Hundreds of thousands of Macs infected

It was going to happen sometime...

BBC News - Half a million Mac computers 'infected with malware'

Mac Flashback Trojan: Find Out If You're One of the 600,000 Infected

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

tpatt100

You know your doing something right and increasing market share to the point where malware writers start to target your systems lol.

Reminds me of the botnet stories lately where the FBI was involved. Crazy didn't realize how many millions of infected machines are out there.

the_Grinch

I find it funny that they make a big deal about this. 600k out of the millions of Mac computers out there really doesn't make it big news. Now if they wrote some iOS malware that would be big news.

Jayjett90

Well this is bad and good at the same time. Of course infected PCs are never good lol but now all of the non-technical Apple fans who thought Macs could not get viruses just got a reality check. Any system can get a virus, it just wasn't common with macs because majority of the world's population uses Windows.

Zartanasaurus

the_Grinch wrote: »

I find it funny that they make a big deal about this. 600k out of the millions of Mac computers out there really doesn't make it big news. Now if they wrote some iOS malware that would be big news.

Mac Hacker Puts Rogue iPhone App Into iTunes Store | SecurityNewsDaily.com

tpatt100

Not sure how much of a reality check it is since there are millions of Windows machines infected and I doubt even a single digit percentage of them even know what a botnet is.

Forsaken_GA

It's not so much a Mac exploit, as it is a Java exploit. Just more proof that Java is a Bad Idea (tm)

the_Grinch

Apple maintains the Java package for OSX though...

afcyung

I think it should point out that the concept of security through obscurity is long gone.

tpatt100

How is it long gone? It is still a significantly small target compared to the millions of available Windows machines that are exploited.

Forsaken_GA

the_Grinch wrote: »

Apple maintains the Java package for OSX though...

I understand that, doesn't change the fact that Java is a platform which has been riddled with security holes over the years. Just because they maintain the package doesn't mean they write it, and security auditing is hard. I'm not at all surprised that what's reportedly the most compromising attack on OS X to date came via a Java vector.

Roguetadhg

java and firefox has been causing issues for us here, firefox disabling it by default.

the_Grinch

Fair enough

Forsaken_GA wrote: »

I understand that, doesn't change the fact that Java is a platform which has been riddled with security holes over the years. Just because they maintain the package doesn't mean they write it, and security auditing is hard. I'm not at all surprised that what's reportedly the most compromising attack on OS X to date came via a Java vector.

Forsaken_GA

Roguetadhg wrote: »

java and firefox has been causing issues for us here, firefox disabling it by default.

That's Mozilla's doing. They recently started disabling old versions of JRE that had known security issues in order to encourage the user to update rather than risk a compromise. In my opinion, this is a very good idea.

lordy

Well, believe it or not, there are stupid Mac users out there.

I had a friend who downloaded some Adult Video File and when he opened it it just showed a message saying "You need to install SomeEvilGuy's Codec to view this", and so he did. He downloaded, installed it and even typed in his password when the installer asked for it...

tpatt100

lordy wrote: »

Well, believe it or not, there are stupid Mac users out there.

I had a friend who downloaded some Adult Video File and when he opened it it just showed a message saying "You need to install SomeEvilGuy's Codec to view this", and so he did. He downloaded, installed it and even typed in his password when the installer asked for it...

That video codec one is pretty popular. I like the ones that look like Windows UAC and even walks you through how to allow it to mess up your pc.

Novalith478

tpatt100 wrote: »

That video codec one is pretty popular. I like the ones that look like Windows UAC and even walks you through how to allow it to mess up your pc.

The UAC and fake anti-virus ones are so popular. I've had to clean that off friends/family computers more times than I have fingers to count. You'd think they'd learn...nope.

ptilsen

Let's not dismiss anything significant, here. IMO 600,000 is a significant number, period, and a highly significant number given Macs relative market share. A botnet of 6,000,000 Windows machines would not be dismissed as trivial. That's a lot of infected machines, even if it's a small percentage of potential targets.

A agree strongly that JVM being the infection method is not remotely surprising. Even on Windows, Java is one of the most often exploited features and one of the hardest to secure. You can have users locked down to least privilege, browser settings restricted, host antivirus, threat management on the gateway, 100% patch and update compliance, and still get hit through Java along with various browser plug-ins (hint: Adobe).

Honestly, I hate almost everything about Java. It's made programming seem so easy that lazily written, poor code is a staple of modern computing. Most browser-based applets that require a JVM are horribly slow and buggy, and Java is an administrative pain. All that being said, I'm inclined to blame Apple. Their slow pace of patching that vulnerability is inexcusable, IMO. And keeping Java maintained on Macs is too hard, Apple should stop supporting JVM use altogether. I'm serious. That's what they did with Flash in the mobile sector, and I could easily see it with Flash and Java on Macs. If you think about all the programs that already don't run natively in Mac OS X, web-based Java and Flash applets are really a drop in the bucket. The major web developers would re-code to support Macs, and frankly the rest don't matter enough to make a difference.

Mac market share has steadily enough that indeed, Macs are more and more likely to be targeted. Technical implementation of security measures on Macs compared to Windows has been lax for years now. The non-technical Mac users (the vast majority of Mac users, just as with the vast majority of Windows users) do not know enough to do their part and automatic measures from Apple are not implemented enough. Until things change, I bet we'll see more Mac exploits in the near future. Apple definitely wants to maintain the image of Macs as systems with far fewer problems than Windows PCs, so I think it's likely these sorts of issues will get addressed.

