Information Security News
mailing list archives
Apple Delays, Hackers Play
From: InfoSec News <alerts () infosecnews org>
Date: Mon, 16 Apr 2012 00:52:24 -0500 (CDT)
Forwarded from: Simon Taplin <simon (at) simontaplin.net>
By Jordan Robertson
April 12, 2012

Jeroen Frijters describes himself as an “accidental” hacker, a guy who
trips over security holes the way a pedestrian stumbles over a sidewalk
crack. In July the Dutch software engineer discovered the Grand Canyon
of sidewalk cracks: a serious vulnerability in Java, one of the most
widely used programming languages and a building block of many websites.
He reported the flaw to Oracle (ORCL), which oversees Java.

About nine months later, that bug has enabled the largest malware attack
ever to target Apple (AAPL) computers. Since the end of March, more than
600,000 Macs have been infected by a virus known as Flashback. The
attack, disclosed on April 4 by a little-known Russian antivirus company
called Doctor Web, has mainly affected computers in the U.S. That
includes a few hundred Macs in Apple’s hometown of Cupertino, Calif.,
suggesting some employees at the world’s most valuable company may have
caught the virus. The incident has shattered the sense of
invulnerability felt by many users of Apple products, which generally
face fewer security risks than those running Windows.

Even more dismaying to Apple fans: The company may have been able to do
a lot more to prevent the outbreak. Oracle works closely with Microsoft
(MSFT) on security issues, and after the company developed a fix for 14
security holes, including the one Frijters discovered, it released a
software patch directly to Windows users in mid-February. Those patches
are like beacons for criminals, who compare the code before and after
the fix to home in on the underlying flaw and then develop ways to
exploit it on unpatched computers. Apple, which insists on issuing its
own Java patches, waited nearly two months before distributing a fix.
The company has announced it’s working on software to detect and remove
the malware from infected machines.

“Waiting that long was unacceptable given the severity of the
vulnerabilities,” says George Kurtz, former chief technology officer of
antivirus software maker McAfee (INTC) and now chief executive officer
of CrowdStrike, a security startup. It’s not clear why Apple didn’t work
with Oracle to release a patch earlier, but Kurtz says it’s in line with
the tech giant’s famed desire for control. “Apple marches to the beat of
its own drummer,” he says. “It makes great hardware, it makes great
software, and it controls everything from start to finish. I don’t think
it likes doing anything that’s not on its own timeline.” Apple and
Oracle declined to comment.

The malicious code is from a family of password-stealing programs
originally spotted last year, says Liam O Murchu, manager of operations
for Symantec’s (SYMC) security response unit. The owners of infected
computers could be exposed to identity theft and fraud. Doctor Web
reports the virus can also alter Google search results, displaying spam
links instead of actual ones.