Mac OS X may be more secure than Microsoft Windows in some ways, and it certainly has fewer attacks aimed at it, but it’s not invulnerable. Reports are emerging that as many as 600,000 Macs have been compromised by a Trojan horse.
The Flashback Trojan was discovered in August of last year. The malware masquerades as a Flash Player update, but when executed it exploits a flaw in Java to infect the system and make it part of a Mac botnet.
Cyber criminals develop attacks for the low-hanging fruit. They want malware with the widest pool of potential victims, and the greatest possible return–either financial, or information that can be sold for financial gain. Apple has been flying under the radar of relevance for years from a malware developer's perspective, but as the popularity of Mac OS X increases, so does its value as a malware target.
“There has been a significant increase in Mac malware in the last several quarters, so what we’ve seen with the Flashback Trojan isn’t particularly surprising. Attackers are leveraging years of success from writing PC malware and they’re doing the same thing in the Mac world,” said Dave Marcus, director of advanced research and threat intelligence at McAfee Labs.
That may be true. But in this case, it seems that Apple’s own hubris has contributed to the scope of the problem as much as or more than the malware itself. The threat has been known for months. It has been somewhat common knowledge–at least in security circles–that attacks were being targeted at Mac OS X systems. But Apple was silent.
Oracle issued a patch for the underlying Java vulnerability in February. Apple just pushed out an update to address the Java flaw last week–two months later. While Mac users waited for a fix, malware developers continued to target and exploit vulnerable Mac systems. Even if Apple wasn’t ready to issue a patch earlier, it had an obligation to its users to communicate the risk and make users aware of the threat and steps to take to avoid becoming a victim.
Andrew Storms, director of security operations for nCircle, faults Apple’s head-in-the-sand approach to security for letting this threat spread as far as it has. “This malware has been circulating for months. Even though Apple didn’t have the Java patch available for distribution they certainly could have warned their users. Apple’s closed-mouth policy regarding OSX security issues played a direct role in a malware infection affecting hundreds of thousands of Macs.”
Storms chastises, “Bad policy Apple–step up your game.”