First things first: What is the Flashback Trojan horse?
Flashback is a malicious software program, discovered in September 2011, that masqueraded as an installer for Adobe Flash. The original version of Flashback relied on users to install it, but this new form uses an unpatched Java vulnerability to install itself.
When you visit a website hosting Flashback, it attempts to display a specially crafted Java applet. If you have a vulnerable version of Java installed and enabled in your Web browser, the malicious code will infect your system.
Flashback then pops open a Software Update window to obtain your administrative password, to embed itself more deeply into your Mac. Even if you aren’t fooled at this point, you are still infected.
Flashback inserts itself into Safari and appears to harvest information from your Web browsing activities, including usernames and passwords. It sends this information to command-and-control servers on the Internet.
Who is at risk of being infected by Flashback?
You are at risk if the following apply:
1. You have Java installed on your Mac. Open the Terminal app (located in /Applications/Utilities) and type java -version at the prompt. A version number appears if Java is installed.
2. You do not have the Java for OS X Lion 2012-001 (if you’re running Lion) or Java for Mac OS X 10.6 Update 7 (if you’re running Snow Leopard) installed, or you were infected before either of them was installed. Both of those updates install Java version 1.6.0_31.
3. You allow Java applets to display in your browser. In Safari, go to Preferences > Security > Web Content and see if the Enable Java option is checked.
4. You do not have any of the security tools installed on your Mac that Flashback checks for, including Little Snitch, Xcode, and a few anti-malware tools.
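The checklist above can be run from the Terminal. The script below is an added example, not part of the original article: it parses the banner that java -version prints, compares the update level against the 1.6.0_31 build the article names as patched, and reads Safari's Java applet setting (the com.apple.Safari WebKitJavaEnabled key is assumed to be where Safari of that era stored the Enable Java checkbox).

```shell
#!/bin/sh
# Added example (not from the article): automates the "Who is at risk" list.
# Assumptions: Java 1.6.0_31 is the patched build (per the article), and the
# Safari preference key WebKitJavaEnabled mirrors the Enable Java checkbox.

PATCHED_UPDATE=31   # Java for OS X Lion 2012-001 / Mac OS X 10.6 Update 7 install 1.6.0_31

# Parse one 'java -version' banner line, e.g.:  java version "1.6.0_29"
# Prints "patched" if the 1.6.0 update level is at least 31, "vulnerable" if
# it is lower, and "unknown" for anything that is not a 1.6.0_NN banner.
java_patch_status() {
    line="$1"
    case "$line" in
        *'java version "1.6.0_'*) ;;
        *) echo unknown; return 0 ;;
    esac
    update=${line##*1.6.0_}      # strip everything up to and including 1.6.0_
    update=${update%%\"*}        # drop the closing quote and anything after it
    case "$update" in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # not a plain number
    esac
    if [ "$update" -ge "$PATCHED_UPDATE" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Live check of this Mac: java -version writes its banner to stderr,
# so it is redirected into the pipeline.
check_this_mac() {
    if ! command -v java >/dev/null 2>&1; then
        echo "Java: not installed (the applet exploit cannot run)"
        return 0
    fi
    banner=$(java -version 2>&1 | head -n 1)
    echo "Java: $(java_patch_status "$banner") ($banner)"
    # Assumed key: Safari's Preferences > Security > Web Content > Enable Java
    if [ "$(defaults read com.apple.Safari WebKitJavaEnabled 2>/dev/null)" = "1" ]; then
        echo "Safari: Java applets enabled (uncheck Enable Java to remove this risk)"
    else
        echo "Safari: Java applets disabled, or the setting was not found"
    fi
}
```

Run check_this_mac from a Terminal on the Mac being audited; a "vulnerable" Java line together with "Java applets enabled" means the first three conditions are met.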
How can I tell if my computer is infected by Flashback?
Apple has released an update to remove the malware (see “Remove Flashback from an Infected Mac”). Antivirus products should also detect it, provided you have the latest signatures installed. (Usually, you can update manually in your security app’s preferences, but this varies from product to product; most update automatically.)
How can I protect myself from Flashback?
Run Software Update and make sure you have the latest patches. This will prevent any infections that exploit the current vulnerability.
Disable Java in Safari and other Web browsers. In Safari, go to Preferences > Security > Web Content and uncheck Enable Java.
Uninstall Flash and use Google Chrome as your browser. Chrome includes an embedded, sandboxed version of Flash (its access to your system is limited), which reduces the chances of infection. I still use Safari, but when I need Flash I switch to Chrome.
If you don’t need Java at all, disable it. The Java Preferences utility is in /Applications/Utilities; uncheck the boxes next to the versions listed in the General tab. Be careful, though: Some programs (such as CrashPlan) require it.
I haven’t allowed Java to run in my browser for some years now. Mac antivirus tools may help, but they still don’t catch everything. That said, the current programs are far less intrusive and performance-impairing than they used to be; some of them (including Sophos and ClamXav) offer free versions. Remember, you can still be infected by new malware if those tools don’t specifically protect against it.
What does this mean for the future of malware on Macs?
Most Mac malware hides itself inside software programs that the average user is unlikely to install. But Flashback is far more serious, because it can infect a vulnerable computer without user interaction. Dozens of new variants have been detected, which means the malware authors are working hard to extend the life of the infection.
Flashback doesn’t necessarily mean that Macs will soon be as laden with malware as Windows computers. But the future of the platform’s security depends a lot on Apple and good old-fashioned luck.
Apple has been introducing a series of technologies—tools like Address Space Layout Randomization (ASLR), sandboxing, and data-execution prevention (DEP)—to reduce the chances of exploitation even when a Mac is vulnerable and to limit the potential damage of an attack. But these technologies aren’t perfect, especially when complex programs that run Web content like Java or Flash are involved.
Apple clearly needs to be quicker about patching software that’s known to be vulnerable. After the success of Flashback, we can only assume the bad guys will move more quickly the next time. Apple should consider sandboxing Safari even further. It should also explore the possibility of sandboxing Flash and Java independently; if the latter isn’t technically feasible, the company should work more directly with the vendors of those technologies to develop sandboxed Mac versions.
Gatekeeper, a security feature in the upcoming OS X Mountain Lion release, will significantly change the game for manually installed Trojan horses; it will make that form of attack much less profitable (and thus less likely).
Attackers clearly care more about Macs now. But we need to keep our perspective: There’s still far less malware aimed at Macs than at, say, Android phones. Nevertheless, Flashback is a significant development. We’ll see more malware on Macs, but as long as we all take precautions and stay vigilant, the attacks will be infrequent events rather than the continuous onslaught of epidemics that some observers are predicting.