Forsaken_GA

ptilsen wrote: »

All that being said, I'm inclined to blame Apple. Their slow pace of patching that vulnerability is inexcusable, IMO. And keeping Java maintained on Macs is too hard, Apple should stop supporting JVM use altogether. I'm serious.

Sure, it's ultimately Apple's fault, but this isn't a vulnerability in OS X, which is what it's being trumped up as. In order to fall vulnerable to this, it requires two things -

A) A specific piece of software to be installed

The user to do something stupid.

That is much closer to social engineering than a code fault, and there isn't an operating system in existence that can protect against those parameters before the fact.

The fact that it's so rare for an exploit of this nature to hit a Mac goes to show it's got a fairly decent track record when it comes to security - folks can't wait for the chance to jump all over it. If this had been a windows flaw instead, folks would say 'what else is new?' Windows exploits are so common that it originated Patch Tuesday.

And Apple's track record is still better than Microsofts when it comes to patch times. They just recently fixed some exploits that have been around since Windows 2000. I mean really, you're going to criticize Apple for taking two months to patch when it took Oracle 5 months to do so? (Please note that the article author cannot do math - Oracle patched on Feb 14th, Apple on April 4th. That's a difference of 50 days. 50 / 7 = ~7.14. Quoth the article 'Apple released its own "security update" on Wednesday - more than eight weeks later.' Idiots.) I don't think ~2 months is unreasonable to push a patch that had a couple conditionals in order for it to take effect.

ptilsen

Forsaken_GA wrote: »

Sure, it's ultimately Apple's fault, but this isn't a vulnerability in OS X, which is what it's being trumped up as. In order to fall vulnerable to this, it requires two things -

A) A specific piece of software to be installed
The user to do something stupid.

That is much closer to social engineering than a code fault, and there isn't an operating system in existence that can protect against those parameters before the fact.

I will be the last person to disagree with any of this. I'm certainly not claiming it's a fundamental flaw in the programming of OS X.

Forsaken_GA wrote: »

The fact that it's so rare for an exploit of this nature to hit a Mac goes to show it's got a fairly decent track record when it comes to security - folks can't wait for the chance to jump all over it. If this had been a windows flaw instead, folks would say 'what else is new?' Windows exploits are so common that it originated Patch Tuesday.

No one will disagree that there are more Windows exploits. But, it goes back to "there isn't an operating system that can prevent against those parameters before the fact." The number of actual Windows remote vulnerabilities that don't require a user or configuration problem is very low, especially in the last five years. Even the ms12-020 is only applicable to systems configured in a certain way -- RDP must be on (off by default), NLA must be off (recommended on), and the system must be accessible on the public Internet for a significant risk of exploitation (not recommended, even for remote access to TS/RDSH) -- this situation describes a poor configuration even without the vulnerability as RDP has always been a known attack vector and these best practices and defaults were there to mitigate against that risk.

Forsaken_GA wrote: »

And Apple's track record is still better than Microsofts when it comes to patch times.

Not sure I can agree with that. Microsoft searches out and patches the vast majority of vulnerabilities before they are exploited, often long before they are even identified by third parties. Microsoft patches very frequently, releasing updates before the next Patch Tuesday if they're important. I don't feel great about how many vulnerabilities there are and how large the code and customer bases behind the Windows platform and its staples are, but the fact that Microsoft patches so often and so quickly is a good thing, to me. I would compare Firefox favorably to IE for the same reason; Firefox actually gets security patches more frequently than IE, even though IE is a more frequently targeted system.

Forsaken_GA wrote: »

I mean really, you're going to criticize Apple for taking two months to patch when it took Oracle 5 months to do so? (Please note that the article author cannot do math - Oracle patched on Feb 14th, Apple on April 4th. That's a difference of 50 days. 50 / 7 = ~7.14. Quoth the article 'Apple released its own "security update" on Wednesday - more than eight weeks later.' Idiots.) I don't think ~2 months is unreasonable to push a patch that had a couple conditionals in order for it to take effect.

That's somewhat fair, and I am not experienced enough with that sort of code development to make a truly informed analysis of that response time. That being said, Microsoft and even Apple have been known to develop and release other patches in shorter time frames, and I have no reason to believe those should take longer. But again, if Apple wants to take responsibility for the development and deployment of Java patches, I think that there either needs to be more resources put on it or a decision made to not support it at all.

I will give Apple more credit for the mobile sector, despite some of the problems they've had. Considering how many more iPhones and iPads there are then Macs and how they are potentially an easier target, Apple has actually done a good job of securing the OS and the applications. Android's opening, by comparison, is a security issue. Apple vets App store apps reasonably well, considering how many there are. One might slip through here and there, but it's nothing compared to Android, which has no basically no quality control, by comparison. If Apple applied similar policies to Mac OS X, I think that could make it compare favorably to Windows.

afcyung

I imagine that the programers do their patches in priority from largest threat to least given things like how difficult would it be to exploit the vulnerability and what mitigation steps can be taken by the end user to prevent the exploit.