It was a busy week for Apple malware hunters fighting the Flashback Trojan horse, which has
infected between 270,000 and 600,000 Macs. A bevy of tools to find and remove the
malware debuted this week. And two days after promising to release a detection
and removal tool, Apple finally offered its own fix. Now, as the dust settles
on what is considered to be the largest Mac malware threat to date, experts
have started pointing fingers at Apple as being partially to blame for the
scope of the Flashback malware infection. They argue that if Apple were more
transparent about security issues--and if it had promptly released a Flashback
fix--the extent of the damage could have been smaller. Also contributing to the
magnitude of the infections is a boost in the number of Mac OS users, they say.
"When the installed base [of an OS] is 10 percent or less, the bad guys
don't care," says Peter James, spokesperson for Mac antivirus and security
product vendor Intego. The bigger the user base, the more attractive the
target, he says. Web analytics firm NetMarketShare.com estimates that the Mac
installed base has jumped to 13 percent in the United States, and research firm
Gartner says that Apple has become the fastest-growing U.S. computer
maker--overtaking Acer and Toshiba--over the past year.
Apple's Image of Invulnerability--Gone
Perhaps surprisingly,
James and other security experts say that Apple needs to look to Microsoft when
it comes to handling OS security breaches. For years Apple has mocked Microsoft
for its track record in dealing with Windows malware, viruses, and weekly
patches. Now the tables have turned, says Larry Ponemon of the Ponemon
Institute. Ponemon and others say the Flashback Trojan horse is the final nail
in the coffin for Apple's stellar security image. He says that although Microsoft
juggles a much larger number of threats, it does a better job of warning
customers and delivering fixes. We have heard dire "Macpocalypse"
warnings before. Last year Apple's sterling security image was tarnished with
the advent of the Mac Defender malware program. Before that, in 2006, the focus
was on the Leap.A virus, the first ever virus for Mac OS X. (For a great short
history of Apple Mac malware, check out NakedSecurity.com's timeline from 1982
to 2010.) But this time, security experts insist, Apple's security bragging
rights are gone for good.
Mac Security Experts: Full Disclosure
It's worth noting
that Mac security software sales jumped as Flashback infections began to
dominate tech headlines. That fact has prompted many vocal critics to point out
that it's in the self-interest of Mac antivirus companies to be critical of
Apple's security measures. But a brief timeline of Flashback, security experts
say, illustrates their point. The underlying Java vulnerability that Flashback
exploited was publicly known, and patched by Oracle, in February. On April 3,
Apple released a Java security bulletin pointing to the Oracle patch, and
declined to disclose, discuss, or confirm the infections. On Tuesday, Apple
acknowledged the existence of Flashback and said that it was developing
software to detect and remove the malware. On Thursday, it released the
Flashback malware removal tool.
What Apple Can Learn From Microsoft Security
First off, there is
no disputing that Microsoft, having the dominant OS, faces far more security
threats than Apple does. You can argue all day about how secure Apple's flavor
of BSD Unix is versus Microsoft's Windows, but the difference is Microsoft's
transparency. As PCWorld's sibling publication Macworld puts it: Apple has a good
security record, but "it still has some work to do in terms of its
reputation for security." Mac OS users unfamiliar with Windows may be
surprised to learn that Microsoft regularly schedules the rollout of security
fixes on Patch Tuesday, the second Tuesday of each month. But for IT managers
and consumers, knowing what's at risk and when a fix will be available is vital
for minimizing exposure to threats. Microsoft also issues critical patches as
they become available for exploits. The system is not perfect; coupled with
Windows Update, however, it offers a first line of defense against malware,
exploits, and viruses. Mac OS also automatically checks for software updates
every week, and you can change that setting for more-frequent updates. But it's
Apple's legendary wall of silence and foot-dragging on deploying fixes that
have placed it in security experts' crosshairs. "When problems and
vulnerabilities exist, Microsoft provides information quickly," Ponemon
says. Microsoft, he notes, has been good at communicating, sometimes to the
point of being annoying. "Apple hasn't done as much to communicate with
its users," he says. Apple's iron grip on information and the release of fixes
has been a nagging issue for years. In 2008, for example, Apple took over four
months to patch a DNS vulnerability. "Why Apple did not deploy these fixes
before Mac users were victimized by criminals is unclear," wrote Chester
Wisniewski, a security researcher for UK-based vendor Sophos, in a blog post
about Flashback. Brian Krebs, of Krebs on Security, says that more threats are
on the way. “We can expect an evolution of threats against Mac users that will
largely mirror those that Windows users face: that is, via the exploitation of
vulnerable browser plug-ins, such as Adobe Reader, Flash, and most definitely
Java.” Apple's Flashback fix, deployed Thursday, mitigates Java flaws. "As
a security hardening measure, the Java browser plug-in and Java Web Start are
deactivated if they are unused for 35 days," Apple says.
Ignorance Is Not Bliss
The bigger problem,
say some observers, is correcting the perception that the Mac platform is
invulnerable. That notion has fostered a laissez-faire attitude toward security
among Apple customers, says Intego's Peter James. For years Apple has promoted
the idea that Macs are far less vulnerable to malware and viruses than PCs are.
As part of the "Get a Mac" television ad campaign in 2006, actor John
Hodgman (as the PC) says, "Last year, there were 114,000 known viruses for
PCs." And Justin Long (as the Mac) replies, "PCs, but not Macs."
Mac users are faced with new threats that require new security precautions,
James says. “They’re faced with threats they’ve never seen before.” System
administrator Steve Mallard says that many of the student Mac users for whom he
provides help-desk services live in denial. Mallard, an IT manager for several
state universities at the Tennessee Technology Center in Shelbyville,
Tennessee, says students come to his staff with Mac problems and don't believe
that their computers have been infected until shown the evidence. Over the past
few years, Mallard says, he has seen the percentage of infected Macs brought in
by students jump from 1 to 15 percent. "Even though the Mac OS is more secure,
its users don't have the awareness," Intego's James says. "Educating
users to the risks that they face is one of the most important things Apple can
do, the same way you teach your kid to cross at the green light."