Are Macs as insecure as PCs? It's a notion that once was unthinkable, but increasingly is being said out loud.

Recently, Mac OS X users have been at risk thanks to a Java-based attack vector. The Flashback malware specifically targeted OS X, and took advantage of the fact that Apple had not yet updated its users to a fully patched version of Java. More than half a million Macs were infected by the malware, which turned the victimized machines into a remote-controlled botnet.

Late Thursday, Apple issued a new Java for OS X Lion update that patches Java and provides a unique type of protection for OS X users.

Apple's update not only provides a fully patched version of Oracle's Java SE 1.6.0_31, it also removes the Flashback malware. Taking a proactive approach, Apple has configured their version of the Java plug-in to not execute Java applets automatically by default. This means that user interaction will be required to enable a Java applet to run. Even if a user changes their preferences to auto-execute Java, the Apple Java plug-in will revert to disabling automatic execution, if no Java applets have run for an extended period of time.

At least one security expert views Apple's new Java plug-in approach to be a step in the right direction.

"We have been telling users to disable or uninstall Java if they do not need it, but we know very well that only very security-conscious users will do so," Qualys CTO Wolfgang Kandek said. "Giving the task of monitoring Java use to the computer itself is a great idea and it will be interesting to see how user acceptance will work out."

Apple's Java Update Delays to Become a Thing of the Past

The Flashback malware was successful because it was able to exploit a vulnerability in Java that Oracle had already publicly patched. Apple has long trailed Oracle (and previously Sun) in providing OS X users with updates to Java. Back in 2009, security researchers issued warnings about the possible risks of the long delay between the official Sun/Oracle Java release and the Apple Java release.

In fact, multiple organizations have in recent years pointed to out-of-date Java installations as being the most vulnerable browser plug-in.

Both Oracle and Apple are aware of the issue and eSecurity Planet has learned that there is a fix in the works that may help to reduce the vulnerability window for Apple users. Currently there is a delay between the time an Oracle Java update is released and the corresponding Apple Java release is generally available. That delay will soon be a thing of the past.

Apple has been working on fixing this delay since at least November 2010. At that time, Apple announced that they would be giving the components for their implementation of Java on OS X to the Oracle-led OpenJDK project. However, Apple's OpenJDK announcement was specific for Java SE 7, while Apple would continue to maintain Java SE 6 for OS X.

There is an OpenJDK update that is due to drop in the next two weeks, before month's end. eSecurity Planet has learned that for the first time, OS X will be part of that release. Unfortunately, that release will only be the JDK (Java Developer Kit) and not the JRE (Java Runtime Environment) that end-users install. It is, however, the first official step in the process that will soon lead to a release of a Java JRE for Mac OS X at the same time as it is available for Windows, Linux, and Solaris users.

OS X: The Next Malware Frontier?

While OS X's window of vulnerability with delayed Java updates was the root cause that triggered the recent Flashback malware outbreak, it is not the only security issue facing Mac users.

Last June, Apple had to patch OS X for the MacDefender malware infection. Furthermore, security researchers at Black Hat have been targeting Macs for several years, and have demonstrated multiple exploits in public.

Simply staying up to date with Java and other applications might not be enough anymore. As the escalation of recent Mac-specific malware and attacks has demonstrated, Mac users and IT organizations should be taking steps to properly secure their Apple hardware assets. From a network perspective, enterprises can protect their Macs with proper Intrusion Prevention System (IPS) rules.

"We provide detection of the exploit that delivers Flashback and detection of post-compromise behavior as well, which then allows us to help enterprises have the proper protection," Matt Watchinski, vice president of vulnerability research at Sourcefire, told eSecurity Planet.

But at the client level, it is probably time for Mac users to abandon the pretense that their machines don't need antivirus software. Roger Thompson, Chief Emerging Threats Researcher at ICSA Labs, explained to eSecurity Planet that for a platform to be a virus target, three conditions need to be met:

  1. The operating system has to be well enough understood that people of hostile intent can write malware.
  2. The development system needs to be cheap enough that the people of hostile intent can afford it.
  3. The target base needs to be big enough to provide a return on the effort.

"If you're missing any of these three, you probably don't have a virus problem," Thompson said. "It's why it's not an issue for mainframes or mini-computers, for example. Mac now satisfies all of those conditions."

ICSA Labs is a testing and certification center for anti-virus software and currently publishes test results for solutions running on both PCs and Macs. Thompson noted that there is currently no difference in how ICSA Labs tests the products on different platforms. In his view, the risks are fundamentally the same.

As a result of the attention that the Flashback malware has brought to the topic of Mac security, Thompson says he expects that antivirus vendors that don't currently have a Mac product are probably now looking to build one.

"Having said all that, I have to add that I don't expect a rush by Mac users to install antivirus," Thompson said. "It reminds me of the very early days of MS-DOS viruses, where people simply weren't interested, until they got one and then it got their attention really quickly."

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com, the news service of the IT Business Edge Network. Follow him on Twitter: @TechJournalist.