The discovery earlier this month that more than 600,000 Macs, roughly 1% of all in use, were infected with the password-stealing Flashback malware left no doubt that security could not remain an afterthought for consumers or businesses using an Apple computer. For security experts, the discovery was validation for what they had been saying for years: Hackers can break into a Mac as effectively as a Windows PC. For Mac users, the massive infection means it is time for attitudes to change. For Apple, it will no longer have the luxury of waiting weeks to fix a known vulnerability.
"They've been so used to not being targeted for so many years, anytime there is news about an infection on the Mac, it's met with a lot of disbelief or skepticism from the side of Mac users," says David Marcus, director of security research for McAfee Labs.
Like its customers, Apple will also have to adapt to a world in which cybercrooks have placed a bull's eye on its platform. Flashback exploited a vulnerability in the Java platform for running Web applications. The infection occurred weeks after Oracle, the overseer of Java, released for Windows a patch for 14 vulnerabilities, including the one exploited by the malware. Apple, which refuses to let anyone else send Java updates, didn't have its fixes out until nearly two months after Oracle. Apple released its Java patch last week. It was still needed: According to Symantec researchers, more than 140,000 Macs are still running Flashback across the world.
Apple is notoriously slow at fixing vulnerabilities. Over two days last October, the company released new versions of iTunes, iOS for the iPhone and iPad, and a new version of Mac OS X that included a huge number of security patches, some of which had been identified months earlier, according to Kaspersky Lab's security news service ThreatPost. The difference this time is that cybercriminals wasted little time in taking advantage of Apple's tardiness. "This does make you wonder whether Apple takes security as seriously as it should," Chester Wisniewski, a senior security adviser for Sophos, said in the company's blog after Apple released the Java patch long after Oracle.
Whether Apple moves more quickly in the future remains to be seen. The company doesn't discuss security of its products, so it's anyone's guess whether Flashback has the Cupertino, California-based company rethinking its strategy.
"No matter what operating system you use, you need to be thinking about security," says Liam O Murchu, manager of operations for the Symantec Security Response team. "You're not immune because you use a certain flavor of operating system."
Businesses also have to think about Mac security, if they are inclined to follow the advice of firms like Forrester Research. The market researcher last October recommended that companies support the Mac, which Forrester found was being brought from home by executives, top sales reps and other tier-one employees.
"If businesses weren't seeing the need to do risk management and endpoint protection on the Mac before, they've certainly got their proof point now," Marcus says.