Apple needs to respond faster because malware will return
Apple needs to patch its own and third-party included software faster, or the recent Flashback infection will be the harbinger of much worse malware to come.
Special to The Seattle Times
Coping with Flashback
• Developer Juan Leon's free download to check for Flashback's presence: https://github.com/jils/FlashbackChecker/wiki
• F-Secure website, with instructions to remove Flashback.
The Flashback malware has likely infected more than 500,000 Macintoshes, or at least 1 percent of current Macs, representing one of the broadest penetrations of a computer platform by a malicious program.
Most Mac writers I know (and yours truly) have expected for years an event of this magnitude. Those who denied the possibility were using magical thinking. Mac OS X is cleverly designed, but not impregnable.
Once Flashback installs itself (and back to that in a moment), it can harvest passwords and other data from the Safari browser, and try to trick you into typing in an administrative password. Even without that password, it has the capability of malicious activity against your own data and on the broader Internet.
The malware makes your computer into part of a "botnet," in which it can be remotely controlled, have new malware installed and perform attacks on other systems. It can also rewrite Web pages as they load to replace advertising, from which the malware authors receive income.
Unlike previous Mac malware that made it into the wild (as opposed to theoretical exploits that researchers discovered and that were then fixed), the current form of Flashback requires nothing more than visiting a Web page that exploits a flaw in an earlier version of Java.
Apple has since updated Java for Snow Leopard and Lion to fix this problem. Lion doesn't include Java by default, but you're prompted to install Java the first time you need it. (I use CrashPlan for backup, which is a Java-based program.)
This kind of assault is called a "drive-by attack": it doesn't need to fool a user into downloading software, or force a download after which a password must be entered to install the malware.
Flashback first emerged last year as a Trojan horse (appearing to be an Adobe Flash installer) that had to be installed. Now, it's fully self-running when conditions are met.
Apple distinctly erred when it sat for two months on an update from Oracle, which maintains Java, for the flaw Flashback exploits. This mistake should serve as a wake-up call within the company to turn such patches from outside sources into updates for Mac OS X much faster.
Apple uses an enormous amount of not-created-there software. The security community has criticized Apple for years for its lackadaisical approach to security fixes for its own and included programs and components.
On Thursday, Apple released a Java update for Mac OS X 10.6 and 10.7 via Software Update and its support website that removes Flashback, and deactivates Java for Web pages in Lion. (It can be re-enabled when a page requires Java, but Lion will turn it back off after 35 days of no Java use on a website.)
It's fortunately relatively easy to detect whether you have the malware. The tech site Ars Technica wrote up a free download by a developer, Juan Leon, that checks for Flashback's presence. It's available at https://github.com/jils/FlashbackChecker/wiki.
Removal of the malware can be a pain. You have to enter a series of command-line instructions via the Terminal. There's a link in Leon's program to those instructions on the site of security software firm F-Secure (http://f-secure.com).
If you find Flashback infesting a system, you might wonder how to avoid the problem in the future. Turning off Java in browsers except on the occasions when it's needed, which is relatively rarely these days, is one method. (In Safari's preferences, click Security, then Web Content, and uncheck the Enable Java box.)
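The column points to F-Secure's manual check but doesn't reproduce it. The script below is an added example (not code from the column, from Juan Leon's checker or from F-Secure) that looks for the persistence trick F-Secure's instructions have you inspect by hand: a DYLD_INSERT_LIBRARIES entry planted in Safari's Info.plist or in ~/.MacOSX/environment.plist. That indicator, the two file paths and the sample plists are assumptions of the example, not facts stated in the column.

```shell
#!/bin/sh
# Added example: scan XML plists for a DYLD_INSERT_LIBRARIES entry, the
# library-injection persistence that F-Secure's Flashback notes check
# (assumed here; the column does not name it). Such an entry makes macOS
# load an attacker's library into Safari or into every application.

# Report on one plist. Returns 0 when clean or absent, 1 when an injection
# is present (and prints the injected path). Plain text matching keeps this
# runnable anywhere; on a Mac, convert binary plists first with
# `plutil -convert xml1 <file>`.
check_plist_for_dyld_insert() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "absent (fine): $f"
        return 0
    fi
    if grep -q 'DYLD_INSERT_LIBRARIES' "$f"; then
        echo "SUSPECT: $f injects a library:"
        # the <string> following the key holds the library path
        grep -A1 'DYLD_INSERT_LIBRARIES' "$f" | sed -n 's/.*<string>\(.*\)<\/string>.*/  \1/p'
        return 1
    fi
    echo "clean: $f"
    return 0
}

# Constructed sample plists so the check can be exercised offline; the
# injected path is a made-up placeholder, not a real Flashback artifact.
write_sample_plists() {
    d=$1
    cat > "$d/clean.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.apple.Safari</string>
</dict></plist>
EOF
    cat > "$d/infected.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.placeholder_injected.dylib</string>
  </dict>
</dict></plist>
EOF
}

# On a real Mac, check the two files F-Secure's instructions name (assumed):
# for f in /Applications/Safari.app/Contents/Info.plist ~/.MacOSX/environment.plist
# do check_plist_for_dyld_insert "$f"; done
```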
Java was once a way to have sophisticated interaction on a single Web page, something first supplanted by Adobe's Flash and now increasingly by Web apps relying on Ajax (browser scripting that can interact with the Web server) and HTML5.
The malware apparently also doesn't install if certain advanced tools are present, such as Little Snitch (a program that alerts you about network activity by applications), Apple's development software Xcode, and several anti-malware software packages.
But anti-malware software can't detect risks that it doesn't yet know about, and so while Flashback steered clear of machines running malware detectors, the detectors themselves didn't notice Flashback.
The greatest freakout factor with Flashback is that it spread without action. One group having proved this possible means more will attempt it.
While popular websites likely didn't accidentally host the attack, advertising networks are insinuated across millions of websites, and have in the past been exploited to carry payloads that seemed innocuous.
Apple needs to patch its own and third-party included software faster, or Flashback will be the harbinger of much worse malware to come.
Glenn Fleishman writes the Practical Mac column for Personal Technology and about technology in general for The Seattle Times and other publications. Send questions to firstname.lastname@example.org. More columns at www.seattletimes.com/columnists