If you still think malware on a Mac is more myth than reality, you may want to talk to the security engineers over in Cupertino at a rather prestigious fruit company.
According to Reuters, “Apple Inc. was recently attacked by hackers who infected the Macintosh computers of some employees”.
More specifically, Apple engineers had their Mac OS X laptops infected through the same zero-day Java vulnerability that was used to infect Facebook last week.
In a statement to The Loop, an Apple spokesperson said, “The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers.”
Based on the publicly available information, this statement reaffirms that this was likely what has become known as a “watering hole attack”.
The concept is that it is much easier to compromise a site where people might frequently go than it is to assault the company directly.
Trying to break through all of the layers of protection at Facebook and Apple is going to be extremely difficult.
Yet it might be much easier to compromise the security of a small application developer’s website that Apple, Facebook and other high value targets might frequently visit.
I think it is fair to say Apple’s OS X is popular enough among people who are likely to be targeted by malware that it is no longer being neglected by the criminals behind online attacks.
Those people who have said “only dumb Mac users would voluntarily install malware” might be surprised to learn that even Apple’s own engineers can fall victim to a drive-by.
This isn’t about the capability of a user or about the kinds of websites one might choose to frequent. An unpatched vulnerability impacts all of us the same way.
This is why it is essential to run anti-virus regardless of the platform in use. It is also important to carefully monitor network traffic by using an IPS and firewall.
Things do get past anti-virus. An effective defense starts with preventing the infection in the first place, but it also means detecting the infection if you aren’t able to stop it.
People often think of their firewall as a simple blocking mechanism, but it also serves a forensic purpose.
If you are Apple or Facebook and you need to know what data may have been ferreted off to your criminal overlords, the detailed logs from your monitoring solutions are essential to the forensic investigation team.
While it might be unwieldy to keep two or three years’ worth of logging, it may well be worth your trouble if you are faced with a targeted compromise.
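The retrospective log search described above, as an added example that is not part of the original article: given retained proxy logs and the domain of a site later found to be a watering hole, it reports each internal host that visited the site and the bytes that host then sent to destinations it had never contacted before. The log format, host names and domains are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: timestamp, internal host, destination, bytes sent out.
SAMPLE_LOG = """\
2013-02-01T09:00:00 mac-eng-01 intranet.example.com 1200
2013-02-01T09:05:00 mac-eng-02 intranet.example.com 900
2013-02-01T09:10:00 mac-eng-01 devforum.example.net 800
2013-02-01T09:10:30 mac-eng-01 cdn-updates.example.org 52000000
2013-02-01T09:12:00 mac-eng-01 intranet.example.com 1500
2013-02-01T09:20:00 mac-eng-02 news.example.com 700
2013-02-02T03:00:00 mac-eng-01 cdn-updates.example.org 8000000
"""

def parse(log_text):
    """Yield (time, host, dest, bytes_out) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def hunt(log_text, watering_hole):
    """Per exposed host: time of first visit, plus bytes sent to destinations
    first seen only after that visit (candidates for C2 or exfiltration)."""
    records = sorted(parse(log_text))      # chronological order
    first_visit = {}
    known = defaultdict(set)               # destinations used before exposure
    suspects = defaultdict(lambda: defaultdict(int))
    for when, host, dest, sent in records:
        if host not in first_visit:
            if dest == watering_hole:
                first_visit[host] = when
            else:
                known[host].add(dest)
        elif dest != watering_hole and dest not in known[host]:
            suspects[host][dest] += sent
    return {h: {"first_visit": first_visit[h],
                "new_destinations": dict(suspects[h])}
            for h in first_visit}

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_LOG, "devforum.example.net").items():
        print(host, finding["first_visit"].isoformat(), finding["new_destinations"])
```

The baseline of previously known destinations is only as complete as the retained logs, so a short retention window makes every post-exposure destination look new.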
What should you do as a result of this? If you are a Mac user you should be sure to keep your computer patched. Apple stated they will be releasing a Java malware removal tool this afternoon to respond to this attack.
It is also a good idea to run an up-to-date anti-virus to detect any future attacks and to disable Java in the browser if you don’t require it for day-to-day web surfing.
To be fair, that advice applies to all computer users whether they prefer Windows, OS X or Linux. Many times staying safe isn’t convenient, but it is an investment that pays off in the long run.
If people have Java turned off, could they still be infected?
Yes.
Malware can get in by a whole range of routes. USB keys, email, shared files, intentional (but poorly chosen) downloads, badly-configured software, vulnerabilities in other parts of the browser like JavaScript, Flash or the code of the browser itself…
It just seems that in Apple's case, this now well-publicised intrusion was largely due to a buggy version of Java being enabled in the browser.
As we've written elsewhere, cybercrooks particularly like Java holes because they are often cross-platform, meaning the same bug can be used to "own" both Mac and Windows computers.
> Those people who have said "only dumb Mac users would voluntarily install
> malware" might be surprised to learn that even Apple's own engineers can
> fall victim to a drive-by.
Software engineers with Java(tm) enabled browsers should be fired and sued into oblivion.
Obviously you don't know much about Software Engineering. Java is pretty much a baseline now. You might be thinking of JavaScript.
> Software engineers with Java(tm) enabled browsers should be fired and sued into oblivion.
Unless, of course, their job is to develop more Java applets. 🙂
The advice to disable Java is completely bogus in a corporate environment. There are just too many mandatory Java applets to avoid or work around. In a day I encountered a couple of web conference schemes, two patent research websites, a Wiki, an enterprise search engine, and a performance appraisal applet.
Be careful of letting the tail wag the dog here.
The applets you mention are, strictly speaking, not *mandatory* at all. Their use of Java is the choice of the vendor, not of their users.
Look out in case you end up stuck in what you might call the "IE 6" cul-de-sac, using technology everyone else has left behind because it's "too hard" to change.
Why not turn the tables? Evaluate the performance of that appraisal applet, and see if it really does meet your security objectives.
I'd be surprised if there weren't a credible and cost-effective alternative to each of the examples you gave that doesn't use Java. That alone, of course, is no reason to switch, but it would prove the point that there's life beyond Java in the browser.