Flashback Shows Why Mac AV Is Vital

For many years, Mac users -- and, indeed, Apple itself -- have touted that "Macs don't get viruses". The party's most definitely over, and Flashback is (sadly) just the beginning. I've written about the subject of Mac security before, and it's one that invariably gets some folk a little on the touchy side. Still, last week's reveal of the extent of the Flashback botnet does rather point out something that I've been saying for quite some time. Mac viruses aren't a matter of innate additional security, or some kind of golden halo; they're a matter of market size and opportunity.

Classic malware/viruses/use-whatever-term-you-feel-like targeted individual systems and were largely destructive, whether that was a matter of your data, your system, or just your time. Modern malware's all about one thing: money.

Whether it's directly ripping you off via hijacking your financial accounts, nicking your identity for other forms of theft or simply turning your computer into a for-hire botnet, cold hard cash is now the key reason for malware creation. Cold hard cash is exactly what Mac buyers have shown they're willing to part with in increasing numbers; while the Mac market is still a fraction of the Windows one, the growth rate in recent years has been outstripping the market by a surprising percentage, and that raises interest from the security community.

What's worrying about Flashback in this context isn't particularly the size of the outbreak -- now put by Kaspersky at around 600,000 computers worldwide, most of them Macs. That's still only about two per cent of the Mac market, after all. No, what's concerning is the fact that it acts as a very large operational proof of concept. There has been proof-of-concept Mac malware in the past, along with very small-scale outbreaks of malware -- typically associated with pirated software.

Flashback acts as a rather large banner ad to every malware writer out there: Macs are ripe for the picking. Indeed, based on many of the responses I've had whenever I've written about Mac malware, I'd say that it's a very ripe field indeed, whether that's due to the perception that Macs are somehow "bulletproof", or ardent fan belief that nothing bad could happen. Not only could bad things happen, Mac users, but you're living in an age when they happen and don't even let you know that they're compromising your system.

Some of that's inevitable. You can point to OS X's Unix underpinnings all you like, but the simple fact of the matter is that it's software written by human beings, and human beings make mistakes. Software is buggy -- all of it -- and where there are bugs, there are exploits. Exploits are exactly what malware writers look for, and as Flashback proved, it doesn't even particularly need to rely on user input or acceptance to run.

So what's the solution? Do we all run out into the street screaming, waving our hands around and proclaiming, (in best Tim Brooke-Taylor fashion) that we're teapots? No, that's not really necessary. Although if you do feel inclined, send me the video -- I could do with a laugh.

Once you're all tuckered out, make sure your system is updated and secured as best you can manage. It'd probably also help to point out to Apple that it'd be useful for them to be far more proactive with security updates in the future, given that the Java vulnerability that allowed Flashback to propagate was patched for other systems nearly two months ago.



    Is this a sponsored post, or is it just a fluke that the post is completely over advertising Trend Micro? If this post is meant to act as an Ad, please at least be transparent about it.

      Transparent reply: I wrote it in response to the Flashback outbreak; no sponsorship involved. Editorial and advertising are separate parts of the business, and they have no say in what I'm writing. Any ads you see here are clearly labelled as such.

      Transparent enough for you?

      This is a stupid post. This is like people who go on and on that Global Warming and climate change are a myth. WHO CARES! What happens if it is not a myth: we would have done our very best to clean up our act and make the world a better place for our grand-children. And what happens if it IS a myth? OH NO! We have done our very best to clean up our act and make the world a better place for our grand-children!

      The exact same thing applies here: if it is a genuine post you have just gone out and made your vulnerable computer safer, and if it is a post post then you have again gone out and made your vulnerable computer safer.

      Whatever the story you win…

    You're the author representing Gizmodo, no need to be rude / sarcastic. When I read this I thought the same; in the last year or two Gizmodo has gone far south... I used to solely read Gizmodo, now I occasionally glance at it because of things like this. Engadget seems to be only getting better - IRL section, good in-depth reviews, more coverage of events.

    Think before you reply, Alex...

      No, I think they are a bit sick of every second comment being a sarcastic/rude remark. They are people as well; if you want to be negative take it somewhere else 'cause people really don't care for it.

