The perception of “malware invulnerability” on the Mac OS X operating system has basically fallen apart. A modified version of the BackDoor.Flashback trojan went into the wild earlier this year and began to rack up some impressive infection numbers. At its peak, the “BackDoor.Flashback.39” malware had found a home on more than 600,000 Macs, disguising itself as a critical Adobe Flash Player update to exploit a Java vulnerability. Once a user visited a bogus website, a chunk of JavaScript installed an executable applet on the Mac that could be activated remotely.

The malware, which was tied into a larger botnet known as “Flashfake,” operated as part of a click-fraud scam that could siphon login credentials and more sensitive information at will, as well as drive Web traffic toward sites involved in advertising campaigns. Still more perilous, the trojan could potentially be remotely updated to take advantage of additional features down the line.

Since the infection, Apple has indicated that it is working on a process for issuing Java fixes at the same time they become available for the Linux, Solaris and Windows platforms. The company has also begun to tout its Gatekeeper feature for the upcoming Mac OS X 10.8 operating system on its website, citing a greater availability of software and updates through its Mac App Store, wherein developers will be screened in advance. Once approved and uploaded to the Mac App Store, applications can be tagged with a developer’s digital signature file to help determine whether a file has been tampered with or is actually malware. Developers will need to pay an annual US$99 fee to be allowed into the sandbox sanctum of the Mac App Store, complete with its review processes and the like.
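To make concrete what a developer signature buys the user, here is an added example that is not part of the article and not Apple’s code: a detached digital signature is created over a small “installer”, and the verification step is run once against the file as shipped and once against a copy that was altered after signing. Gatekeeper itself relies on Apple-issued Developer ID certificates and the `codesign` and `spctl` tools; the self-generated RSA key pair, the sample installer and the OpenSSL commands below are stand-ins constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: a minimal detached-signature check
# of the kind Gatekeeper performs on signed applications. All keys and
# files are constructed here; OpenSSL does the signing and verification.

# verify_file PUBKEY SIGFILE FILE
# Returns 0 when SIGFILE is a valid signature over FILE under PUBKEY,
# 1 when the file was altered after signing or the signature is bogus.
verify_file() {
  if openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# run_demo
# Builds a throwaway "installer", signs it as the developer would, then
# checks the untouched file and a tampered copy as the user's machine would.
# Returns 0 only if the genuine file verifies and the tampered copy is rejected.
run_demo() {
  dir=$(mktemp -d)

  # Developer side: generate the signing key pair (constructed for the demo).
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/dev.key" >/dev/null 2>&1
  openssl pkey -in "$dir/dev.key" -pubout -out "$dir/dev.pub" >/dev/null 2>&1

  # The application being distributed (constructed sample content).
  printf '#!/bin/sh\necho "genuine installer"\n' > "$dir/installer.sh"

  # Developer signs a SHA-256 digest of the file with the private key.
  openssl dgst -sha256 -sign "$dir/dev.key" \
    -out "$dir/installer.sig" "$dir/installer.sh"

  # User side, case 1: the file as shipped. Only the public key is needed.
  genuine_ok=1
  if verify_file "$dir/dev.pub" "$dir/installer.sig" "$dir/installer.sh"; then
    genuine_ok=0
  fi

  # User side, case 2: the same file with one line appended after signing,
  # which is what a trojanised "update" amounts to. The signature no longer matches.
  cp "$dir/installer.sh" "$dir/installer-modified.sh"
  printf '# extra line added after signing\n' >> "$dir/installer-modified.sh"
  tampered_rejected=1
  if ! verify_file "$dir/dev.pub" "$dir/installer.sig" "$dir/installer-modified.sh"; then
    tampered_rejected=0
  fi

  rm -rf "$dir"
  [ "$genuine_ok" -eq 0 ] && [ "$tampered_rejected" -eq 0 ]
}

# Stand-alone use: report the outcome.
if run_demo; then
  echo "genuine file verified; tampered copy rejected"
else
  echo "check FAILED"
fi
```

On a Mac the corresponding checks for a signed application bundle are `codesign --verify --deep --strict App.app`, which validates the signature over the bundle’s contents, and `spctl --assess --type execute App.app`, which asks Gatekeeper whether it would let the app run. Note what the check does and does not establish: a valid signature proves the file is unchanged since the holder of the signing key signed it, not that the signer is trustworthy, which is the limitation Kaspersky’s Baumgartner raises later in the article.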

Yet Apple’s response to the trojan, according to industry professionals, was not what it could have been. While Oracle, the principal developer for Java, was able to isolate the vulnerability and offer a fix on Feb. 14, Apple would not release a Mac OS X version fix for the Java issue until April 3, with the company later issuing additional updates on April 12 for Mac OS X 10.6 and Mac OS X 10.7 before eventually releasing a fix for the Intel version of Mac OS X 10.5. During this time, the company advised users with older operating systems to disable Java altogether as a means of avoiding the Flashback trojan. Apple was not available for comment for this story.

In the roughly eight-week delay between the Oracle fix for the Java issue and the Apple fix for the same issue, more than 600,000 Macs had been infected, a slew of third-party software companies had begun offering fixes for Flashback, and the prevailing sentiment that Mac OS X was essentially impervious to malware had been shattered.

Yet even with Apple’s announced security changes en route, red flags concerning Mac OS X’s security have been raised. “Malware was already in the wild and infecting users, but Flashback hit critical mass in terms of the number of users infected,” said Lysa Myers, a virus hunter at security software company Intego. “Now, more people are beginning to understand that Macs have never been immune to malware, and they need to be concerned with security just as on any operating system.

“Now that Flashback has proven that OS X is a rich target market, malware authors will develop exploits and malware based on what’s found.”
Apple slow on the uptake
Perhaps the most severe point of contention has been the delay in patching the Java vulnerability exploited by the Flashback trojan, with other operating systems seeing fixes for it long before Apple delivered its solution. “It’s inexcusable at this point,” said Kurt Baumgartner, a senior researcher at Kaspersky Lab. “Apple instilled a complacent mindset in relation to the security of their products, enabling multi-month delays in updating Java components on their customers’ systems. This work is in opposition to the serious efforts other OS and software vendors have successfully pushed for software development, response and awareness.”

When asked about Apple’s response to the issue, as well as the upcoming Gatekeeper security features for Mac OS X 10.8, the experts’ opinions were mixed.

“Apple needs to ‘get’ the security religion,” said Baumgartner, who pointed out that while the Flashback trojan proved to be a slap in the company’s face, Apple has enabled Oracle to handle Java Development Kit 7 deployment on Mac OS X 10.7 as opposed to staying with its longer update cycle. He then pointed out that the company still seemed hesitant to interact with the rest of the security community, including outfits such as Adobe, Facebook, Google and Microsoft.

“Also, Gatekeeper may provide another hurdle for malware writers to hop over, but given more market penetration, an ID is not something that raises the bar that much higher for a determined hacker. How many people have you come across on the street that would let someone else set up and use a test account in their name for $50?” said Baumgartner.

“While few things can prevent a determined, resourceful hacker from getting to your computer, the App Store makes a great deal of sense for vetting applications from the beginning,” said David Johnson, a senior security analyst with Forrester Research.

Perhaps vetting from the beginning is what’s needed. As of the writing of this article, Flashback’s developers have yet to be publicly identified, and recent installations of Mac OS X 10.6 and Mac OS X 10.7 direct users to download the most recent version of Adobe Flash Player from the Adobe website.

Chris Barylick is a veteran technology journalist and has written for outlets such as The Washington Post, Macworld, MacAddict, MacLife, PC Gamer, GamePro, Inside Mac Games, the UPI newswire, and O’Grady’s PowerPage. Chris lives in the San Francisco Bay Area and divides his time between stand-up comedy, technology journalism and tinkering with any new computer hardware within arm’s reach.