Flashback trojan Flash installer

Flashback trojan Flash installer

Brushed under the carpet or blown out of proportion by the sensational mainstream media? However you think the coverage of the Flashback trojan played out the fact is that Apple handled the whole thing badly. But in typical Apple fashion seems to have scraped through unharmed, I suspect in future they won’t be so lucky.

It all played out much the same way that any major exploit does. For Microsoft if an exploit grabs hold and spreads to tens of millions of Windows computers then it is big news, even if that proportion of install base is relatively quite low. For Apple, who’s reputation of invisible Macs prevails, the story is much the same. The Flashback trojan was said to have spread to over 600,000 Macs worldwide-which is estimated to be about one percent of the install base.

The method of infection was all relatively textbook, some nefarious JavaScript code on a webpage is used to load a Java-applet which will download a fake Flash installer. Safari if set to open “safe files” upon download will open the installer and any unsuspecting user will jump right into thinking it is a real Flash player installer. Once infected the trojan changes a bunch of network settings and attempts to silence network activity detection apps like LittleSnitch. The aim of the trojan is to add the infected Mac to a botnet used for DDoS attacks on websites.

All sounds unfortunately all too common so far and naturally such a trojan’s spread could be stopped by good user education. Installing apps that you haven’t opted to download or install, not opening downloaded files by default, not entering the system password unless 100% sure why, and ensuring you trust all websites visited are just a few ways in which the spread of such trojans could be slowed significantly. But that’s not the case and I know even relatively savvy Mac users who got snagged by Flashback, somehow.

Apple however doesn’t seem to want to take onboard any of these lessons and instead has opted for a worrying tactic that involves saying nothing about the exploit, releasing a patch and removal tool over a week later and assuming it’ll go away. I’m being kind by saying Apple took just over a week to get a handle on this problem, the truth is that Flashback was discovered by Intego in September 2011, long before the infection spread to hundreds of thousands of Macs. For the record Oracle patched the actual Java exploit earlier in the year but Apple opts to bundle such updates into large security updates which it chooses to release intermittently throughout the year.

When Apple did eventually release a patch, with an accompanying invisible removal tool, the company’s tactics became very clear. Apple’s solution to prevent future infections is to disable the automatic execution of Java applets which can be re-enabled by the user. If after a period of time no Java applets have been used then the Java plugin will disable itself again. This is merely patching a still untreated and bleeding wound.

I can almost see Apple huffing and puffing like a teenager who’s been told to do the washing up. Why should Apple spend resources constantly keeping up-to-date with Java patches and whilst we’re on the subject Flash exploits when Macs don’t even come with these installed? I appreciate that’s not quite an oranges to oranges comparison there as Java will offer to install upon detection and Flash will not but the point remains Apple should not try an remove itself from the responsibility for the security of its customers Macs.

The whole Flashback story is marred by a cringeworthy performance from Apple, when one of the largest mainstream news websites in the world covered the Flashback infection Apple “could not” provide a statement. Any communication from the company came through updates on its support website.

There is even a report that anti-virus firms trying to track the botnet servers and block them came up against Apple’s attempts to do the same but ended up with Apple blocking harmless tracking servers. Could very well have been an innocent error but one that a communication channel would certainly fix.

Apple handled this badly but at the end of the day it wasn’t their plugin. I don’t agree that simply disabling the plugin is a solution nor is assuming that because Macs don’t ship with certain plugins that it is seemingly OK to take in excess of three months to patch major vulnerabilities.

However, one day either OS X or iOS will come up against a serious security problem. We’ve had brushes with incidents on iOS in the past and whilst its true that the OS is heavily sandboxed it is not immune from exploits especially as the market share continues to grow. OS X is a much more vulnerable beast, also with a growing market share. An exploit right inside Apple’s code that spreads to hundreds of thousands of devices couldn’t go ignored for six, four or two months not even one week.

Apple has a gold plated reputation of having computers that don’t require clunky anti-virus software and where users can feel safe using the internet as well as mobile devices that alleviate all the concerns that Android users suffer. But chinks in this shiny facade can and will quickly ruin this reputation for a very long time. Just think how you feel about Windows today.