Friday, April 6, 2012

Flashback

Rich Mogull:

The significant thing is that, unlike almost all other Mac malware we’ve seen, Flashback can insinuate itself into your system if you merely visit an infected webpage and are using vulnerable software. You do not need to enter your administrative password or to manually install anything.

[…]

The vulnerability in Java that Flashback exploits was patched in February by Oracle (which inherited Java as part of its acquisition of Sun Microsystems). But Apple waited nearly two months to update OS X with that patched version.

This is the single biggest security issue for Macs. OS X includes a number of software components from third-party vendors and the Open Source software community, and Apple has a terrible track record in updating those components. When a vulnerability becomes publicly known because it’s been patched on another platform, but it isn’t patched on another, the bad guys have a straight-line roadmap to compromising that unpatched system.

In recent years, I’ve only used Java for CrashPlan, so I had it turned off in the browser. And, as it happens, Macs with Xcode or Little Snitch installed are not vulnerable.

The previous incarnation of Flashback was a Trojan horse that masqueraded as an installer for Flash. The interesting thing about that attack vector is that neither sandboxing nor Gatekeeper would be able to protect against it.

6 Comments

"The previous incarnation of Flashback was a Trojan horse that masqueraded as an installer for Flash. The interesting thing about that attack vector is that neither sandboxing nor Gatekeeper would be able to protect against it."

Just security theater to protect the velvet rope revenue stream. We're all clear on this, no?

"The vulnerability in Java that Flashback exploits was patched in February by Oracle ... But Apple waited nearly two months to update OS X with that patched version."

See. They've just got to lock down the platform to stop these 60 day exploits.

"In recent years, I’ve only used Java for CrashPlan, so I had it turned off in the browser."

I've got a bunch of apps that require Java. But I turned Java off in the browser by default back in the '90s. If I ever need to visit a trusted site that depends on Java, which I don't these days, I'd use a Fluid-style single instance browser app.

"And, as it happens, Macs with Xcode or Little Snitch installed are not vulnerable."

I like the Little Snitch angle for two reasons:

1) It shows good form on the part of the malware writers. They respect Little Snitch. Good on them.

2) It shows that a Little Snitch approach, which provides users with fine-grained control over what users want to let their apps do, is actual security, as opposed to the security theater approach that Cupertino takes for their own non-security reasons.

"The interesting thing about that attack vector is that neither sandboxing nor Gatekeeper would be able to protect against it."

It's probably the case that Gatekeeper will not protect against this but all the Mac zealots (including Mogull) are saying it surely will protect against that kind of attack:

"Gatekeeper will significantly change the game for manually installed trojans when it’s released later this year; it will make that form of attack much less profitable (and thus less likely)." (From Macworld article).

It's also interesting to see what kind of solutions people are suggesting in this case:

- running command line instructions to check for infections. Seriously?

- disabling Java to be protected. Well, turning off the computer works too.

Personally, what I would like to know is not which tools or solutions can detect it but which tools can repair an infected system. Because manual instructions are OK for advanced users but for mainstream users, they are not.

@bob I found that line from Mogull’s article rather strange. It seems carefully worded so as to avoid saying that Gatekeeper would have protected users from this Trojan, but he wants to say that it will make a difference against others.

Just to be clear, my understanding is that Gatekeeper only affects applications (.app folders). Thus, the first form of Flashback would have been immune because it was an installer (a document for Apple’s Installer.app, the same one that users trust to install iTunes and other apps). And the recent form would be immune because it exploited a Java vulnerability that used existing, trusted processes to execute arbitrary code.

It’s not clear to me how trusting users will be of Gatekeeper’s warnings. But, assuming that it works in that respect, I assume that Trojan authors would simply switch to producing installer packages. Apple will probably end up making Installer warn about packages not signed by an Apple key.

"It’s not clear to me how trusting users will be of Gatekeeper’s warnings. But, assuming that it works in that respect, I assume that Trojan authors would simply switch to producing installer packages. Apple will probably end up making Installer warn about packages not signed by an Apple key."

I'd be astonished if, under the Gatekeeper release, unsigned installed packages don't get the "x has not been signed by a recognized distributor and may damage your computer. You should move it to the Trash" dialog box.

I'd assume malware authors will likely just keep doing what these folks did - target some known exploit in middleware, or target some known exploit in the open source portions of the OS - since Apple hasn't historically been willing to roll out patches in anything like a timely manner after the exploits are known and patches are available, no?

But who knows if Flashback is a proof of concept or a trend. I mean, targets like this have been available for years, and this is the first time anyone bothered. Market share is still utterly dwarfed by the other Cola, so unless there is real and significant value-add in attacking a better demographic, malware writers could still end up leaving security via obscurity in place. (Or Apple could decide to spend pennies to do timely updates for known and patched exploits.)

One does have to admire Apple's security policy when lapses occur.

Sending police impersonators to the wrong house to intrusively search for a lost phone prototype was good fun and all, but trying to shut down the domain of the folks who alerted them to the Flashback malware is far better.

Installation packages will have to be signed too.
