A nasty bit of malware named “Flashback” has reportedly infected 600,000 Macs worldwide, more than half located in the US. Here’s some news coverage when the announcement was made last week by a Russian security company, followed by corroboration by Kaspersky Lab.
Apple is gaining market share, which inevitably will draw attention from bad guys. The first thing that will be exposed is the myth that Apple’s Mac OS is somehow intrinsically more secure than Windows – or any other operating system that touches the Internet. All software can be broken by a determined hacker; security for operating systems will always be a game of whack-a-mole. Apple’s aura of invulnerability has always been a fraud which the company has done nothing to discourage.
The Flashback virus is particularly nasty because it is installed silently with no user interaction whatsoever. All it takes is a click on a link that leads to a poisoned web page. Mac owners have no way to know if their computer has been compromised. Once installed, the malware contacts servers all over the world to download and install more malware.
Security experts have warned for years that Apple has poor systems in place for updating its operating system. The Flashback malware was able to infect half a million fully patched, up to date Macs by exploiting a vulnerability in Java.
Here’s the problem.
The flaw was reported in January to Oracle, the current owner of Java.
Oracle issued a patch in February.
Apple does not allow Oracle to install patches for Java on Mac OS X. Apple got the Java update in February but didn’t release it until last Thursday, after the Flashback virus hit the news.
That means 600,000 Macs were infected by malware exploiting a known vulnerability because Apple failed to deliver a timely patch that would have prevented it.
That’s typical for Apple. Ed Bott wrote an article examining an Apple update in May 2011 and found that every one of the 23 vulnerabilities being fixed that month had existed in OS X for 18 months or more, and “every entry on that list was capable of executing hostile code on an unpatched system with little or no user interaction.”
Security researcher Brian Krebs says: “Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. . . . I suppose Apple’s performance on this front has improved, but its lackadaisical (and often plain puzzling) response to patching dangerous security holes perpetuates the harmful myth that Mac users don’t need to be concerned about malware attacks.”
It’s mildly amusing to see Apple apologists protesting weakly: “No, I explain, I never said Macs will never get viruses or other Malware. But historically its record versus other platforms compares favorably. As is the case with investment instruments, past results are no guarantee of future performance, and let’s face it, there’s no such thing as a perfectly secured computing platform.”
That’s small comfort to someone with malware on their Mac which could have been prevented if Apple had better security practices. Microsoft stepped up its security efforts years ago and has been responding quickly and effectively with timely updates. Patches for Windows from third parties like Adobe and Sun are annoyingly frequent but their products are also being hardened as time goes on. (Subscribers to Bruceb Remote Management are getting those patches automatically delivered and installed.)
Mac owners: be careful out there.
That wasn’t the only bad news for Apple last week. Apple is also investigating reports of WiFi problems with the new iPads. There is an active forum thread with almost a thousand comments this evening from iPad owners describing problems with dropped connections, slow speeds, and occasional failures detecting wireless networks at all. Apple has quietly acknowledged the issue and issued an internal bulletin instructing its stores to “capture” and replace any WiFi-only iPads “if they exhibit any issue related to Wi-Fi.”
Amazon took a lot of heat when some Kindle Fire tablets had difficulty connecting to wireless networks. It seems fair that Apple get the same angry reaction, doesn’t it?
There was also a flurry of articles last week about the FTC’s investigation into price-fixing of e-books, which could lead to a full-blown antitrust lawsuit if Apple does not reach a settlement soon.
Amazon had been artificially keeping the price of e-books low to promote its Kindle platform. Although potentially Amazon could have reached a monopolistic position where it could then raise prices, it was more likely that the publishing industry and consumers were going to adjust to the lower prices as a new industry model.
Apple approached the publishers and said, “We don’t give a damn what the consumer pays as long as we get our cut. We’ll let you charge whatever you please for e-books on one condition: force Amazon to match our inflated price.” The publishers thought that was swell and e-books jumped in price by 50% overnight.
It was naked collusion to raise prices, one of the most odious anticompetitive, anti-consumer deals that I can recall. Apple deserves to have it blow up in its face.