Saturday, April 07, 2012

New Mac malware epidemic exploits weaknesses in Apple ecosystem

For Mac owners, the nightmare scenario finally arrived. A piece of malware called Flashback, which has been in existence and steadily evolving for at least seven months, has infected more than 600,000 Macs worldwide, based on forensic analysis by a Russian antivirus company.

What makes this outbreak especially disturbing is that the owners of infected Macs didn’t have to fall for social engineering, give away their administrative password, or do anything stupid. All they had to do was visit a web page using a Mac that had a current version of Java installed.

Although Apple owners have been told for years that Macs don't get viruses, that's known to be untrue. Furthermore, Apple's casual approach to security updates arguably makes Macs more vulnerable. The Java flaw was reported in January and patched in February by Oracle. Apple's version of Java didn't get a patch until early April.

Security expert Brian Krebs points out that this behavior by Apple is lamentably typical:

Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple’s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun. The current custodian of Java – Oracle Corp. – first issued an update to plug this flaw and others back on Feb. 17. I suppose Apple’s performance on this front has improved, but its lackadaisical (and often plain puzzling) response to patching dangerous security holes perpetuates the harmful myth that Mac users don’t need to be concerned about malware attacks.

For the complete article, see ZDNet.