With well over half a million Macs reportedly infected with the Flashback Trojan, the myth of Apple’s invincibility to viruses is well and truly smashed.
Last week, researchers at Russian antivirus firm Kaspersky confirmed that more than 600,000 computers running OS X had been infected with the Flashback botnet, with the majority of affected machines being in the US, followed by Canada, the United Kingdom and Australia (map of infections by country courtesy of Dr Web).
Flashback exploited an unpatched vulnerability in Java, with the blame resting firmly with Apple who failed to update Java in OSX when Oracle first issued the fixes months ago – something that doesn’t quite chime with the claims made on their website:
Stay up to date, automatically.
When a potential security threat arises, Apple responds quickly by providing software updates and security enhancements you can download automatically and install with a click.
Kaspersky Lab’s Chief Security Expert, Alexander Gostev was scathing about Apple’s tardy response:
The three month delay in sending a security update was a bad decision on Apple’s part. There are a few reasons for this. First, Apple doesn’t allow Oracle to patch Java for Mac. They do it themselves, usually several months later. This means the window of exposure for Mac users is much longer than PC users. This is especially bad news since Apple’s standard AV update is a rudimentary affair which only adds new signatures when a threat is deemed large enough.
Apple knew about this Java vulnerability for three months, and yet neglected to push through an update in all that time! The problem is exacerbated because – up to now – Apple has enjoyed a mythical reputation for being ‘malware free’. Too many users are unaware that their computers have been infected, or that there is a real threat to Mac security.
Although Apple continue to insist that their machines are secure “right out of the box,” researchers have been pointing out that they’re no safer than Windows machines for years.
With the Flashback Trojan now proving this beyond any doubt, it’s disheartening to see Apple still trying to lull its users into a false sense of security, with its website saying:
Is a Mac safe from PC viruses?
Yes. The OS X operating system isn’t susceptible to the thousands of viruses plaguing Windows-based computers. And although no computer connected to the Internet is completely immune to all viruses and spyware, OS X has built-in defenses designed with your safety in mind. The Mac web browser, Safari, alerts you whenever you’re downloading an application — even if it’s disguised as a picture or movie file. And Apple continually makes free security updates available for Mac owners. You can even have them download automatically.
Although the clever, wriggly wording means there’s no chance of infected OSX users getting legal redress, it’s clearly a misleading claim, implying that Macs are safe from all viruses.
The only question a Mac user really wants answered is, “Is a Mac safe from viruses?” – but that’s something Apple’s image-conscious PR machine doesn’t want to answer honestly.
As McAfee Labs’ Dave Marcus commented: “All the stuff the bad guys have learned for doing attacks in the PC world is now starting to transition to the Mac world.”
“Mac has said for a long time that they are not vulnerable to PC malware, which is true: they are vulnerable to Mac malware.”
Time to be honest, Apple
Although most Mac users remain at relatively low risk of encountering a virus or trojan, that’s no excuse for encouraging complacency and continuing to foster the illusion that it’s only Windows machines that are going to be affected.
It’s time to stop the BS and be honest with your loyal users, Apple, and let them make informed choices – especially so when one considers how many viruses and scams rely on social engineering rather than technical flaws.
More info and background:
If you are infected by the Flashback Trojan, you can find useful guides to removing it here and here.
[Dr Web analysis of Flashback virus]
[Apple update info]
[Apple Snubs Firm That Discovered Mac Botnet, Tries To Cut Off Its Server Monitoring Infections]
[Download the free Kaspersky Flashfake Removal Tool]