Lessons for IT, Apple in Flashback brouhaha

While the number of Macs infected by the Flashback malware is seemingly in decline now, the security reverberations for Apple continue. The discovery of the botnet a couple of weeks ago—and Apple’s response—has prompted criticism by IT security pros, concern among Mac users and even some smug told-you-so’s from Windows users who’ve watched for years while Apple and its fans derided the omnipresent malware issues plaguing PCs.

Security by obscurity, if it ever existed, is no more.

Now that Apple and several third-party software firms have produced detection and removal tools, it’s time to take stock of the situation and dig a little deeper. What does the Flashback debacle mean for Mac users, Apple itself and the businesses that have increasingly adopted Macs? And does it affect those with iPads and iPhones?

Just a drop in the bucket

Let’s start with a reality check. The only reason this story got the attention it did is because for more than a decade Mac OS X has not been hit hard with any major malware threat. There have been some proof-of-concept pieces written; plenty of Macs have been infected with Microsoft Office macro viruses (that generally have no damaging effects on Macs, especially those running Office 2008, which didn’t offer macro support); and there have been a couple of genuine malware alerts that didn’t amount to a serious online threat.

A piece of malware like Flashback that targeted Windows PCs would’ve been a minor story in tech circles that ended with reports of anti-virus companies releasing updated malware definitions, Microsoft releasing a patch for the underlying vulnerability, and possibly a free detection and removal tool being pushed out to users. This is something that happens in the PC world all the time. But not on the Apple side of the equation.

Given the thousands of malware threats facing Windows PCs, this is barely a drop in the bucket. As a result, Apple came under much closer scrutiny than any other major company would have been in similar circumstances.

The good and the bad of Apple’s response

Apple may have been subjected to more scrutiny than Microsoft, but there were some telling points in how it handled the situation.

First, the company made the unfortunate choice of trying to shut down the domain used by Dr. Web researchers seeking to determine the extent of the infection. A generous take would be that Apple took a misstep because this is a new experience for it. A more jaundiced view would be that Apple was trying to minimize information about the extent of Flashback infections. (The truth is probably somewhere in between.)

This much is clear: Apple didn’t handle the initial situation well.

That said, it quickly released a fix as soon as its engineers could create the patch, made needed corrections immediately after that, and ultimately released tools that would protect uninfected Macs and remove any infections. Apple did this by leveraging its software update infrastructure so that users who regularly agree to accept Apple’s Software Update notices were protected—even if they had never heard of the threat.

Ultimately, the company dealt with the problem in a way that protected the most non-technical of users and did so at no cost to them.

Whether you like Apple or not, the move shows commitment to its users. Sure, it could have issued an initial patch, scheduled a follow-up release later on, and never looked back, but it didn’t.

Still, Apple could’ve been more forthcoming and engaged the security industry more fully. Not doing so was typical of the company’s propensity to keep all information to itself until its executives feel comfortable that they have the best solution at hand. Usually, that works to Apple’s advantage. Not so this time.

Apple also focused its efforts around current Macs and the most recent releases of OS X. That isn’t surprising. The company has been pretty open and consistent in pushing its platform forward and not offering extensive backwards compatibility.

What about security and antivirus companies?

One of the striking parts of this story was that almost none of the security and antivirus vendors offered up a solution much quicker than Apple did. F-Secure, which provided instructions for detecting the malware early on, was the first major security vendor to offer a quarantine and removal tool. Kaspersky and Symantec followed in quick succession. Apple’s offering followed them.


Intego, a company that specializes in Mac security and produces the Mac-specific Virus Barrier antivirus tool, was not only aware of the threat but had already been protecting Mac users from it. The company’s Mac security blog notes that it was aware Flashback was targeting Macs in the fall of 2011 and said it began offering protection before the malware became a news story. Intego even pointed out that its 30-day free trial was available and would identify infections.

This raises a rather thorny question: Why didn’t other companies identify and address the threat sooner? It would seem logical that companies proactively protecting a wider computing audience would be the first to announce a solution. On the other hand, such companies don’t have Mac users as their primary customers. One could posit that, as a result, their priorities (and thus budget and manpower) lie elsewhere.

What about Macs in enterprise environments?

This entire saga is a wakeup call that Macs are just as vulnerable as PCs to malware. One can quibble about specific security technologies employed by Apple, Microsoft, and other players—and there is merit to such discussions—but the days when Mac users could ignore security concerns and shrug off the possibility of infections are gone. Apple’s efforts with the Mac App Store, OS X Mountain Lion, and the upcoming Apple Developer ID program are good security moves, but they can’t turn back time to the state of comfort many Mac users enjoyed a month ago.

Even more so, this is a major wake-up call for IT departments now adding Macs to businesses of all shapes and sizes. Simply handing out new laptops, desktops and iPads and trusting that users—or maybe just one or two IT team members—can handle any issues is no longer an option. (It really never should’ve been thought of as one in the first place.) Whether Macs at your company are business-owned or employee-owned as part of a BYOD program doesn’t really matter; IT shops need to ramp up their Mac knowledge and skills—pronto.

IT departments cannot allow Mac security efforts to slip through the cracks. Apple has done a lot to help bolster Mac security for OS X in its default state, but that isn’t enough.

Being able to handle Mac security effectively requires a real depth of knowledge and understanding about OS X. Apple’s new (and free) Mac Integration certification is a starting point, but it only scratches the surface. Apple’s larger training and certification programs are a great additional resource (and the texts of those classes are available as part of Peachpit’s Apple Training Series for those who can’t attend those programs). Beyond that, there’s the MacTech conference each fall and related events through the year, which are excellent options. For sharing knowledge, the PennState Mac Admins List is a great resource (and even has its own two-day conference in May). APF548.com and MacWindows.com are two additional resources. If all else fails, there’s the Apple Consultants Network.

Beyond simply understanding OS X and Mac security, however, this situation raises the prospect that Mac security may require additional tools and systems to work well. Intego was the first vendor to address this threat, and it’s not one of the vendors most IT departments turn to for site licensing of security software.

At the end of the day, this threat shows that there is a need for a new perspective about Apple and Mac OS X on the part of Mac users, IT professionals and the tech media. While Flashback represents the first real shot across the bow of Apple security, it won’t be the last.

[Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. He has been a Computerworld columnist since 2003 and is a frequent contributor to Peachpit.com. Faas is also the author of iPhone for Work (Apress, 2009). You can find out more about him at RyanFaas.com and follow him on Twitter (@ryanfaas).]
