaving the application working. In Safari, open Preferences, choose the Security tab, and uncheck "Enable Java". In Google Chrome, open Preferences, type "Java" in the search box, scroll down to the Plug-ins section, and click the link that says "Disable individual plug-ins"; if Java is installed you will see a "Disable" link underneath its listing. In Mozilla Firefox for Mac, click Tools, then Add-ons, and disable the Java plugin(s). Check every browser you use: disabling the plugin in one browser does not affect the others.
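The following is an added example, not code from the original post or from any of the vendors it cites. It audits a Mac for the two things discussed above: whether Safari will still run Java applets, and whether the DYLD_INSERT_LIBRARIES persistence that F-Secure's Flashback removal guidance looks for is present, in either Safari's own Info.plist (under LSEnvironment) or the per-user ~/.MacOSX/environment.plist. All property-list contents below are constructed fixtures; the preference key WebKitJavaEnabled is assumed to be the one behind Safari 5's "Enable Java" checkbox, and the injected library paths are made up. On a real machine you would read the actual files and pass their bytes to the same functions.

```python
import plistlib

# --- Constructed fixtures (not captured from a real machine) -------------

PLIST_HEADER = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    b'<plist version="1.0">\n'
)
PLIST_FOOTER = b"</plist>\n"


def plist(body):
    """Wrap a <dict> body in XML property-list boilerplate (fixture helper)."""
    return PLIST_HEADER + body + PLIST_FOOTER


# ~/Library/Preferences/com.apple.Safari.plist with Java still switched on,
# and the same file after "Enable Java" was unchecked.
SAFARI_PREFS_JAVA_ON = plist(b"<dict><key>WebKitJavaEnabled</key><true/></dict>")
SAFARI_PREFS_JAVA_OFF = plist(b"<dict><key>WebKitJavaEnabled</key><false/></dict>")

# /Applications/Safari.app/Contents/Info.plist, clean and with a
# Flashback-style LSEnvironment entry (library path is invented).
SAFARI_INFO_CLEAN = plist(
    b"<dict><key>CFBundleIdentifier</key><string>com.apple.Safari</string></dict>"
)
SAFARI_INFO_INFECTED = plist(
    b"<dict><key>CFBundleIdentifier</key><string>com.apple.Safari</string>"
    b"<key>LSEnvironment</key><dict><key>DYLD_INSERT_LIBRARIES</key>"
    b"<string>/Applications/Safari.app/Contents/Resources/.fixture.so</string>"
    b"</dict></dict>"
)

# ~/.MacOSX/environment.plist: environment applied to every process the
# user launches, so a library listed here lands in every browser.
USER_ENV_CLEAN = plist(b"<dict></dict>")
USER_ENV_INFECTED = plist(
    b"<dict><key>DYLD_INSERT_LIBRARIES</key>"
    b"<string>/Users/example/.fixture.so</string></dict>"
)


def safari_java_enabled(prefs_bytes):
    """True if Safari will still run Java applets.

    Assumption: WebKitJavaEnabled is the key behind Preferences > Security >
    "Enable Java"; a missing key means the shipped default, which was on.
    """
    prefs = plistlib.loads(prefs_bytes)
    return bool(prefs.get("WebKitJavaEnabled", True))


def dyld_injections(app_info_bytes, user_env_bytes):
    """Report DYLD_INSERT_LIBRARIES entries in the two places Flashback used.

    dyld loads every library named in that variable into each process that
    inherits it, which is how the trojan got code into the browser without
    modifying the browser binary.  Returns a list of (location, library).
    """
    found = []
    info = plistlib.loads(app_info_bytes)
    lib = info.get("LSEnvironment", {}).get("DYLD_INSERT_LIBRARIES")
    if lib:
        found.append(("Safari Info.plist LSEnvironment", lib))
    env = plistlib.loads(user_env_bytes)
    lib = env.get("DYLD_INSERT_LIBRARIES")
    if lib:
        found.append(("~/.MacOSX/environment.plist", lib))
    return found


def audit(prefs_bytes, app_info_bytes, user_env_bytes):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if safari_java_enabled(prefs_bytes):
        findings.append(
            "Safari still has Java enabled: uncheck Preferences > Security > Enable Java"
        )
    for where, lib in dyld_injections(app_info_bytes, user_env_bytes):
        findings.append(
            "DYLD_INSERT_LIBRARIES set in %s -> %s (possible Flashback persistence)"
            % (where, lib)
        )
    return findings


if __name__ == "__main__":
    # Run against the infected fixtures: prints two findings.
    for line in audit(SAFARI_PREFS_JAVA_ON, SAFARI_INFO_INFECTED, USER_ENV_CLEAN):
        print(line)
```

To run this against a live Mac of that era, open the three files in binary mode and pass their bytes in; plistlib.loads detects the binary plist format that Safari's preferences are normally stored in, so no prior conversion is needed. An empty findings list means the plugin is off and neither persistence location is populated; it does not prove the machine is clean, since a variant could use a different location.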
Delete Java
I can't stress this point strongly enough: if you don't need Java, remove it from your system, whether you are a Mac or Windows user. If you need further convincing of my reasons for this recommendation, I'd encourage you to browse through some of my past Java-related posts.
Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily targeted, cross-platform application. In 2009, I examined Apple's patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun. The current custodian of Java, Oracle Corp, first issued an update to plug this flaw and others back on February 17, so Mac users were left exposed for roughly seven weeks while the flaw was in active use by exploit kits. I suppose Apple's performance on this front has improved, but its lackadaisical (and often plain puzzling) response to patching dangerous security holes perpetuates the harmful myth that Mac users don't need to be concerned about malware attacks.


  1. Reports are saying 600-750k Macs are now infected. Isn't that ALL of them?

  2. Lol, what say you now Brett? Don't you always say that these mac infections won't spread? That they're all just "fud"? I'll bet you anything this is only the beginning. It was probably a proof of concept for an even bigger payload.

  3. Consider that the "infection" stats are being sourced by a security software company with a strong incentive to inflate the figures.

    Reports of actual users experiencing problems have been insignificant.

    Regarding Dave's snarky remark, there are 58 million Macs in use. Apple shipped 2.5 million Macs in Q1 2012 alone. Even if we were to believe Secunia's figures, 600-750k hardly constitutes ALL Macs. Exaggeration is just one of the distortions that haters like to use.

    This is just another overhyped anti-Apple issue. The press will swarm on it for a while like flies on shit. Nevertheless, Mac sales and user satisfaction won't be affected adversely, and things will die down until the next "-gate" is trumped up.

  4. Brett, let me ask you a question. Are you a bottom-feeding lawyer or something? You sure do act like one. First you'll say, "there are no reports of Macs being affected"; if there are, you say "those reports are false or FUD (my favorite)"; or if the reports are numerous and impossible to ignore, you'll say they are inflated for someone to make money or exaggerated. It's always about redirection or denial and rarely about accepting the facts. Just sayin'.

  5. Although I haven't seen reports of how this malware has actually harmed users, it apparently has the potential to do so. The estimate of infection rate has now been verified by a second source. So apparently, about 1% of Macs in use have been hit. This is significant, perhaps a milestone. I can accept facts. But it doesn't invalidate the years of relative freedom from malware that Mac users have already enjoyed.

    Apple will undoubtedly step up its vigilance and response to these types of threats. The Mac will continue to provide a superior computing experience for most users, and life will go on.

  6. I think the big story here is that Apple has sold half a million computers!

  7. For haters who had no idea the Mac had become popular while they were busy dismissing it as useless, this would be an eye-opener.

  8. All I've said is that the Mac has historically been much safer than Windows, that numerous reports of Mac malware have been overhyped and have done little if any damage, and that the Mac will continue to be relatively safe as long as its marketshare remains low. All this is true. I never said the Mac was invincible.

    I even said the time may eventually arrive when I would be inclined to install security software. Up until now, I saw no need. So yesterday, I did in fact install ClamXav, and ran a manual check on my system (which turned up nothing).

    Haters are acting like this incident somehow finally equates Mac security problems with those that have plagued the PC for years. Well, it's true that Apple needs to step up its game now that Mac market share is attracting serious black hat interest. We still have a long way to fall before we would ever experience the net amount of misery that PC users have endured. At worst, we could achieve parity, but I don't think things will get that bad.

  9. But Brett, that's just the thing. The Mac has NOT always provided a "superior computing experience" for most users. I used to own a Mac and did not enjoy it much at all. The available software for it was limited at best and recovering files was not easy. Since I have switched to a PC I now know EVERYTHING is made for Windows. I've learned some DOS on my own over the years and file recovery is super easy. I can do all the same stuff that my Mac could, but more. I know many former Mac users, it's not as great as you think it is.

  10. Brett's living in denial, as usual. If you knew anything at all, it would be to have AV installed regardless of how safe you THINK you are. ALL of the AV apps for Windows I've used over the years have been FREE and lightweight, and I have NEVER gotten any sort of malware or virus on any of my systems. You seriously sound stupid when you defend Mac, just saying.