Flashback has put approximately six hundred thousand Macs into a botnet over the past month, which is the structural end of "Macs don't get viruses" as a defensive position. Apple released Java patches on the third of April and a dedicated removal tool on the twelfth — the timeline is uncomfortable enough that I want to write the incident down before it gets sanitised by the vendor messaging.
The technical history is straightforward and depressing. Flashback first appeared in September 2011 as a fake Flash Player installer that asked users for administrator credentials and installed itself with full system access. That vector worked but was relatively limited, because users had to actively run the installer and supply admin credentials. The interesting development came in mid-March 2012, when the Flashback operators retooled the malware to exploit CVE-2012-0507, a Java vulnerability that Oracle had patched on 14 February 2012 but which Apple had not yet pushed to OS X. The exploit allowed Flashback to install itself silently from a compromised website with no user interaction beyond visiting the page; the six-hundred-thousand-host infection figure landed by early April, with the count coming from Russian security firm Dr.Web on the 4th and corroboration from Kaspersky and others over the following week.
The operational question is why Apple took six weeks to ship the Java patch that Oracle had released on 14 February. The honest answer is that Apple's Java distribution model — Apple has, historically, distributed its own custom build of Java for OS X rather than letting Oracle's installer run — means that every Java security patch requires Apple's separate engineering work to integrate, validate, and release. The model worked badly for several years before Flashback and is, on present evidence, going to change: Apple announced last year that they were transitioning Java distribution to Oracle directly for OS X 10.7 and later, and this incident is going to accelerate that transition. The Mac users running OS X 10.6 and earlier — which is a meaningful proportion of the install base — remain dependent on Apple's slower release cadence for Java patches and will, presumably, continue to be vulnerable to Java-based exploitation until they upgrade their OS or stop using Java entirely.
The "Macs are immune" framing has been wearing thin for several years. Apple's marketing has been quietly walking it back since the Get a Mac advertising campaign ended in 2009; the "Macs don't get viruses" line has not been part of the official messaging for some time. But the consumer perception has been slow to follow the marketing, and the number of Mac users who run without antivirus software, who do not check for security updates, and who treat their Mac as a "secure platform" because it is "different from Windows" — that population has not been small. Flashback at six hundred thousand hosts is the data point that confirms what the security community has been saying for a couple of years: OS X is sufficiently widely deployed that it is operationally worth attacking, and the defensive culture in the Mac user population has not caught up with the threat profile.
For the engagements I run, this matters less than the press coverage suggests, because I have been advising clients to treat OS X laptops as the same threat profile as Windows laptops for some time. The defensive controls — endpoint protection, patch management, removal of unnecessary browser plug-ins — have been the same regardless of platform. The Mac-specific implementations of those controls have been less mature than the Windows equivalents, but that is a tooling problem rather than a strategic one. Several of the secondment clients run substantial OS X estates — Browne Jacobson's partners are mostly on MacBook Airs, the editorial side at News International runs a lot of Mac, both Towry and Northcott have OS X laptops in scope — and the post-Flashback conversation has been "what is your Mac patch-management posture", which most clients have an answer to but not always a satisfactory one.
The broader piece I want to come back to is what happens to the threat landscape now that the Mac install base is operationally interesting to attack. The technical answer is that the OS X attack surface is, in 2012, less mature than the Windows attack surface from a defender's perspective — fewer vendors providing endpoint protection, less mature patch-management tooling, less developed enterprise-management infrastructure. The attacker community has been slower to invest in Mac exploitation precisely because the install base was smaller; that calculation is now changing, and I expect to see substantially more Mac-targeted malware over the rest of 2012 and into 2013. The defensive infrastructure is going to need to mature in parallel.
The next post will probably be the Hedgehog SOC discussion, which has now reached the "actually deciding" phase. Or the Flame analysis, if CrySyS Lab gets further with what they have been hinting at for the past two months — there are persistent rumours that the next state-grade malware piece is in their hands and will be published soon.