Flashback Malware Puts Apple in Security Spotlight: Experts Weigh In

Increased market share coupled with Apple's lack of transparency are largely to blame for an uptick in Mac security problems, say experts.

It was a busy week for Apple malware hunters fighting the Flashback Trojan horse, which has infected between 270,000 and 600,000 Macs. A bevy of tools to find and remove the malware debuted this week. And two days after promising to release a detection and removal tool, Apple finally offered its own fix.

Now, as the dust settles on what is considered to be the largest Mac malware threat to date, experts have started pointing fingers at Apple as being partially to blame for the scope of the Flashback malware infection. They argue that if Apple were more transparent about security issues--and if it had promptly released a Flashback fix--the extent of the damage could have been smaller. Also contributing to the magnitude of the infections is a boost in the number of Mac OS users, they say.

"When the installed base [of an OS] is 10 percent or less, the bad guys don't care," says Peter James, spokesperson for Mac antivirus and security product vendor Intego. The bigger the user base, the more attractive the target, he says. Web analytics firm NetMarketShare.com estimates that the Mac installed base has jumped to 13 percent in the United States, and research firm Gartner says that Apple has become the fastest-growing U.S. computer maker--overtaking Acer and Toshiba--over the past year.

Apple's Image of Invulnerability--Gone

Perhaps surprisingly, James and other security experts say that Apple needs to look to Microsoft when it comes to handling OS security breaches. For years Apple has mocked Microsoft for its track record in dealing with Windows malware, viruses, and weekly patches. Now the tables have turned, says Larry Ponemon of the Ponemon Institute.

Ponemon and others say the Flashback Trojan horse is the final nail in the coffin for Apple's stellar security image. He says that although Microsoft juggles a much larger number of threats, it does a better job of warning customers and delivering fixes.

We have heard dire "Macpocalypse" warnings before. Last year Apple's sterling security image was tarnished with the advent of the Mac Defender malware program. Before that, in 2006, the focus was on the Leap.A virus, the first ever virus for Mac OS X. (For a great short history of Apple Mac malware, check out NakedSecurity.com's timeline from 1982 to 2010.) But this time, security experts insist, Apple's security bragging rights are gone for good.

Mac Security Experts: Full Disclosure

It's worth noting that Mac security software sales jumped as Flashback infections began to dominate tech headlines. That fact has prompted many vocal critics to point out that it's in the self-interest of Mac antivirus companies to be critical of Apple's security measures.

But a brief timeline of Flashback, security experts say, illustrates their point. The underlying Java vulnerability that Flashback exploited was publicly known, and patched by Oracle, in February. On April 3, Apple released a Java security bulletin pointing to the Oracle patch, and declined to disclose, discuss, or confirm the infections. On Tuesday, Apple acknowledged the existence of Flashback and said that it was developing software to detect and remove the malware. On Thursday, it released the Flashback malware removal tool.

What Apple Can Learn From Microsoft Security

First off, there is no disputing that Microsoft, having the dominant OS, faces far more security threats than Apple does. You can argue all day about how secure Apple's flavor of BSD Unix is versus Microsoft's Windows, but the difference is Microsoft's transparency. As PCWorld's sibling publication Macworld puts it: Apple has a good security record, but "it still has some work to do in terms of its reputation for security."

Mac OS users unfamiliar with Windows may be surprised to learn that Microsoft regularly schedules the rollout of security fixes on Patch Tuesday, the second Tuesday of each month. But for IT managers and consumers, knowing what's at risk and when a fix will be available is vital for minimizing exposure to threats. Microsoft also issues critical patches as they become available for exploits.

The system is not perfect; coupled with Windows Update, however, it offers a first line of defense against malware, exploits, and viruses.

Mac OS also automatically checks for software updates every week, and you can change that setting for more-frequent updates. But it's Apple's legendary wall of silence and foot-dragging on deploying fixes that have placed it in security experts' crosshairs.

"When problems and vulnerabilities exist, Microsoft provides information quickly," Ponemon says. Microsoft, he notes, has been good at communicating, sometimes to the point of being annoying. "Apple hasn't done as much to communicate with its users," he says.

Apple's iron grip on information and the release of fixes has been a nagging issue for years. In 2008, for example, Apple took over four months to patch a DNS vulnerability.

"Why Apple did not deploy these fixes before Mac users were victimized by criminals is unclear," wrote Chester Wisniewski, a security researcher for UK-based vendor Sophos, in a blog post about Flashback.

Brian Krebs, of Krebs on Security, says that more threats are on the way. "We can expect an evolution of threats against Mac users that will largely mirror those that Windows users face: that is, via the exploitation of vulnerable browser plug-ins, such as Adobe Reader, Flash, and most definitely Java."

Apple's Flashback fix, deployed Thursday, mitigates Java flaws. "As a security hardening measure, the Java browser plug-in and Java Web Start are deactivated if they are unused for 35 days," Apple says.

Ignorance Is Not Bliss

The bigger problem, say some observers, is correcting the perception that the Mac platform is invulnerable. That notion has fostered a laissez-faire attitude toward security among Apple customers, says Intego's Peter James.

For years Apple has promoted the idea that Macs are far less vulnerable to malware and viruses than PCs are. As part of the "Get a Mac" television ad campaign in 2006, actor John Hodgman (as the PC) says, "Last year, there were 114,000 known viruses for PCs." And Justin Long (as the Mac) replies, "PCs, but not Macs."

Mac users are faced with new threats that require new security precautions, James says. "They're faced with threats they've never seen before."

System administrator Steve Mallard says that many of the student Mac users for whom he provides help-desk services live in denial. Mallard, an IT manager for several state universities at the Tennessee Technology Center in Shelbyville, Tennessee, says students come to his staff with Mac problems and don't believe that their computers have been infected until shown the evidence.

Over the past few years, Mallard says, he has seen the percentage of infected Macs brought in by students jump from 1 to 15 percent.

"Even though the Mac OS is more secure, its users don't have the awareness," Intego's James says. "Educating users to the risks that they face is one of the most important things Apple can do, the same way you teach your kid to cross at the green light."

Copyright © 2012 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)