Flashback: Mac Security Holed by Java

The Macintosh operating system has long basked in a reputation for invincibility. Mac users routinely advised their virus-stricken friends to switch from Windows to Mac. Experts know otherwise; Apple has been forced to patch plenty of security vulnerabilities in MacOS.

However, the Flashback attack that affected over half a million Macs isn't specifically a MacOS attack. Rather, as Chris Valasek, Senior Security Researcher at Coverity, explained, it totally relies on vulnerabilities in Java.

"Unlike a handful of other Mac malware, Flashback does not require the user to click an actual executable file," said Valasek. He pointed out three Java vulnerabilities that let Flashback do its dirty work.

CVE-2011-3544 "allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability."
CVE-2008-5353 "allows remote attackers to run untrusted applets and applications in a privileged context."
CVE-2012-0507 doesn't have an official description, as it is still under investigation, but it is Java-specific.

"Not only are they all Java vulnerabilities, but they’re not your typical 'memory corruption' vulnerabilities," said Valasek. "Memory corruption vulnerabilities usually require some very application- or OS-specific information to execute code on a remote machine. These Java vulnerabilities, on the other hand, only require executing Java code or providing a pre-compiled executable."

Worse yet, these aren't new problems. Valasek noted that "all of these vulnerabilities have had public exploits available for a while. This means that the malicious attackers didn’t have to spend the time writing their own exploits."

Like Kaspersky's Roel Schouwenberg, Valasek chastised Apple for its slow response. "All of these vulnerabilities are patched in the Windows version of Java. Unfortunately, Mac typically is a few weeks behind with Java patches. This leaves OSX users vulnerable to known, patched vulnerabilities for quite some time after public disclosure. Imagine having to wait 2 months for Windows Update to have the correct patches."

"It’s not that Mac has ever been virus 'bullet proof'," Valasek continued. "The malware... was just behind the times when compared to Windows. Now that the malware is being distributed via the browser through exploits derived from public examples, they tend to be on par with the Windows world (of malware)."

"Welcome to the club OSX, it’s nice to meet you," he concluded.

Apple did finally issue patches for these vulnerabilities last week. Just yesterday they announced that a detection and removal tool for Flashback is in the works, without specifying a release date. If Apple's security team doesn't start addressing flaws more expeditiously, they risk losing what's left of MacOS's reputation for security.

About Our Expert

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.

Read the latest from Neil J. Rubenking

Read full bio