      He wasn't rude or sarcastic.
      Aren't most ads usually displayed because they are relevant to the topic anyway?

      I didn't detect any rude or sarcastic tones in this article at all. In fact, I thought it was a neutral, well-written and well-reasoned piece. I even re-read it to make sure I didn't miss anything after reading your comment. Perhaps your "someone's pointing out a flaw in an Apple product, regardless of legitimacy, so I must defend them!" sensitivity is set a little too high, especially when Giz is so often criticised for being very pro-Apple (though that's predominantly their US counterparts).

      Don't listen to Matt, Alex, he's a moron

    Or just don't install Flash and Java and be immune to bizarre third party vulnerabilities?

      Better yet just not use your computer; typewriters and stone tablets don't have viruses!

    Goodies reference FTW! I can just imagine the Mac users in my office doing just that, well after the denial stage subsides.

    Ads are clearly marked as such? I must be blind.

    The best way to have security on your computer is to know about the internet and how viruses work. It's not difficult and it's not limited to people under the age of 30. I've never installed antivirus on my Windows or Mac computers. Don't give access to websites that you don't trust. Don't ACCESS websites that you don't trust.
    The problem with antivirus is that it gives you a false sense of security. False because the rate that viruses come out or are changed is a lot higher than the rate that they are prevented.

    However, generally Apple is more secure for many reasons:
    1. It's UNIX, and anything that wants new access to your computer requires you to enter your administrator password.
    2. They have just over 10% of the market, and of that far less is the business market. It is therefore a lot more profitable to make malicious viruses for Windows.
    3. They push out updates as soon as a virus becomes well known (which occurs almost every time there is a virus for Mac because it's big news).
    In fact this virus has already been patched.

      A few problems with that approach:
      1) A number of well known (and therefore "trusted") sites have had malware installs hosted on them surreptitiously over the past few years.
      2) As mentioned; Flashback didn't actively require the admin password (although apparently could use it if given, as per the F-Secure definition for it)
      3) Yes, Macs are a small fragment of the market -- but as Flashback shows, there's enough of them out there (and if most don't run any kind of security, maybe lower hanging fruit than the Windows boxes that predominate)
      4) Apple's security update history is... spotty, to say the least. There have been plenty of instances where Apple's been slow to fix publicly known holes in security -- and they never talk about them. This, alone, needs to change.

      My 2 cents on your 3 points...

      1) Being UNIX doesn't make anything more secure. Unix is a generalised term that describes a very large number of actual operating systems (Linux/FreeBSD being popular, but there's been SunOS, Solaris, OSF, DigitalUnix, SCO, AIX, HPUX and so on), each of which is developed by different groups of people implementing the same conceptual idea but in completely different ways.
      As for prompting for a password: with UAC enabled Windows also prompts an "are you sure" for system changes, that no one reads. Similarly I've seen Mac users unquestioningly enter their password whenever prompted without ever pausing to question why. By default, an OS X system doesn't require a username/password to actually log into the desktop; Windows does. They both have weaknesses and 90% of the time it's the fault of the user for disabling security for convenience.

      2) The % only matters in terms of how easily a virus is distributed. The market share might be 10% but I've seen MacBooks penetrate upper management faster than home users, and if you're after stealing data I'd be targeting the CEOs of this world that insist on keeping all of their passwords, financial files and everything else on their personal laptop because they often insist they're too important to have IT security policy apply to them (mainly the older generation) and of course because they have a Mac they're safe... again user convenience being the cause of being vulnerable.

      3) No they don't. Rather than just quoting what a mate told you, look at the security reports from Apple and compare the patch release date with the date it was first reported (if you can find it, they often keep reports under wraps). It took them 2 months to patch this Java vulnerability. On the iOS front, they took a long time to patch the PDF bug they had. It might be a coincidence but after the PDF bug was reported nothing happened. After there was a free iPhone jailbreak web service that exploited it, they fixed it in 2 or 3 days. The most common updates I get on OS X are iTunes updates.

    To be fair, this is a 3rd party exploit (Java) and is not a Mac-only malware.

    Also, it's not really a virus. A trojan is different from a virus. Really, neither OSX OR Windows can get 'viruses' anymore.

