I am using the title from source 2 (less flamebait title) but the content is from source 1 (nice summary). I haven't seen this covered on the main page or forums; if it is, Mods please merge topics.
For Mac owners, the nightmare scenario finally arrived. A piece of malware called Flashback, which has been in existence and steadily evolving for at least seven months, has infected more than 600,000 Macs worldwide, based on forensic analysis by a Russian antivirus company.
What makes this outbreak especially chilling is that the owners of infected Macs didn't have to fall for social engineering, give away their administrative password, or do something stupid. All they had to do was visit a web page using a Mac that had Apple's then-current (and still unpatched) version of Java installed.
I’m not surprised.
Last May, I wrote a post titled “Why malware for Macs is on its way,” in which I pointed out evidence that a “tipping point” was near, thanks to the growing popularity of Apple’s software:
A gain of a few percentage points in the Mac market might not seem like a lot, but in a universe with a billion Internet-connected devices, each percentage point equals a potential 10 million victims. A market with 60 million, 80 million, or even a hundred million Mac users is big enough for the bad guys.
Upcoming versions of crimeware kits will probably be cross-platform, with the capability to build and deliver Windows and OS X packages using as many vulnerabilities and social engineering tricks as possible. On every poisoned web page, visitors get sorted by OS: Windows users this way, OS X users over there. Each group gets its own custom, toxic blend. If all it takes is a tick of a check box, the gangs using these kits can jump into the Mac market literally overnight.
So now the question is when will that day come? This year? Next year?
We now know the answer.
If you think 600,000 users isn’t a lot, let’s put it in perspective. According to the latest statistics from Net Market Share, there are roughly 13 Windows PCs for every Mac in the world. So an equivalent infection rate in the Windows population would translate to 7.8 million Windows PCs.
And that’s for one strain of one malware attack, launched over a very short period of time.
This won’t be the last, either. Unfortunately, the Mac community is ill-prepared for a sophisticated wave of attacks like these. Here’s why.
These attacks are designed to be quiet. The gang that unleashed Mac Defender last year was anything but quiet. Their business model was based on being very visible and convincing victims to pay for a rogue antivirus product that would remove the malware they had just installed. By being so obvious, they forced a response (and some of them wound up in jail). This gang, by contrast, managed to infect 600,000 machines while barely tripping any alarms.
Macs are not immune. For years Apple owners have been told that Macs don’t get viruses, but we know that’s not true. And Apple’s casual approach to security updates makes them arguably more vulnerable to this sort of attack than other platforms. Like all operating systems, OS X has its share of vulnerabilities that can be exploited. In that May 2011 post, I looked at a single OS X update, which repaired 23 separate vulnerabilities:
Every one of the vulnerabilities in the April update had existed in OS X for a minimum of 18 months before being patched. Every entry on that list was capable of executing hostile code on an unpatched system with little or no user interaction. If an attacker develops a successful exploit of one of those vulnerabilities, your system can be compromised, silently and with deadly effect, if you simply download a document, view a movie or image, or visit a website.
That’s an awfully big window of opportunity. And that pattern is found in other OS X updates.
Third-party software is an ideal vector. The current exploit is triggered by a known flaw in Java, which was installed on every copy of OS X until the release of Lion (OS X 10.7) last summer. The flaw was reported in January and patched by Oracle in February, but the Apple version of Java didn’t get a patch until early April. So for several months, every Mac owner was vulnerable unless they took specific steps to remove or disable Java.
Security expert Brian Krebs points out that this behavior by Apple is sadly typical:
Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple’s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun. The current custodian of Java – Oracle Corp. – first issued an update to plug this flaw and others back on Feb. 17. I suppose Apple’s performance on this front has improved, but its lackadaisical (and often plain puzzling) response to patching dangerous security holes perpetuates the harmful myth that Mac users don’t need to be concerned about malware attacks.
Similar recent attacks have successfully targeted vulnerabilities in Word on Macs. And there’s no reason not to expect attacks against other vulnerabilities in other popular third-party products like Adobe Reader and Skype.
Older Macs are especially vulnerable. According to the latest Net Market Share data, 17% of Macs worldwide are running Leopard (OS X 10.5) and Tiger (OS X 10.4), older versions of OS X that are no longer officially supported. The Java update that blocks this exploit is available for Leopard, but at least one Leopard user I spoke with says it hasn’t been offered to his Mac via Apple Software Update.
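The patch-lag point above comes down to a simple question a Mac owner (or an admin with a fleet of them) should be able to answer: is the Java runtime on this machine at or above the build that closes the hole? The snippet below is an added example, not code from the original article. It parses the `java -version` banner (which Java prints to stderr) and compares it against a minimum update level. The threshold `1.6.0_31` is an assumption for illustration; check Apple's release notes for the update that applies to your OS X version. The sample banners are constructed, not captured from a real machine.

```python
import re
import subprocess

# Assumed minimum patched build for this example; verify against Apple's Java release notes.
PATCHED = (1, 6, 0, 31)

# Matches the first line Java 6 prints, e.g.  java version "1.6.0_29"
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)_(\d+)"')


def parse_java_version(banner: str):
    """Return (major, minor, micro, update) from a `java -version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_patched(banner: str, minimum=PATCHED):
    """True if the banner's version is at or above `minimum`, False if below,
    None if no parseable Java version is present (Java absent or removed)."""
    version = parse_java_version(banner)
    if version is None:
        return None
    return version >= minimum  # tuple comparison: update number is the last element


def check_installed_java():
    """Run `java -version` on this host and classify it. Returns None if Java is absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return is_patched(proc.stderr)  # Java writes the version banner to stderr, not stdout


# Constructed sample banners (not real captures): an unpatched Apple Java and a patched one.
OLD_BANNER = 'java version "1.6.0_29"\nJava(TM) SE Runtime Environment (build 1.6.0_29-b11-402-10M3527)\n'
NEW_BANNER = 'java version "1.6.0_31"\nJava(TM) SE Runtime Environment (build 1.6.0_31-b04-415-11M3635)\n'

if __name__ == "__main__":
    for name, banner in (("old", OLD_BANNER), ("new", NEW_BANNER)):
        print(name, parse_java_version(banner), "patched" if is_patched(banner) else "VULNERABLE")
    print("this host:", check_installed_java())
```

A `None` result is not the same as "safe": on Leopard or Tiger it may simply mean Software Update never offered the fix and the runtime was removed by hand. Note too that a patched runtime says nothing about whether the machine was already infected before the update landed.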
And the biggest problem of all, as any Windows security researcher can tell you, is that a large number of PC owners don’t install updates regularly or at all. On Windows PCs, for example, the most commonly found malware in 2010 was installed using an exploit that had been patched years earlier:
Conficker’s means of propagation is a vulnerability in the Windows Server service. This vulnerability was fixed in October 2008 by Security Bulletin MS08-067, which patched Windows 2000, XP, Vista, Server 2003, and Server 2008. (Windows 7 was never affected.) There’s no excuse for that patch not being installed nearly two years later, in 2010.
Mac owners are human beings, just like their counterparts who own PCs. Some nontrivial percentage of them will ignore this and other updates and will be vulnerable to this sort of attack.
Antivirus software alone won’t help. The makers of Windows-based malware know how to build executable packages that change with every installation, so a defender that only recognizes files it has already seen never sees the same file twice. These polymorphic viruses frustrate signature-based defenses. Apple added automatic updates to its XProtect lists as a response to Mac Defender last year, and that list has been updated 47 times in the past 11 months. But it’s useless against even a moderately sophisticated attacker.
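To see concretely why a per-sample list such as XProtect's loses to polymorphism, here is an added example (not code from the article, and not real malware). It builds a constructed "payload" wrapped in a fixed decoder stub with a per-copy XOR key, so every variant is a different file. A hash blocklist that captured one variant (an assumption standing in for a vendor's signature entry) matches exactly that one; a check that emulates the decoder and looks at what the file does after unpacking matches all of them. The stub format and the payload text are inventions for the demonstration.

```python
import hashlib

# Constructed stand-in for a malware body; the string is arbitrary and does nothing.
PAYLOAD = b"SAMPLE-PAYLOAD: contact C2, then install a per-user launch agent"
STUB = b"DECODER-STUB:"  # invariant decoder prefix shared by every variant (constructed format)


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same function decodes."""
    return bytes(b ^ key for b in data)


def make_variant(key: int) -> bytes:
    """Build one polymorphic copy: STUB + 1-byte key + XOR-encoded payload.
    Each key yields a different file, so file hashes never repeat."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the payload in the clear)")
    return STUB + bytes([key]) + xor_encode(PAYLOAD, key)


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Hash blocklist in the spirit of a per-sample signature entry (assumption: the vendor
# captured exactly one variant, the one built with key 0x41).
KNOWN_BAD_HASHES = {sha1(make_variant(0x41))}


def hash_detect(sample: bytes) -> bool:
    """Signature check: is this exact file on the blocklist?"""
    return sha1(sample) in KNOWN_BAD_HASHES


def behavioural_detect(sample: bytes) -> bool:
    """Emulate the decoder stub, then look for invariant content in the unpacked body."""
    if not sample.startswith(STUB) or len(sample) <= len(STUB):
        return False
    key = sample[len(STUB)]
    body = xor_encode(sample[len(STUB) + 1:], key)
    return b"install a per-user launch agent" in body


def compare(n: int = 5) -> tuple:
    """Return (hash hits, behavioural hits) over n fresh variants starting at key 0x41."""
    variants = [make_variant(k) for k in range(0x41, 0x41 + n)]
    return (sum(hash_detect(v) for v in variants),
            sum(behavioural_detect(v) for v in variants))


if __name__ == "__main__":
    hash_hits, beh_hits = compare(5)
    print(f"5 variants: hash signature caught {hash_hits}, decoder emulation caught {beh_hits}")
```

Real packers do far more than a one-byte XOR, but the asymmetry is the point: each new variant costs the attacker nothing, while each new hash entry costs the defender a capture, an analysis and a list push, and protects only against the copy already in hand.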
It looks like the Mac malware industry has moved out of testing and into active deployment. For the bad guys, it’s a tremendous untapped market. And all the pieces are now in place for a long-term problem with no easy solutions.