The first Apple-targeting malware to go wide has infected 600,000 Macs. IT needs to get proactive about educating Mac-toting BYOD employees who may be complacent about security.
The Flashback family of Trojans has been around and targeting the Mac platform since the middle of last year. The early versions, one of which presented itself as an installer for Flash Player, required user input and cooperation to infect a Mac. In recent days a far more dangerous variant appeared. OSX/Flashback.I operated in a "drive-by" mode, meaning that a victim need do no more than visit a malicious Web page to get infected.
Russian security firm Doctor Web estimates that over 4 million Web servers have been commandeered to spread the Trojan, and that 600,000 Macs worldwide have been infected as of April 5. Over half of the infected machines are in the US and 20 percent are in Canada, according to the security firm.
The creators of Flashback have used a variety of vulnerabilities in the Java runtime environment to get in the door. The early versions used a pair of JRE holes that had been discovered in 2008. The more dangerous current version began exploiting CVE-2012-0507 after March 16. This vulnerability had been reported to Oracle (the current custodian of Java) in January of this year and patched for Windows machines in February. Apple didn't patch it until April 3 (in fact it released two patches, amid speculation that the first one had been flawed, on the Lion platform at any rate). That 6-week window was sufficient to get over half a million Macs infected -- and almost all of those infections happened in the final 2 weeks.
Mac users are not accustomed to dealing with serious malware. Many believe their Macs to be invulnerable, in some intrinsic way, to the threats that have plagued the Wintel world for over a decade. In its marketing Apple has encouraged this dangerous belief, when surely the company has known the truth all along: that the Mac was not invulnerable, merely not targeted yet.
The combination of this unwarranted overconfidence on Apple's part, and the fact that the company maintains its own version of Java, has meant that patches for Java vulnerabilities have been slow in coming out of Cupertino. Security expert Brian Krebs concluded in 2009 that Apple was averaging 6 months to issue a Java patch. So its recent accomplishment of turning around a fix in only 6 weeks may be counted as progress. But in the face of an active drive-by exploit in the wild, it is still far too slow.
In its latest OS, Lion, Apple does not include Java by default, but it is easy to obtain and install there. In the previous OS, Snow Leopard, Java is present by default and is supported. Earlier OSs are no longer supported, but all have default Java installations. It's safe to assume that a fair number of users of these OSX systems are not in the habit of rushing to install security patches when they arrive from Apple.
For any company that allows or encourages employees to bring their own devices, the historical security posture of OSX presents risks. IT should be pushing to educate Mac-bearing users about the realities of the security situation their machines operate in. They must not be allowed to jeopardize corporate security through a belief that security need not concern them.