A Russian computer security firm got a lot of publicity this week after announcing that about 600,000 Macintosh computers have allegedly been infected with malware called “Flashback”. MacOS malware is rare, so the news spread like wildfire. It is not yet known what Flashback is ultimately meant to do, but at this point there is no reason to panic.
A couple of points: Flashback is not an OS-level attack on the Mac; it does not exploit a flaw in MacOS itself. (To date, no such attack has gained a real foothold on MacOS, and Apple Macintosh computers remain among the most secure personal computing platforms available to consumers.)
Instead of attacking MacOS, Flashback exploits a weakness in Java, the programming platform developed by Sun Microsystems (now part of Oracle Corporation), and uses that weakness to get onto the machine and disable some of the Mac’s security features. Apple has supported Java for years, more or less grudgingly, but has viewed it as an outdated liability for some time. With the current version of MacOS (OS X 10.7, “Lion”), Apple no longer includes Java in the standard installation, although users can still install and run it if they wish. (Note: Java, the programming language, is not the same as JavaScript, which is a component of many web sites.)
Although Lion no longer installs Java by default, many Mac users still have older, vulnerable Java versions installed. Even so, Flashback installs itself into the user account that was active at the time of infection rather than spreading throughout the entire operating system.
At a meeting yesterday, Apple Certified Support Professional and consultant Benjamin Levy (Solutions Consulting) questioned how widespread Flashback really is. So far, he says, there have been almost no reports of infections on the Apple Consultants Network. Levy also noted that the claim of “600,000 infected machines” originated with a Russian company that sells security software.
How big is the risk? So what should be done?
Benjamin Levy: “From what is known at this point, the threat from this malware is low. And if you want to go back to the Symantec website for confirmation, it lists Flashback as Risk Level 1: Very Low.”
“I am certain that in the weeks to come this malware will be fully dissected and we’ll know a great deal more about what it does, but for now I think reasonable caution is about all I would recommend. Check to see if you have it, remove it if you do. Learn from the experience and be vigilant about keeping your systems up to date. And yes, this means not letting your computers age outside of current versions of the OS.”
In summary: If you are using Apple’s latest OS (Lion) and have not installed Java, you are fine. If you do have Java installed, make sure it is the latest version (Apple distributes its Java updates through Software Update).
If you want to check if your system has been infected, there are various options. Consultant Bruce Gerson (BSG Solutions) recommends:
http://flashbackcheck.com/
Or, you could download and run a simple script developed by Bart Busschots:
http://www.bartbusschots.ie/blog/?p=2236
(I have personally tested this script. It ran fine).
Even if you have the malware, this does not necessarily mean it is working, Gerson points out. (Using the FlashbackCheck.com website will determine whether your machine is part of the botnet.)
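For readers who would rather see what such a check actually looks for, here is an added example (my own, not Bart Busschots’ script and not anything from Apple): a small shell script that inspects the files where Flashback was publicly reported to leave its persistence hook, namely a DYLD_INSERT_LIBRARIES entry under LSEnvironment in a browser’s Info.plist, or in the per-user ~/.MacOSX/environment.plist. The file locations are taken from the removal instructions security vendors published at the time; the sample plists used in the test are constructed, not real captures. It checks only those indicators, so a clean result here is not proof of a clean machine, which is why the FlashbackCheck.com site and Apple’s tool are still worth using.

```shell
#!/bin/sh
# Added example: report whether any of the given property-list files carries a
# DYLD_INSERT_LIBRARIES entry, the persistence indicator publicly documented
# for Flashback. Exit status 0 = no indicator found, 1 = indicator found.
#
# Default targets (assumed from the published indicator locations):
#   /Applications/Safari.app/Contents/Info.plist   (LSEnvironment key)
#   /Applications/Firefox.app/Contents/Info.plist  (LSEnvironment key)
#   $HOME/.MacOSX/environment.plist                (per-user environment)

# Check a single plist. grep -a is used because Info.plist files are often
# stored as binary plists, and binary plists keep key names as plain ASCII,
# so the indicator string is still greppable without converting the file.
flashback_check_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "not present: $f"
        return 0
    fi
    if grep -aq 'DYLD_INSERT_LIBRARIES' "$f"; then
        echo "INDICATOR: DYLD_INSERT_LIBRARIES set in $f"
        return 1
    fi
    echo "clean: $f"
    return 0
}

# Check every path given as an argument; a missing file is not an indicator.
# Returns 1 if any file carries the indicator, 0 otherwise.
flashback_check() {
    found=0
    for f in "$@"; do
        flashback_check_file "$f" || found=1
    done
    return $found
}

# Run against the default locations when the script is executed directly.
# Wrapped in "if" so a positive result does not abort a calling shell.
if flashback_check \
    /Applications/Safari.app/Contents/Info.plist \
    /Applications/Firefox.app/Contents/Info.plist \
    "$HOME/.MacOSX/environment.plist"; then
    echo "No Flashback indicator found in the checked files."
else
    echo "Possible Flashback indicator found; do not rely on this script alone for removal."
fi
```

To check additional files, pass their paths as arguments to flashback_check. A positive match means only that the string exists in that file; confirm before deleting anything, since an administrator may have set a launch environment deliberately.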
If you want to wait, Apple has said it will release a removal tool:
http://support.apple.com/kb/HT5244?viewlocale=en_US&locale=en_US
(Thanks to Bruce Gerson, Ben Levy, Garry Margolis, LAPUG.org, Bart Busschots).