Snow Leopard users most prone to Flashback infection

Russian AV firm's data also shows that 28% of Lion users are running out-of-date OS

Of the Macs that have been infected by the Flashback malware, nearly two-thirds are running OS X 10.6, better known as Snow Leopard, a Russian antivirus company said Friday.

Doctor Web, which earlier this month was the first to report the largest-ever malware attack against Apple Macs, mined data it's intercepted from compromised computers to come up with its findings.

The company, along with other security vendors, has been "sinkholing" select command-and-control (C&C) domains used by the Flashback botnet -- hijacking them before the hackers could use the domains to issue orders or update their attack code -- to both estimate the botnet's size and disrupt its operation.

In a Friday blog post, Doctor Web published an analysis of the communications between 95,000 Flashback-infected Macs and the sinkholed domains. Those communication attempts took place on April 13, more than a week after Doctor Web broke the news of the botnet's massive size.

Flashback has used a critical vulnerability in Java to worm its way onto Macs. Although Apple, which continues to maintain Java for its OS X users, patched the bug in early April, it did so seven weeks after Oracle disclosed the flaw when it shipped Java updates for Windows and Linux.

Not surprisingly, 63.4% of the Flashback-infected machines identified themselves as running OS X 10.6, or Snow Leopard, the newest version of Apple's operating system that comes with Java.

Snow Leopard accounted for the largest share of OS X last month, according to metrics company Net Applications, making it the prime target of Flashback.

Leopard, or OS X 10.5, is the second-most-common Flashback-infected operating system, said Doctor Web: 25.5% of the 95,000 Macs harboring the malware ran that 2007 edition.

Apple bundled Java with Leopard as well, but unlike Snow Leopard and Lion, it no longer ships security updates for the OS, and so has not updated Java on those Macs.

Last month, Leopard powered 13.6% of all Macs.

But while Snow Leopard's and Leopard's infection rates are higher than their usage shares, the opposite's true of OS X 10.7, or Lion. The 2011 OS accounted for 39.6% of all copies of OS X used last month, yet represented only 11.2% of the Flashback-compromised Macs.

That disparity seems to validate Apple's 2010 decision "deprecate" Java, or stop bundling the software with OS X. Lion was the first to omit Java, although users have been free to download and install it themselves.

The lower Flashback-infection rate on OS X Lion (at far right) shows Apple's decision to dump Java was a smart one. (Data: Doctor Web and Net Applications.)

Doctor Web did not connect those dots in its analysis, but the numbers make clear that versions of Mac OS X that included Java -- Snow Leopard and Leopard -- are much more likely to be infected by Flashback. Conversely, Lion -- by default, sans Java -- is significantly more resistant to the malware.

The Russian company's data also showed that many Mac users don't keep their machines up-to-date, something ZDNet blogger Ed Bott noted on Friday.

Twenty-four percent of the Snow Leopard-infected Macs were at least one update behind, 10.4% were three or more behind, and 8.5% were four or more behind.

Lion users were no better patch practitioners: 28% were one or more updates behind.

Of course, not all Windows users patch, either. According to Qualys, which regularly examines several hundred thousand PCs, 5% to 10% of business Windows machines never receive any given update.

Qualys has seen some Microsoft updates be ignored by 20% to 30% of Windows PCs for four months or longer.

But by Doctor Web's data, Mac users are even less likely to update promptly, or even at all. OS X 10.6.7, the second-to-last update for Snow Leopard, was first issued 13 months ago, yet 9% of the infected Snow Leopard Macs run that version.

To protect Snow Leopard and Lion systems from the Java-exploiting Flashback, users should launch Software Update from the Apple menu and download this month's Java updates. Software Update will also serve the newest version of those operating systems to Macs running outdated editions.

People running Leopard can disable Java in their browser(s) to stymie attacks.

Later this year, Oracle will release Java 7 for OS X. Mac users who upgrade to Java 7 will then receive security updates directly from Oracle, not from Apple.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

This story, "Snow Leopard users most prone to Flashback infection" was originally published by Computerworld.

Top 10 Hot Internet of Things Startups
Join the discussion
Be the first to comment on this article. Our Commenting Policies