
Mac Flashback Attack Began With Wordpress Blogs

timothy posted more than 2 years ago | from the slashcode-was-lower-on-their-target-list dept.

Desktops (Apple) 103

With more on the Flashback malware plaguing many Macs, beaverdownunder writes with some explanation of how the infection grew so quickly: "Alexander Gostev, head of the global research and analysis team at Kaspersky, says that 'tens of thousands of sites powered by WordPress were compromised. How this happened is unclear. The main theories are that bloggers were using a vulnerable version of WordPress or they had installed the ToolsPack plug-in.'"


In the end, it's better that it happened (5, Insightful)

skipkent (1510) | more than 2 years ago | (#39768289)

At its height it was never as bad as some of the windows viruses have been, but it plants the seed that macs aren't safe and are just as vulnerable as any other OS.

Re:In the end, it's better that it happened (0)

Anonymous Coward | more than 2 years ago | (#39768317)

I say make it worse next time! And, target all OS's!

Re:In the end, it's better that it happened (5, Informative)

WrongSizeGlass (838941) | more than 2 years ago | (#39769095)

I say make it worse next time! And, target all OS's!

The Java exploit used to spread Mac Flashback wasn't Mac specific, it just went unpatched for several months longer on OS X than on Windows. All the while almost all Mac users surfed the internet with a false sense of impunity.

I don't think any researchers have tried to figure out how many PC's were affected by the same Java exploit, but the impact this has had on the Mac user mindset - and Apple's security responses - should be rather sobering.

Re:In the end, it's better that it happened (0)

AdrianKemp (1988748) | more than 2 years ago | (#39769295)

Comments like your's really bother me.

This is not the first malware to infect macs*, not even remotely close. It *may* be the worst, but frankly I have serious doubts about that too.

In my experience dealing with tech dullards mac users have no more false security than windows users running Norton (and lets face it, at least the mac users have SOME protection).

*This, as with the adobe vulnerabilities and java malware of the past has nothing to do with macs and could infect linux or windows equally.

Re:In the end, it's better that it happened (2)

AdrianKemp (1988748) | more than 2 years ago | (#39769303)

That's interesting... the comment my reply was added to was not the one I replied to and in fact didn't even exist when I clicked reply.

Re:In the end, it's better that it happened (1)

WrongSizeGlass (838941) | more than 2 years ago | (#39774443)

That's interesting... the comment my reply was added to was not the one I replied to and in fact didn't even exist when I clicked reply.

That's odd. I guess it's the ghost of Commander Taco haunting the machine ... or it could just be the UI Ajax going rogue ;-)

Re:In the end, it's better that it happened (1, Funny)

lister king of smeg (2481612) | more than 2 years ago | (#39771177)

no it could not infect linux equally well and not because of linux's security but because of the users: they are generally more computer savvy and would have been less likely to execute random code. also iirc I believe linux gets jre updates sooner than mac and then would have been secure sooner.

Re:In the end, it's better that it happened (1)

noh8rz3 (2593935) | more than 2 years ago | (#39774151)

Comments like your's really bother me.

grammar like your's really bothers me.

Re:In the end, it's better that it happened (0)

Anonymous Coward | more than 2 years ago | (#39770011)

Actually, they did. There were Windows infections that numbered in thousands, but they also detected FreeBSD and Linux machines; even a few Solaris ones. However - Mac OS infections made up by far the most of it.

Re:In the end, it's better that it happened (0, Interesting)

Anonymous Coward | more than 2 years ago | (#39768319)

I've heard percentage wise it is worse than any single Windows virus in history.

Re:In the end, it's better that it happened (2, Funny)

Anonymous Coward | more than 2 years ago | (#39768337)

Where did you hear this? At the cooler in Redmond?

Re:In the end, it's better that it happened (5, Informative)

oldlurker (2502506) | more than 2 years ago | (#39768411)

Where did you hear this? At the cooler in Redmond?

From the numbers it doesn't seem like an unlikely claim actually (single virus compromising percentage of installed base), though a citation would be nice so it made me check (source for numbers below [daringfireball.net] ):

The Mac Flashback virus compromised around 600.000 Macs, which is around 1% of installed base.
The single largest Windows-based infection ever was Conficker. At its peak in 2009, it infected about 0.7% of the total Windows installed base.

Re:In the end, it's better that it happened (1)

jaymemaurice (2024752) | more than 2 years ago | (#39768631)

I wonder more about Nimda than Conficker

Re:In the end, it's better that it happened (4, Interesting)

BasilBrush (643681) | more than 2 years ago | (#39768687)

Wiki says estimates of Conficker infections were between 9 million and 15 million in Mar 2009. Installed base of PCs was about 1.1 billion then. Which would mean Conficker had between 0.8% and 1.4% of PCs infected.

It's too close to call.

Re:In the end, it's better that it happened (4, Interesting)

quacking duck (607555) | more than 2 years ago | (#39771117)

Let me see if I read this right...

Despite most Mac users not having antivirus installed, it still had roughly the same percentage of users infected as a platform where users DO have antivirus and anti-malware installed (or their users are very aware they're supposed to be running them), but the latter's supposed protections against malware were useless at detecting and/or preventing the Conficker outbreaks.

My takeaway is that Mac users therefore *still* would not benefit from installing and running antivirus software that sucks up resources all the time. The better defence is simply to do system updates weekly.

Re:In the end, it's better that it happened (1)

amicusNYCL (1538833) | more than 2 years ago | (#39774527)

Wikipedia also claims that conficker peaked at 7 million, and that Microsoft detected 1.7 million with their own tools. A UPI article in the references claims that most estimates were between 8 and 12 million, with one estimate at 15.

I can't find much for Nimda, other than that it took about 22 minutes to become the largest infection at that time, and Code Red looks like it never hit more than 400,000 machines. The ILOVEYOU virus is claimed to have hit 10% of internet-connected machines, one estimate (from a dead link cited in wiki) claimed 50 million infections. That was in 2000 though, so I'm not sure what percentage of computers were online, but that may be the largest infection by percent to date.

Re:In the end, it's better that it happened (-1)

Anonymous Coward | more than 2 years ago | (#39768831)

Actually just one vendor said they had found 600,000 Macs infected; that doesn't mean it's the total number of infections, but just what Dr Web found. If you included the reports from all AV vendors, the number would be much higher.

Re:In the end, it's better that it happened (0)

Anonymous Coward | more than 2 years ago | (#39769027)

The Morris Worm is believed to have infected 10% of UNIX systems connected to the internet.

Nimda became the Internet's most widespread virus/worm within 22 minutes. Maybe it only infected 450,000 machines though.

Apple II machines are considered to have suffered the first major computer virus outbreak in history, thanks to the Elk Cloner virus.

Re:In the end, it's better that it happened (2)

CheerfulMacFanboy (1900788) | more than 2 years ago | (#39771135)

Where did you hear this? At the cooler in Redmond?

From the numbers it doesn't seem like an unlikely claim actually (single virus compromising percentage of installed base), though a citation would be nice so it made me check (source for numbers below [daringfireball.net] ):

The Mac Flashback virus compromised around 600.000 Macs, which is around 1% of installed base. The single largest Windows-based infection ever was Conficker. At its peak in 2009, it infected about 0.7% of the total Windows installed base.

But the original source (Ed Bott from ZDNet) for those numbers is wrong - Conficker was only the worst PC infection in recent times. The ILOVEYOU mail virus infected 50 million PCs in 2000 - far more than 1%.

Re:In the end, it's better that it happened (1)

oldlurker (2502506) | more than 2 years ago | (#39771585)

Where did you hear this? At the cooler in Redmond?

From the numbers it doesn't seem like an unlikely claim actually (single virus compromising percentage of installed base), though a citation would be nice so it made me check (source for numbers below [daringfireball.net] ):

The Mac Flashback virus compromised around 600.000 Macs, which is around 1% of installed base. The single largest Windows-based infection ever was Conficker. At its peak in 2009, it infected about 0.7% of the total Windows installed base.

But the original source (Ed Bott from ZDNet) for those numbers is wrong - Conficker was only the worst PC infection in recent times. The ILOVEYOU mail virus infected 50 million PCs in 2000 - far more than 1%.

Fair enough, I should have added the disclaimer 'in recent times', but I still think that is what is of interest to compare: recent times, platforms that are relevant today. Or else you could talk about the Morris Worm infecting 10% of all Unix systems on the net as mentioned above and conclude that Unix is the worst.

Re:In the end, it's better that it happened (0)

Anonymous Coward | more than 2 years ago | (#39773635)

Morris Worm got into Digital Equipment Corporation's DECNET environment and other commercial networks beyond the UNIX world, so I think it still wins. I was at DEC when that happened and a LOT OF PEOPLE WERE PISSED in a lot of companies. Morris was, shall we say, unpopular for quite some time after that...

Re:In the end, it's better that it happened (0)

Anonymous Coward | more than 2 years ago | (#39768421)

Actually from John Gruber of all people: http://daringfireball.net/2012/04/flashback_eword

Re:In the end, it's better that it happened (4, Interesting)

V!NCENT (1105021) | more than 2 years ago | (#39768425)

It's not true. It climbed to 600.000 infections, according to Kaspersky (anti-virus developer) and dropped to 30.000.

Anyone cautious of privacy and security should know that the OS isn't targeted so much anymore, because aside from it being illegal and a more fragmented market now, you can legally spy on people by tracking the web. The web is where all the action happens (Banking, Facebook, etc.). Seriously; install Collusion for Chrome or Firefox, lurk an hour on the web and see what's tracking you. It's insane.

So the new security is in web browsers. And anyone who values their web security has a cookie, script, plugin and TCP/IP domain blocker. And if you had the plugin blocker (disabling the autorun), you wouldn't have this drive-by hack.

But of course even OpenBSD had remote holes, which proves that (and anyone arguing otherwise is an idiot) any OS is hackable.

What's so funny (actually sad) about this, is that Trusted Computing doesn't protect against this shit. So much for that argument. Even with Gatekeeper (the Mac OS X tool for letting users decide whether or not they want to be able to execute non-sealed binaries (DRM'd/App Store stuff)).

Inb4 fantards.

Re:In the end, it's better that it happened (4, Informative)

chrb (1083577) | more than 2 years ago | (#39768797)

At its height it was never as bad as some of the windows viruses have been

Mac Malware Outbreak Is Bigger than 'Conficker' [pcworld.com] . Remember that OS X only has about 5% of global desktop market, 0.6 million desktops may not sound like much in comparison to Windows, but as a share of the Mac total it is significant: "Mac OS X is the number two desktop OS with 6.54 percent market share. Windows, on the other hand, accounts for 92.48 percent of the market. Based on market share, the Flashback Trojan botnet is equivalent to a Windows botnet of nearly 8.5 million PCs. That makes it an even larger threat than Conficker--just on a much smaller platform."

It's not true. It climbed to 600.000 infections, according to Kaspersky (anti-virus developer) and dropped to 30.000.

They got it wrong; Symantec and Kaspersky both said the number had fallen, but Symantec have admitted they were wrong, and Kaspersky are now "looking into the matter". Flashback botnet not shrinking, huge numbers of Macs still infected: [computerworld.com]

"We've been talking with them about the discrepancies in our numbers and theirs," said O Murchu in an interview Friday. "We now believe that their analysis is accurate, and that it explains the discrepancies."

"This server communicates with bots but doesn't close a TCP connection," wrote Dr. Web. "As [a] result, bots switch to the stand-by mode and wait for the server's reply and no longer respond to further commands. As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists [including Kaspersky and Symantec]. "This is the cause of controversial statistics," said Dr. Web.

Also see Antivirus Researchers Confirm: Flashback Still Infects More Than 500,000 Macs [forbes.com] .
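The counting discrepancy quoted from Dr. Web above (a server that accepts a bot's connection but never replies leaves the bot in stand-by, so it never checks in with the other researchers' sinkholes) can be modelled in a few lines. The following is an added simulation, not code from Dr. Web, Symantec or Kaspersky; the server names, the rule that each bot walks the same server list from a different starting offset, and the single check-in per bot are all constructed assumptions.

```python
"""Simulation of the sinkhole-count discrepancy described by Dr. Web.

Constructed example, not from Dr. Web, Symantec or Kaspersky. The model is
simplified: every bot walks the same server list, starting at a different
offset, and a server that accepts the connection but never replies keeps the
bot in stand-by, so it never reaches the servers later in its list.
"""
from dataclasses import dataclass, field


@dataclass
class Sinkhole:
    """A command-and-control domain registered by a research team."""
    name: str
    closes_connection: bool          # False: holds the TCP socket open forever
    seen: set = field(default_factory=set)

    def handle(self, bot_id: str) -> bool:
        """Record the bot; return True if the bot regains control afterwards."""
        self.seen.add(bot_id)
        return self.closes_connection


def run_bot(bot_id: str, servers: list, offset: int) -> list:
    """Bot contacts its server list in rotation order until one never replies."""
    order = servers[offset:] + servers[:offset]
    contacted = []
    for server in order:
        contacted.append(server.name)
        if not server.handle(bot_id):
            break                       # waiting on a reply that never comes
    return contacted


def simulate(n_bots: int, servers: list) -> dict:
    """Per-sinkhole unique bot counts after every bot has checked in once."""
    for i in range(n_bots):
        run_bot(f"bot-{i:04d}", servers, i % len(servers))
    return {s.name: len(s.seen) for s in servers}


def union_count(servers: list) -> int:
    """Deduplicated count across all sinkholes: the figure worth reporting."""
    return len(set().union(*(s.seen for s in servers)))


def build_servers() -> list:
    # Constructed names; 'holding' plays the role of the server that does
    # not close its TCP connection.
    return [
        Sinkhole("holding", closes_connection=False),
        Sinkhole("sinkhole-B", closes_connection=True),
        Sinkhole("sinkhole-C", closes_connection=True),
    ]


if __name__ == "__main__":
    servers = build_servers()
    per_sinkhole = simulate(9, servers)
    print(per_sinkhole)                 # {'holding': 9, 'sinkhole-B': 3, 'sinkhole-C': 6}
    print("union:", union_count(servers))   # 9
```

With nine bots the holding server sees all of them, while the two sinkholes that behave normally see only the bots whose rotation reached them before the holding server did; each team reporting only its own sinkhole's figure therefore gets a different number, and only the deduplicated union across sinkholes reflects the population. That is the point Symantec conceded in the quote above: the smaller per-sinkhole counts were measurement artefacts, not evidence of a shrinking botnet.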

Re:In the end, it's better that it happened (5, Funny)

tao (10867) | more than 2 years ago | (#39768867)

Now we just need a botnet for Hurd... 1 infected computer would be enough for, say... 100% of the user base :)

Re:In the end, it's better that it happened (1)

DarkOx (621550) | more than 2 years ago | (#39768801)

Security is not anywhere, it must be everywhere. If your OS and underlying libraries get compromised the browser process could do anything! It has to be baked in, treating "hotspots" is what the industry has done for decades and it does not work. Security means best effort at every layer and zero trust designs anywhere possible.

Re:In the end, it's better that it happened (1)

V!NCENT (1105021) | more than 2 years ago | (#39770181)

Yes, but trusted computing is not trusted security. Trusted computing means only executing sealed binaries if they haven't been tampered with. This, however, does not mean that it's secure. In fact, if there is a flaw in the sealed binary, you can trust that the flaw will be executed.

Trusted Computing is kind of confusing as it is not that much of a security mechanism as it is a DRM scheme. Therefore trust doesn't mean reliance on something, that you can't secure, to work, for which you can do nothing but trust that it won't fail.

Re:In the end, it's better that it happened (3, Informative)

sribe (304414) | more than 2 years ago | (#39770005)

...according to Kaspersky (anti-virus developer) and dropped to 30.000.

The drop to 30,000 has been discredited. The number is still, unfortunately, much higher.

Re:In the end, it's better that it happened (3, Interesting)

Sneeka2 (782894) | more than 2 years ago | (#39768341)

True. Anybody with half a brain knew this of course. It was merely time for the practical proof.
From here on Apple will have to prove itself in how well it does or doesn't respond to such incidents.
For its first trial by fire, it didn't receive very high marks so far.

Re:In the end, it's better that it happened (1, Flamebait)

Chrisq (894406) | more than 2 years ago | (#39768709)

True. Anybody with half a brain knew this of course.

And now the Mac fanbois know it too.

Re:In the end, it's better that it happened (0)

Anonymous Coward | more than 2 years ago | (#39774283)

New rule - any idiot who writes "fanboi" gets modded down, regardless of the direction of their zealotry.

Re:In the end, it's better that it happened (2)

lipanitech (2620815) | more than 2 years ago | (#39769299)

This is the same thing that happened at Pwn2Own. Any time you integrate the browser into the OS you are opening up security vulnerabilities. Microsoft has had issues like this for years. Apple sacrificed security for usability.

Re:In the end, it's better that it happened (0)

Anonymous Coward | more than 2 years ago | (#39770041)

Depends on who's grading I suppose.

http://laws.qualys.com/2012/04/new-apple-java-takes-care-flas.html

Re:In the end, it's better that it happened (1)

Anonymous Coward | more than 2 years ago | (#39768399)

But how does that help? I mean "seed", heck, we've been /terraformed/ with evidence that Win security is bad, yet the average Win user is still pretty clueless about it.

Re:In the end, it's better that it happened (2)

WrongSizeGlass (838941) | more than 2 years ago | (#39769131)

But how does that help? I mean "seed", heck, we've been /terraformed/ with evidence that Win security is bad, yet the average Win user is still pretty clueless about it.

We Mac users pay a premium for our computers with the presumption that one of the benefits of a Mac is that security is stringent. Just make sure your updates are up-to-date, don't randomly install crap or casually click with a 'Hey, OK, if you really think you should install that' mentality.

This is like relying on the warning light on your dash that you're about to run out of gas. You never take it for granted that it will keep you from doing something stupid after the first time it fails you.

Re:In the end, it's better that it happened (1)

jedidiah (1196) | more than 2 years ago | (#39770523)

> Just make sure your updates are up-to-date, don't randomly install crap

If you are going to go that far then you don't really need to flee to another platform really. Being crippled by fear is no enhanced security, it's gravely degraded capabilities.

Someone else has already brought up the distinction between security and DRM in this regard.

Re:In the end, it's better that it happened (4, Informative)

mwvdlee (775178) | more than 2 years ago | (#39768403)

As I understand it, Mac's installed base is roughly ~8%, windows about ~85% (obviously, accurate and unbiased statistics are pretty near impossible to find).
Flashback infected some ~600,000 macs, so a PC trojan would have to have hit ~ 6,375,000 PC's in order to be worse.
Conficker (http://en.wikipedia.org/wiki/Conficker) infected ~7 million PC's, which is somewhat worse, but not by a large margin.

Obviously Flashback had the benefit of fighting against a userbase largely ignorant of security and it's quite likely that if Apple and its users start taking security seriously, future Mac infections will have significantly less impact. But history tells me things will become much worse before they get better.

Walled Garden (0, Troll)

DrYak (748999) | more than 2 years ago | (#39768483)

Obviously Flashback had the benefit of fighting against a userbase largely ignorant of security and it's quite likely that if Apple and its users start taking security seriously, future Mac infections will have significantly less impact. But history tells me things will become much worse before they get better.

Or, not.

For this you'll need Apple to back pedal on some simplifications they've made to make their OS more accessible to less technical people. (Like installing an application simply by drag-dropping an icon from an archive into a system folder. With no privilege asked).

I think that they'll rather use this incident as a golden pretext to put consumer OS X laptops into an iOS-like walled garden. If users only install Apple approved Apps on the laptops, the risks of infection should be dropping, right? And who needs non approved apps except some developers and other similarly crazy people.

Re:Walled Garden (3, Interesting)

Sneeka2 (782894) | more than 2 years ago | (#39768505)

For this you'll need Apple to back pedal on some simplifications they've made to make their OS more accessible to less technical people. (Like installing an application simply by drag-dropping an icon from an archive into a system folder. With no privilege asked).

Oh darn, I'll feed the troll...

OK, please elaborate how installing an application by simply copying the executable into a location where all executables are stored is insecure. Is there an exploit that has been facilitated by this that would have been impossible otherwise? /Applications is not a system folder BTW. The system is in /System, and /Library. /Applications is a location to install applications, nothing more, nothing less.

Re:Walled Garden (0)

Anonymous Coward | more than 2 years ago | (#39768633)

Actually, /Library is not a system folder. /Library is a system-wide configuration directory, kind of like /etc on other Unices.

That would be /System/Library you are thinking of.

Re:Walled Garden (1)

Sneeka2 (782894) | more than 2 years ago | (#39768665)

There you go, even better. :)

Re:Walled Garden (0)

Anonymous Coward | more than 2 years ago | (#39769673)

/etc still exists on OS X and iOS. Both are BSD Unix. The various "Library" folders are for configuration file and information storage (as in "central app databases" versus "documents"). but were originally meant to be user-browsable. In Lion, Apple started marking the ~/Library folder as invisible because too many grandmas were messing up their user environments by playing around in there. They're annoying power users to save the rest by hiding this.

Re:Walled Garden (2)

jbolden (176878) | more than 2 years ago | (#39771149)

If you are a power user you know how to edit the defaults and show these directories.

Re:Walled Garden (3, Informative)

BasilBrush (643681) | more than 2 years ago | (#39768749)

For this you'll need Apple to back pedal on some simplifications they've made to make their OS more accessible to less technical people. (Like installing an application simply by drag-dropping an icon from an archive into a system folder. With no privilege asked).

There's no simplification there. It's standard Unix permissions. The normal Application folder is shared between users for read and execute, but you need admin privileges to write there. So only admins can install there. A user can set up their own private Applications folder if they want and install applications there though.

Neither Applications folder is a system folder.

This ability to do drag and drop installs has precisely nothing to do with vulnerability to malware.

You'd do better to restrict predictions of the future to things you know something about.

Re:Walled Garden (0)

Anonymous Coward | more than 2 years ago | (#39769445)

For this you'll need Apple to back pedal on some simplifications they've made to make their OS more accessible to less technical people. (Like installing an application simply by drag-dropping an icon from an archive into a system folder. With no privilege asked).

There's no simplification there. It's standard Unix permissions. The normal Application folder is shared between users for read and execute, but you need admin privileges to write there. So only admins can install there. A user can set up their own private Applications folder if they want and install applications there though.

"Secure" UNIX variants have moved on from classic user and group level permissions and implemented application level Mandatory Access Controls, such as SELinux, Trusted BSD, etc. Apple has also moved in this direction with some success but has held off implementing it universally in order to maintain legacy support and make things easier for developers. The "Gatekeeper" due in the next OS X version will make these settings configurable by the user on a not very granular scale and only at install time, but it still has a long ways to go if they want to avoid the constantly out of date blacklist paradigm used on Windows.

Re:Walled Garden (0)

MightyYar (622222) | more than 2 years ago | (#39769377)

(Like installing an application simply by drag-dropping an icon from an archive into a system folder. With no privilege asked).

Excuse me, Stewardess, I speak Windows.

An EXE can be installed in Windows by dragging and dropping the EXE onto the "C:\Program Files" folder. You have to do this when installing programs that come without installers. Most people never do this because program makers learned early on that people are too retarded to make their own Start Menu shortcuts, and it also lets them install other crap that people don't really need. Macintosh also has an installer, but it's not usually necessary unless the application requires system folders to be touched.

Hey, you know what they say: see a broad to get dat booty yak 'em... ...leg 'er down a smack 'em yak 'em!
COL' got to be! Y'know? Shiiiiit.

Golly!

Re:Walled Garden (0)

Anonymous Coward | more than 2 years ago | (#39769471)

An EXE can be installed in Windows by dragging and dropping the EXE onto the "C:\Program Files" folder.

The difference being the executable format. APP is a format that supports inclusion of multiple executables, resources, and reference copies of configurations. EXE is not well suited to this same role.

Re:Walled Garden (1)

MightyYar (622222) | more than 2 years ago | (#39769843)

The difference being the executable format.

That's certainly true, but what impact does that have on security?

Re:Walled Garden (1)

ceoyoyo (59147) | more than 2 years ago | (#39769711)

Ah, a comment about Apple and the Mac from someone who clearly doesn't know much about it.

Dragging an executable to a particular place on the drive (/Applications isn't a system folder) isn't insecure. Of course, once you do that, and run the thing, the OS will ask you if you really want to do it anyway.

But yes, the dominant system on Windows where everything asks for admin credentials whenever it does anything, resulting in most people just running as admin all the time is MUCH better.

Re:Walled Garden (1)

jedidiah (1196) | more than 2 years ago | (#39770555)

> Dragging an executable to a particular place on the drive (/Applications isn't a system folder) isn't insecure

This kind of thinking is why MacOS is not really a Unix.

If you suggested a comparable thing with any other Unix, you would get laughed at and rightfully so.

Re:Walled Garden (1)

grcumb (781340) | more than 2 years ago | (#39777311)

> Dragging an executable to a particular place on the drive (/Applications isn't a system folder) isn't insecure

This kind of thinking is why MacOS is not really a Unix.

If you suggested a comparable thing with any other Unix, you would get laughed at and rightfully so.

Why? If I have write permissions on a directory, I can put whatever the fuck I want into it.

You seem to be under the impression that /Applications is equivalent to /bin or /sbin. It's not. It's more like /usr/bin or even ~/bin.

Re:Walled Garden (0)

Anonymous Coward | more than 2 years ago | (#39769969)

Actually I can't wait for the ability in Mountain Lion to lock out non-appstore apps. I mean Android had this feature forever and Android are "the good guys", right? So how can you complain? Sorry, but if you're a professional who actually pays for his tools and not some pirate kiddie gamer then there is no reason to whine about this. It makes life that much easier and if life is easier life is more productive and if life is more productive I make more money. Sure, waste your time playing amateur sysadmin on some crappy Linux box but I have paid work to do.

Re:In the end, it's better that it happened (0)

Anonymous Coward | more than 2 years ago | (#39769185)

Yeah [cad-comic.com]

Re:In the end, it's better that it happened (0)

Anonymous Coward | more than 2 years ago | (#39769869)

Oh, now malware is the same as virii? Man you guys need to get your excuses straight

Re:In the end, it's better that it happened (1)

jbolden (176878) | more than 2 years ago | (#39770825)

Except they aren't as vulnerable; there is a pretty long history at this point of OSX. Further, the ability to move the developer community rapidly, and having a user base that is comfortable with application breakage on OS updates, means that Apple can enhance security. They have also laid a lot of groundwork in terms of security infrastructure, for example the defaults regarding application install and the sandboxing.

A few slips once in a while is substantially different than the same level of problems as windows.

Re:In the end, it's better that it happened (1)

CheerfulMacFanboy (1900788) | more than 2 years ago | (#39771473)

At its height it was never as bad as some of the windows viruses have been, but it plants the seed that macs aren't safe and are just as vulnerable as any other OS.

But for some reason people here don't want to admit that it proves that Wordpress admins (many of them running Linux) either don't keep their servers updated, or were duped into installing a Trojan plug-in - and thus Linux is just as vulnerable as any other OS.

It spread quickly because the average Mac User.... (1)

Anonymous Coward | more than 2 years ago | (#39768321)

...knows far less about computer security than the average Windows user that's lived with viruses for 20 years?

That's one tough learning curve they're entering.

Re:It spread quickly because the average Mac User. (1)

Anonymous Coward | more than 2 years ago | (#39768363)

Oh, they do know about viruses, but the majority of these users moved away from windows so they can keep being lazy and not care about security, of course, the malware is going to follow them.

Re:It spread quickly because the average Mac User. (0)

Anonymous Coward | more than 2 years ago | (#39769525)

...knows far less about computer security than the average Windows user that's lived with viruses for 20 years?

That's one tough learning curve they're entering.

The average Mac user is a former average Windows user.

Neither understands jack shit about security.

Ignorance (3, Interesting)

dejanc (1528235) | more than 2 years ago | (#39768349)

The main problem here may be ignorance. I use OS X and I only heard about this malware here on Slashdot. I really don't recall reading about it anywhere else. I immediately installed a Java update when it was available because I heard the fix was propagated through it. I might have as well skipped it or postponed it as I often do when I am in a situation when I don't want to wait for the updates to install, e.g. when checking email in a hotel on a vacation or just turning on the laptop to quickly see something like weather forecast.

Most Mac users probably never even heard about Flashback.

Re:Ignorance (2, Insightful)

TubeSteak (669689) | more than 2 years ago | (#39768419)

The main problem here may be ignorance.

The main problem here may be WordPress.
It didn't have to be OSX malware, they could have targeted any operating system.

Re:Ignorance (2, Insightful)

Anonymous Coward | more than 2 years ago | (#39768553)

The main problem here may be WordPress.
It didn't have to be OSX malware, they could have targeted any operating system.

No, the main problem is arrogance and ignorance.

WordPress does have security bugs, but if that was it, then there'd be tens of thousands of compromised blogs and nothing else. Your computer shouldn't be compromised simply by going to an untrustworthy site. Period.

It could have targeted any operating system, but it didn't. It could have targeted Windows, which is more numerous by an order of magnitude, but it didn't. The difference is clearly that:

  • The bug was initially in Java, but Oracle patched it relatively quickly. But Apple, with their own custom version of Java, took too long. Many have argued that it's due to a lack of security awareness within Apple.
  • A history of security vulnerabilities in Windows has led to a robust and mature ecosystem of antivirus/antimalware.
  • Users are conditioned to be on the lookout for malware (again, due to Windows' chequered history).

Mac OSX will continue to have zero-day malware attacks, especially as its market share grows. In turn, Apple will develop its security team once it becomes obvious the attacks will continue, and Mac users will over time learn to be as wary as Windows users.

Re:Ignorance (0)

Anonymous Coward | more than 2 years ago | (#39769549)

The bug was initially in Java, but Oracle patched it relatively quickly. But Apple, with their own custom version of Java, took too long. Many have argued that it's due to a lack of security awareness within Apple.

Apple doesn't have a custom version of Java anymore. They don't even ship with a JVM. Oracle is maintaining the JVM and Apple is keeping it up to date for legacy systems. There is debate as to when Oracle actually patched the Mac version of their JVM. Apple is, however, clearly lagging on security awareness and response, especially with regard to this particular problem.

A history of security vulnerabilities in Windows has led to a robust and mature ecosystem of antivirus/antimalware.

A reactive system, not well designed.

Mac OSX will continue to have zero-day malware attacks, especially as its market share grows. In turn, Apple will develop its security team once it becomes obvious the attacks will continue, and Mac users will over time learn to be as wary as Windows users.

Apple actually has very good security technology. Their R&D has put together some great MAC frameworks (based on TrustedBSD's code base and heavily influenced by Bitfrost). Where they are lacking is in upper level directives putting security above other business concerns and driving a widespread culture of security audits. Well, that and having a decent real time response team.

Re:Ignorance (4, Informative)

sapphire wyvern (1153271) | more than 2 years ago | (#39768559)

The malware still has to install on the user's OS, which requires browser/plugin exploits on the user's PC for user-privilege level access and possibly a local escalation bug if the malware wants admin rights without user "approval". So I think it's fair to cast _some_ aspersion at Apple here, even if WordPress is providing the server end of the malware deployment ecosystem.

But getting back to your point about WordPress. It seems to me that WordPress has been the server-side vector for far too many malware deployment efforts. I've certainly heard its name associated with a lot of previous malware storms. What are some more secure alternatives to WordPress?

Re:Ignorance (3, Informative)

jaymemaurice (2024752) | more than 2 years ago | (#39768673)

It probably doesn't matter what you use if you do not plan on continually updating it, or if you install every third-party plugin... It's not like the WordPress community can't deliver a working blogging platform or patch the security flaws, but it is the prevailing platform, open source, and nobody updates. Same problems the OS vendors have, really.

apparlindia (1)

apparelindia (2610461) | more than 2 years ago | (#39769069)

really right saying

Re:Ignorance (1)

metrometro (1092237) | more than 2 years ago | (#39771665)

The secure alternative to WordPress is a current version of WordPress.

It's a widely used tool for non-experts to manage their own servers. Standards vary. Good news is WordPress updates automagically with one click. Bad news is there's a huge plugin market and theme aftermarket, and some of it is insecure. The only way to fix this is a) make it less open or b) kick out the newbies. Both medicines are worse than the disease.

Re:Ignorance (0)

Anonymous Coward | more than 2 years ago | (#39774965)

Not sure "a) make it less open" is a solution anyway. Since Mac is not "open" to the point where they refused to use Java's version of Java ... and thus didn't fix an exploitable problem three months after Java released a patch for it.

Re:Ignorance (2)

makomk (752139) | more than 2 years ago | (#39768577)

Now figure out what would happen if the malware was coded to infect WordPress blogs adminned from the computers it affected. OSX is the problem here, no question about it.

Re:Ignorance (1)

Anonymous Coward | more than 2 years ago | (#39768469)

hey! how many I's can one pack into 4 lines of comments about one's "greatness" ...

counting 8 I's and very irrelevant data here ...

Re:Ignorance (1)

dejanc (1528235) | more than 2 years ago | (#39768589)

I'm going for a new record which I'm about to set so I can brag about it :)

Sorry for awful writing :)

Not really a surprise (4, Informative)

Sycraft-fu (314770) | more than 2 years ago | (#39768871)

Apple really wants to downplay the issue. This actually isn't the first malware to hit Macs (one of our professors got one that was using text to speech to read out ads; it was hilarious), just the first one to be really bad. Apple is still addicted to selling the viewpoint that Macs are immune to that kind of shit. So they didn't go putting out any big press releases warning people of nasty shit.

Most of the time when there's a nasty problem, the vendors put out press releases to try and let people know that the patches this time around are more important than normal and yes, you really need to apply them Right Now. Apple didn't, so reporting on it wasn't as widespread as you might expect.

Also there are a surprising number of Mac users who drink the "Macs can't get viruses" Kool-Aid wholeheartedly. They don't just believe the specifics of the Apple advertising, they really believe Macs are 100% immune to security issues. Drives me up the wall when I'm dealing with one of them and trying to explain that yes, you DO need to patch your OS even though it is a Mac and no, running an FTP with world write access is not ok just because it is a Mac (really, had some grad students pull that one).

Given the amount of Mac users in journalism, and the general techno-unawareness of journalists, that makes the problem worse. Someone sees a story about a "mac virus" and they say "Nah, can't be real, Macs don't get viruses, just more stupid shit floating around the 'net."

As time goes on, and Macs continue to be targeted (which they will) or we see cross-platform attacks (using Java or HTML5 or something), the awareness of security on Macs will slowly rise.

Re:Not really a surprise (0)

ColdWetDog (752185) | more than 2 years ago | (#39771317)

And there are way too many Windows users who think they're immune because 'McAfee' comes with their PC (too bad you didn't pay for the updates). Or that you can keep your antivirus program up to date and still happily surf 'midgetsandgoatsxxx.com' all day and click on anything that blinks.

Drives me mad when I have little conversations with people who think it's cool to update a policy document on said compromised machine and then want to send it to me via a USB drive. Last time that happened, I put the little drive in a sterilizer bag and ran it through an autoclave and gave it back to the guy. It was pretty clean, just a bit twisted. Doubt it could be used as a malware vector anymore.

Re:Not really a surprise (1)

jbolden (176878) | more than 2 years ago | (#39771411)

I don't think so. This isn't Microsoft, with a complex ecosystem of interlocking vendors; this is Apple, with a top-down style. If Mac users are being confronted with security threats, Apple is going to design a response and focus on developers to rapidly bring their applications up to date. The message is going to be "we are taking care of it, make sure your applications are focused on meeting security standard XYZ because in 47 days..."

The infrastructure is in place for Apple to turn the security way up very quickly. What doesn't exist yet is a business need.

Re:Not really a surprise (2)

Vokkyt (739289) | more than 2 years ago | (#39772385)

I would hope the general response by tech journalists to Mac malware is an inquisitive one. It's certainly my reaction, since it is still a fairly unique occurrence.

Macs and malware are an annoying thing to read about because you have to dig through so much Pro/Anti Apple uselessness to figure out even the most basic information about the malware, like "what's it doing?" or "how do I know I'm infected?". I think when I read this on /. initially, it wasn't until around the 200th comment that someone posted the F-Secure update on the malware, which was really informative. The original article was a very brief description of what the malware did and then a doomsday prophecy for OS X.

Obviously, this is anecdotal, but the concerns that the users I support have are less "Pfft, My mac is invulnerable" and more "Does this affect us?". There was so little actual data on the malware that most of my users just heard second-hand from the few vocal anti-Apple folk on our campus about how the OS X sky was falling.

Apple does have some growing to do with security, but I think that the security community and the tech community in general need to grow up a little when reporting on OS X. I get it -- Apple's old marketing is coming back to bite them in the ass, and it's an embarrassment that makes for a phenomenal opportunity to make fun of Apple. But if you're a security firm breaking a story on malware, you should probably start with just the facts, and leave the jabs to an editorial. As it stands, pretty much any Mac malware has a script:
1. Declare something has been found
2. Provide the known number of infections, strongly suggest it's far greater (without any evidence thereof)
3. Declare this a sign of the end of OS X's innocence
4. Say how OS X has enjoyed a period of invulnerability due to marketshare, and that period is now gone as we expect to see more and more malware infections just like this one.
5. Repost the same story 9 months later when another mild infection occurs, update the story to use the new infection name.

6 million is a decent number of Macs, and it's really frustrating to know that they are being targeted now. So let's change the style of reporting to something actually useful instead of the same rehashed doomsday prophecies OS X has been getting for the last 4 years.

Re:Ignorance (1)

Kyusaku Natsume (1098) | more than 2 years ago | (#39772759)

I also did that: I updated my wife's computers even if she didn't like to reboot her machines for updates, but this helped her to understand why it is necessary. Flashback worked because we are pestered with Flash Player updates almost weekly, so for many users this appeared to be a legitimate update, and because Apple was incredibly lazy in updating Java. 1 or 2 weeks of delay between Oracle's patch and Apple's patch is reasonable; 2 months is not.

mod 0p (-1)

Anonymous Coward | more than 2 years ago | (#39768685)

AAl servers. Coming are a few good

started with LAMP exploits (0)

Anonymous Coward | more than 2 years ago | (#39768717)

as usual.. the countless rooted LAMP boxen hosting blogs serving malware to Windows computers. Irony?

Wordpress wasn't that vulnerable, timthumb was. (5, Informative)

Anonymous Coward | more than 2 years ago | (#39768837)

"How this happened is unclear. The main theories are that bloggers were using a vulnerable version of WordPress or they had installed the ToolsPack plug-in."

This is not unclear at all. There were a few security problems with WP in the last year, but a LOT of themes use the timthumb.php module to do dynamic rescaling of images. Timthumb used to be extremely vulnerable: you could download a file from http://www.youtube.com.attacker-domainname/anything.php, install it in timthumb's cache and have full access, like, forever.

Updating WP wouldn't do any good, as a fully updated WP installation can still run a vulnerable theme. Even when the flaws in timthumb were fixed and the theme was updated, these sites had been flooded with backdoors, varying from eval($_POST['a']) in wp-config.php to newly created admin users. (Admin users can edit .php files from /wp-admin; an admin user effectively has the power to run any PHP code desired.)

I've manually removed and analysed infections from several customers' WordPress websites; all were hit by timthumb exploits. Some of these websites had literally dozens of backdoors, each of which gave full access to the site. I've seen malware that hid from googlebot to avoid detection. I've seen infections with timers, and infections that kept an IRC connection open to accept commands. These infections were just waiting for the right moment to be abused.

Re:Wordpress wasn't that vulnerable, timthumb was. (4, Interesting)

AndrewStephens (815287) | more than 2 years ago | (#39769335)

Exactly right. I have noticed a huge upswing of probing behavior in my Wordpress site logs, all targeting timthumb in various common themes. Wordpress is easy to install (and easy to upgrade) but requires ongoing upkeep as vulnerabilities are found and patched. Too many people just install it and let it rot.
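An added defender-side example, not the commenters' code and not timthumb's own source: it contrasts a substring-style host allowlist check, which the bypass URL quoted above slips past, with a check on the parsed hostname, and runs the strict check over constructed access-log lines to flag requests to a timthumb-style script whose src= points off the allowlist, the sort of probing the comment above reports in its logs. ALLOWED_HOSTS, the log lines and the IP addresses are constructed for this example.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Hosts an image-resizing script intends to fetch from (constructed allowlist,
# not timthumb's real list).
ALLOWED_HOSTS = ("youtube.com", "flickr.com", "blogger.com")


def host_allowed_weak(url):
    """Substring match against the raw URL: accepts
    http://www.youtube.com.attacker-example.test/anything.php because
    'youtube.com' appears inside the attacker-controlled hostname."""
    return any(domain in url for domain in ALLOWED_HOSTS)


def host_allowed_strict(url):
    """Parse the URL and require the host itself to be an allowed domain or a
    subdomain of one; scheme must be plain http(s). Userinfo tricks such as
    http://youtube.com@other.test/ are handled because .hostname drops the
    part before '@'."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_HOSTS)


# Common Log Format request line (the constructed sample log below uses it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def timthumb_probes(log_lines):
    """Return (client_ip, src_url, weak_check_would_accept) for each request to a
    timthumb-style script whose src= host fails the strict allowlist check."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlparse(m.group("path"))
        if not req.path.lower().endswith(("timthumb.php", "thumb.php")):
            continue
        src = parse_qs(req.query).get("src", [None])[0]
        if src is None:
            continue
        src = unquote(src)
        if not host_allowed_strict(src):
            hits.append((m.group("ip"), src, host_allowed_weak(src)))
    return hits


# Constructed access-log lines; the first mirrors the bypass the comment describes,
# the second is a legitimate fetch from a real subdomain of an allowed host.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Apr/2012:10:01:02 +0000] "GET /wp-content/themes/example/timthumb.php?src=http://www.youtube.com.attacker-example.test/anything.php HTTP/1.1" 200 512
198.51.100.7 - - [21/Apr/2012:10:02:15 +0000] "GET /wp-content/themes/example/timthumb.php?src=http://img.youtube.com/vi/abc/0.jpg&w=100 HTTP/1.1" 200 4096
192.0.2.9 - - [21/Apr/2012:10:03:01 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for ip, src, weak_ok in timthumb_probes(SAMPLE_LOG.splitlines()):
        print(f"{ip} requested off-allowlist src {src} "
              f"(substring check would have allowed it: {weak_ok})")
```

Run against a real access log, the same function turns the probing the parent comment mentions into a short list of offending client addresses and the fetch URLs they tried.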

Re:Wordpress wasn't that vulnerable, timthumb was. (1)

colfer (619105) | more than 2 years ago | (#39770105)

Also, themes are difficult to update. Compared to plugins and the Wordpress core, theme updates have these problems:

1. First, themes do not notify you when they have updates available.

2. It takes an expert to merge a theme update with the existing customization of the theme. (Plugins and core updates are one click.)

3. Theme vendors limit their support. I dealt with a well-known theme vendor which charges some small amount for a subscription to all its themes. It refuses to provide archive versions or changelogs. So the expert is left guessing what customizations have been made, unless some previous person working on the site has kept a copy. (Plugins are more commonly from the WP site, with changelogs and archives.)

4. Users keep unused themes lying around online and see no reason to update them. (This can also be a problem with inactive plugins.)

5. Wordpress core can do nothing to protect against bad code. A theme can run arbitrary PHP, as can any admin user from the admin interface, as mentioned by parent. (Plugins are similar, though at runtime the active theme has priority over plugins.)

Msc People are awake now, this is a good thing! (5, Interesting)

anthony_greer (2623521) | more than 2 years ago | (#39768993)

I have had non technical Mac users ask me about this, that means that they (or at least more of them than before) are open to advice about security and don't just smugly boast about Macs being invincible any longer. This makes everyone safer from my view.

BTW, the advice I give Mac users who ask is as follows:
1: run Apple menu->Software Update manually at least once a week, and download everything it suggests*
2: use a non admin account for daily activity and NEVER provide admin creds unless you know exactly what it is using them for, you should never need to do this while surfing the web.
3: Only get software from trusted sources, like the app store, SourceForge, or vendor web sites like Adobe or Autodesk.
4: Switch to a platform where Java is controlled and updated by the first party, Oracle, and not a third party, Apple, to ensure you have the best security possible.

*Just as with Windows or any other *NIX box, there is an exception to the "update everything" thing: if you know that it will break your workflow or some component thereof, you can skip it while that is worked out.

Re:Msc People are awake now, this is a good thing! (2)

jrminter (1123885) | more than 2 years ago | (#39769091)

Your point about updates breaking critical workflows is something Windows users have struggled with for years. The problem is that it is typically difficult to find out until it is too late unless one spends a great deal of time following all the development mailing lists on all software in one's toolchain.

Re:Msc People are awake now, this is a good thing! (1)

quacking duck (607555) | more than 2 years ago | (#39771175)

Very glad to see you didn't include "install and run anti-virus" on the list.

As I noted above, Windows users got hit just as bad with Conficker, percentage-wise, despite being conditioned to run antivirus and anti-malware tools all the time. Those tools do very little against new malware that exploit already-patched vulnerabilities.

Re:Msc People are awake now, this is a good thing! (1)

anthony_greer (2623521) | more than 2 years ago | (#39772781)

There is some value to heuristics in AVs in Windows. I have seen both SEP and MS FEP stop undefined malware with heuristics in a large company.

On the Mac however, there are no heuristic algorithms in wide enough use to be valuable, so AVs only really stop you from propagating Windows viruses, which Macs can't do anyway unless you are forwarding spam email, so it's really pointless to run AVs on Macs.

Re:Msc People are awake now, this is a good thing! (1)

Huge_UID (1089143) | more than 2 years ago | (#39771873)

4a. Uninstall Java. 4b: If you must run Java, switch to a platform where Java is controlled and updated by the first party, Oracle, and not a third party, Apple, to ensure you have the best security possible.

Re:Msc People are awake now, this is a good thing! (1)

tlhIngan (30335) | more than 2 years ago | (#39772355)

4a. Uninstall Java. 4b: If you must run Java, switch to a platform where Java is controlled and updated by the first party, Oracle, and not a third party, Apple, to ensure you have the best security possible.

Basically, you mean upgrade your Mac.

OS X has stopped shipping Java for a little while now - I think Leopard was the last version to come with it by default, but later versions excluded it (like Flash). The main reason was to avoid reinstalls installing vulnerable versions again (Flash, notably). But for Java it was basically the end of a deprecation of the Java API as a first-class environment on OS X.

Now all updates are done through Oracle w.r.t. Java.

Re:Msc People are awake now, this is a good thing! (2)

kybred (795293) | more than 2 years ago | (#39773169)

Apple stopped installing Java with Lion. But if you attempt to run a Java app you get a prompt asking if you want to install Java. I believe that is still the Apple Java implementation, with Apple still handling the updates.

In fall 2010, Apple announced that they were stopping their in-house Java development and were putting their support into OpenJDK [wikipedia.org]. It looks like that is targeting Java SE 7, so I think that Apple must be continuing their Java development in house until that is released. So perhaps Apple is in the middle of the transition from in-house to OpenJDK; that could have caused the delay in the last Java update.

As a side note, Apple is not the only vendor to have their own Java. If you go to the Oracle Java download page [java.com], it lists only Windows, Solaris and Linux versions. IBM and HP do their own. Looks like IBM spun their update quickly after Oracle, but HP took about a month for their update.

IS Wordpress fundamentally broken? (3, Interesting)

anthony_greer (2623521) | more than 2 years ago | (#39769017)

I am not a web dev, but it seems to me that there are way too many stories that involve WordPress attacks in the past year. I have heard of at least 10 cases of WordPress being compromised, but in that same time not one case of Drupal, Sharepoint, Joomla, or Movable Type having the same issues, assuming all were running the latest releases.

Is WordPress broken at its core, or is it all just crummy plugins that open holes?

Re:IS Wordpress fundamentally broken? (0)

Anonymous Coward | more than 2 years ago | (#39769191)

"assuming all running the latest releases".

That part, right there: do you know how *PAINFUL* it is to get people to update to the latest releases of these tools? Especially Sharepoint?

Re:IS Wordpress fundamentally broken? (1)

Shikaku (1129753) | more than 2 years ago | (#39769203)

Crummy plugins and people that never update Wordpress/said crummy plugins.

Re:IS Wordpress fundamentally broken? (2)

ledow (319597) | more than 2 years ago | (#39769391)

Joomla gets more than its fair share of serious compromises (usually XSS), but the difference that I found is:

1) It automatically updates.
2) You can sign up to an email about those updates and perform them manually.
3) People don't install ten million kinds of junk and plugins into it.

But, of course, what keeps it with a better reputation is a) not being stupid, b) fixing things that are broken and c) not as many people using it.

Wordpress would be fine - if you kept it up to date in the same way and didn't use random plugins. That's not what people do.

Re:IS Wordpress fundamentally broken? (1)

Danzigism (881294) | more than 2 years ago | (#39770091)

I don't think it's a matter of WP being broken at its core. They have some of the best core developers I've seen work on any open source project. However, it is easy to fall out of the best practices for running a WP site. Also consider that it is the most largely growing CMS out of them all. Not setting correct file permissions, using DB users with too many privileges, not keeping the damn thing up-to-date (it's easy to update, just sign in and click the notification), and just generally being an inexperienced user is what ultimately allows their sites to be hacked. Why doesn't it happen in Drupal? Simple. Inexperienced users don't use Drupal.

Re:IS Wordpress fundamentally broken? (1)

dkf (304284) | more than 2 years ago | (#39770495)

I don't think it's a matter of WP being broken at its core. They have some of the best core developers I've seen work on any open source project. However, it is easy to fall out of the best practices for running a WP site. Also consider that it is the most largely growing CMS out of them all.

What they appear to have is a more subtle problem: it's not designed to Fail Safe. Get something wrong? Fail to update? Any problem, and you end up with some ability to do local damage and set in motion a full exploit. If the system failed safe, it wouldn't allow you to do anything until you'd proved that you were legit; any bugs would just result in a reduction in what could be done.

That said, I've got no idea how far you could get with creating a full CMS on the principles I described. Yes, I use the principle in my own web programming but there the set of operations is far more restricted. (I also don't support run-time updating.)

isn't wordpress open source? (0)

Anonymous Coward | more than 2 years ago | (#39769787)

figures the source for this whole fiasco would be some open source crap for cheapskates

Mac using bloggers... (1)

SCHecklerX (229973) | more than 2 years ago | (#39770501)

Enough said.

Antivirus Anyone? (0)

Anonymous Coward | more than 2 years ago | (#39771365)

Maybe the point here is that maybe 1 in 1,000 Macs has antivirus software installed. If you sit behind a veil of invincibility, eventually you learn... sometimes the hard way.

hmmm (0)

Anonymous Coward | more than 2 years ago | (#39772791)

I thought Macs were "immune" to computer viri..... That's what my robot artist friends have always told me......... gee.....

Re:hmmm (0)

Anonymous Coward | more than 2 years ago | (#39772837)

protip: the plural of virus is viruses.

MORONS (0)

Anonymous Coward | more than 2 years ago | (#39775451)

First off, you morons gotta figure out what a virus is and how this even touches a computer. I get a kick out of viruses being noted when it's a hole in an OS, which means I would close this hole or stop running the poorly written software. Second, like I said before, Unix, aka Mac OS X, is a parent-child process controlled system and has no way of running any virus nor infecting anything from the browser. If you are unsure of how to run a machine, turn it off and go back to knitting.

MORONS

Mac is not infected nor will it ever be... Unix is Unix.
