Flashback: Macs finally attract the bad guys

Last week brought disturbing news for the Mac community. With the advent of the Flashback Java exploit, malware made its way onto a significant portion of Macs for the first time since the late ’80s. While Flashback doesn’t signal the end of the world, it is a wake-up call of sorts and should be taken seriously by Mac users and especially Apple’s security team.

What is Flashback?
Simply put, it’s “drive-by” malware that automatically installs itself on your Mac if you visit an infected website. It only works if your Mac is running Java, which unfortunately is extremely common. Your Mac almost certainly has Java installed if you bought it before last year. It’s Java, not the Mac OS itself, which contains the vulnerability that Flashback uses to get onto your computer. Once it’s installed itself, Flashback starts scanning your web activity (presumably for usernames and passwords, etc.) and sends its findings back to whoever developed it.

How do I get rid of it?
Oracle, the company that owns and produces Java, found this particular hole back in February and patched it for Windows users. Apple, however, releases its own Java updates on a much slower schedule, and didn’t offer a fix until last week. But once news started pouring in from antivirus companies about Flashback, Apple leapt into action with three Java updates, the last of which patches Java, turns it off until you actually need it, and removes Flashback from your system. The fix is available through Software Update (under the Apple menu) for Snow Leopard and Lion, so get downloading if you haven’t already. If you’re running an older version of OS X (Tiger, Leopard, or anything else), then follow the instructions here to test your Mac and uninstall Flashback. I still wouldn’t recommend running antivirus software, since Flashback is really the only Mac malware out there right now. If you really want to, ClamXav is highly reviewed.

It’s a safe bet that Java has more, as yet undiscovered, chinks in it that future malware could exploit. Due to its complex nature, Java is somewhat of a leaky ship, with a long history of security holes. If you don’t absolutely need it, consider disabling Java entirely. The latest update from Apple does this already, but go to Applications -> Utilities -> Java Preferences in the Finder to do it manually. You can also disable Java in Safari under Preferences -> Security. For Google Chrome, the process is significantly more complicated. (It’s almost like Google doesn’t want you finding too many privacy settings!)

Why is Flashback important?
Flashback is relatively tame malware, especially compared to the truly nasty stuff found on Windows. But it’s impressive that it managed to infect over 600,000 Macs within only a few weeks. That’s peanuts for Windows (there are actually more than 600,000 unique varieties of Windows malware, to say nothing of the computers they infect) but it’s about 1% of all Macs. The most widespread Windows worm in memory, Conficker, only managed to get 0.7% of all PCs. This gives Apple a pretty noticeable black eye, and leaves a lot of questions about how secure the Mac really is.

So are Macs going to become a virus-ridden mess just like PCs? Only time will tell, but I wouldn’t bet on it. It’s true that Mac market share is on the rise, and with each new gain comes added attention from hackers and cybercriminals. But Macs won’t take a majority share from Windows anytime soon, and probably never will. If you’re going to make a virus, it only makes sense to target the majority, so economics works strongly in the Mac’s favor.

That line of reasoning only works if you assume PCs and Macs are equally protected, and it’s currently unclear how exactly they stack up. As renowned Mac-cracker Charlie Miller says, “Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town.” Both platforms are practically secure, though one is far more likely to be attacked.

Overall, Apple has historically been very slow to patch vulnerabilities and doesn’t seem to acknowledge the existence of Mac malware until absolutely necessary. That culture has to change soon if they are to prevent any more malware from becoming this widespread. While Apple hasn’t been very proactive with its security, I’m hopeful that Tim Cook will seize the opportunity to tighten up his company’s reaction time and focus more on securing the Mac. Tim seems more pragmatic than Steve, and I doubt he wants anything to tarnish his legacy. An explosion in Mac malware would certainly do that. To its credit, Apple has been working on Mac security for some time, introducing daily updates to its virus definitions, app sandboxing later this year, and Gatekeeper with the Mountain Lion update due this summer.

I should note that iOS has almost no security risk, and Apple is clearly heading towards an iOS future. There are a handful of theoretical exploits that can affect the iPhone, but the real-world risk is nonexistent.

So in summary: Flashback is a widespread threat, but Apple has taken care of it already. The real question is whether Apple can keep up with malware in the future. Their track record so far isn’t stellar, but there are some promising signs of change.

For more in-depth coverage of Flashback and some sound security advice, read this Macworld article. It’s written by Rich Mogull, probably the preeminent Mac security researcher today. (And winner of the Wealthiest-sounding Name contest, if such a thing existed.)

– image from the 1992 cinematic platformer Flashback, as seen on gameanim.com