Information Security News mailing list archives

Apple Delays, Hackers Play


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 16 Apr 2012 00:52:24 -0500 (CDT)

Forwarded from: Simon Taplin <simon (at) simontaplin.net>

http://www.businessweek.com/articles/2012-04-12/apple-delays-hackers-play

By Jordan Robertson
Businessweek
April 12, 2012

Jeroen Frijters describes himself as an “accidental” hacker, a guy who trips over security holes the way a pedestrian stumbles over a sidewalk crack. In July the Dutch software engineer discovered the Grand Canyon of sidewalk cracks: a serious vulnerability in Java, one of the most widely used programming languages and a building block of many websites. He reported the flaw to Oracle (ORCL), which oversees Java.

About nine months later, that bug has enabled the largest malware attack ever to target Apple (AAPL) computers. Since the end of March, more than 600,000 Macs have been infected by a virus known as Flashback. The attack, disclosed on April 4 by a little-known Russian antivirus company called Doctor Web, has mainly affected computers in the U.S. That includes a few hundred Macs in Apple’s hometown of Cupertino, Calif., suggesting some employees at the world’s most valuable company may have caught the virus. The incident has shattered the sense of invulnerability felt by many users of Apple products, which generally face fewer security risks than those running Windows.

Even more dismaying to Apple fans: The company may have been able to do a lot more to prevent the outbreak. Oracle works closely with Microsoft (MSFT) on security issues, and after the company developed a fix for 14 security holes, including the one Frijters discovered, it released a software patch directly to Windows users in mid-February. Those patches are like beacons for criminals, who compare the code before and after the fix to home in on the underlying flaw and then develop ways to exploit it on unpatched computers. Apple, which insists on issuing its own Java patches, waited nearly two months before distributing a fix. The company has announced it’s working on software to detect and remove the malware from infected machines.

“Waiting that long was unacceptable given the severity of the vulnerabilities,” says George Kurtz, former chief technology officer of antivirus software maker McAfee (INTC) and now chief executive officer of CrowdStrike, a security startup. It’s not clear why Apple didn’t work with Oracle to release a patch earlier, but Kurtz says it’s in line with the tech giant’s famed desire for control. “Apple marches to the beat of its own drummer,” he says. “It makes great hardware, it makes great software, and it controls everything from start to finish. I don’t think it likes doing anything that’s not on its own timeline.” Apple and Oracle declined to comment.

The malicious code is from a family of password-stealing programs originally spotted last year, says Liam O Murchu, manager of operations for Symantec’s (SYMC) security response unit. The owners of infected computers could be exposed to identity theft and fraud. Doctor Web reports the virus can also alter Google search results, displaying spam links instead of actual ones.

[...]