    A Trojan requires the user to execute it, does it not? Or am I missing something.

      OK, fair point -- but I'm using "malware" as the catch-all term here. In the case of Flashback, while it could work from an administrator password, it could bypass that if the password wasn't entered -- which is pretty darned close to no user intervention required.

        I wasn't specifically having a go at you Alex, more the 'hurr durr Mac virus' people.

        But yeah, admittedly, it's darn close to not needing user intervention. Though, in a way, you could call having Java in the first place user intervention (yes, I know, huge stretch).

        Personally I consider Java itself malware. Unfortunately, Adobe requires this malware to run Creative Suite. Unfortunate.

          I fully agree Java and Adobe should fix their stuff; it's their crap that lets these things in in the first place

    You're a brave man Alex for suggesting anything to do with an Apple product is anything less than 100%

    @Matt I really don't see him (the author) being rude to you, it's quite opposite... and good luck with Engadget :(

    He has the right to defend his work. The article is fine.

    Initiate unbunching panties protocol.

    AVs are a good idea since Macs are getting more and more popular and it's harder for Apple to slide under the radar.
    BUT - if anything I would prefer if Apple keeps the bulk of AV/malware development in house rather than outsourcing it to third party solutions like Trend and Norton. They know the system inside out - and one integrated solution is probably better than fifty solutions that try to sabotage each other and end up being another backdoor into your system. (YAY WINDOWS ANTIVIRII). Turn the AV into a built-in OS function and hire AV developers as consultants instead.

      While we're at it, make sure that only Apple builds websites and all programs. Deny access to anything not made by Apple.

        Drew, you're such a troll, please tell me you're using UNIX!? I won't be able to sleep at night knowing trolls such as yourself are utilising and bastardising all my hard work!

      How can Apple do as you suggest, & keep AV in house? Anyone can develop & publish apps for Mac. Apple don't control that. Just a stupid comment among the MANY stupid comments

    Nothing wrong with the article, not sure why people are questioning it. Actually, I'm pretty sure I know why people are questioning his integrity, because he might be suggesting that Macs aren't ironclad. It's a balanced, well-written article that aims to dispel any misconceptions Apple and its fans have built up over the years about Mac security.

    Yes, I could have done without quotations from AV makers, who have a vested interest in keeping people scared of these things so they can make money. The AVG article about how Android's the new virus haven was particularly galling.

    Very sound advice, given in a sensible, well reasoned manner. For people to go over the top and be critical of this shows an unwillingness to face reality- a naivete that is cute but also a little alarming.

    ARGH! Why does no-one realise that none of the existing Mac AV found this until AFTER it was patched by Apple. Sigh. While I don't have a specific problem with anything said in the article, the headline is very sensational and clearly exists to grab page hits. The article doesn't even mention any AV that would have found this (probably because there are none).

    And as pointed out by others, this is a Trojan, not a virus. It also DID require admin privileges, despite what is posted here. The initial post on F-Secure clearly explains that much.

    I see dozens of fully up-to-date PCs with AV installed, active and up to date, which STILL get malware every week. AV is NOT the magic bullet so many people think it is.

    Finally - all this is proof of is that keeping your system up to date, browsing with Java off (and maybe Flash too) is important, and that even supposed experts in the field don't know a virus from malware.


      By the same token you may as well leave your house unlocked because locks aren't the magic bullet to keep thieves out.

      The point of being security conscious isn't that you make yourself impenetrable, but minimise your exposure and attack surface area. That and make the neighbour's house seem like an easier target than yours. As much as that might sound a little tongue in cheek, it's the OS X users that don't believe they're targets that will over time look like the easier targets. 20% of all PC users with 0% protection are easier than 80% of all PC users with only an 80% protection level.

      Malware is all maximum revenue generation with minimal amount of effort; like pretty much every business out there.

      You might be right that there's no AV for OS X that could've caught this before the patch was released anyway, but if you were an AV company would you bother developing for OS X given that the vast majority of users won't buy your product anyway because they believe they're immune? It's a hard product to sell to a Mac user... which goes back to maximum revenue for minimal effort.
