Source of Apple's malware problem: arrogance, negligence, contempt

Blaming others for the problems you've caused them is not the most realistic way to analyze a risk

More bad news today for Mac users and fanbois, many of whom appear to be trapped in a series of contradictory, self-limiting denials over the growing threat to Apple operating systems and devices from malware: The morning after Apple declared the malware threat over by issuing a patch to counter the botnet-building Flashback malware, a new piece of malware called SabPub began breaking into machines running OS X, using the same Java flaw blamed for the last wave of Mac malware.

On Saturday, researchers at Kaspersky Lab confirmed a new "custom OS X backdoor, which appears to have been designed for use in targeted attacks," according to Kaspersky's Costin Raiu.

The backdoor arrives via a custom Java applet whose job is to drop and install it; the applet itself is obfuscated so that antivirus products do not recognize the exploit code.

In the instance identified Saturday the payload was named Backdoor.OSX.SabPub; the installer was a "pretty standard" Java exploit detected as Exploit.Java.CVE-2012-0507.bf, which was disguised using ZelixKlassMaster, "a flexible and quite powerful Java obfuscator," Raiu wrote.

Once it's installed, SabPub phones home to a command-and-control server tied to the "Luckycat" campaign, which was used in earlier Mac attacks as well.

Where the attack comes from is still a mystery, though it may have arrived in emails containing URLs pointing to web sites hosting the exploit. SabPub's nature as a backdoor suggests it is designed to attack specific groups or individuals rather than to serve as a general-purpose threat, Raiu wrote.

SabPub exploits the same Java vulnerability, CVE-2012-0507, that Flashback used earlier to build a botnet of roughly 700,000 machines.

The update Apple issued to plug the hole contained code to remove the malware and to deactivate the Java Web Start plugin, "effectively disabling Java applets in browsers" on OS X machines, Raiu wrote.

Disabling Java applets in browsers across a whole operating system is a pretty dramatic step, one that shows Apple recognized a sudden, widespread infection of Macs as a serious problem that had to be dealt with, even though its first reaction was to bully the Russian security company that discovered the threat in the first place.

Russian anti-virus vendor Doctor Web identified Flashback April 4, published its findings and sent all its data on the new threat to Apple and never heard a direct word from Apple, according to quotes from Doctor Web CEO Boris Sharov in Forbes.

Apple did try to get one of Doctor Web's servers shut down by claiming it was distributing the malware rather than collecting it, however.

Super-secretive, mildly fascistic Apple is known for refusing to acknowledge its faults and for trying to resolve crises by pressuring critics to shut up about them rather than fixing anything.

In this Apple has always had the assistance of fanbois willing to launch ad hominem attacks on anyone they perceive as critical of the oppressed peoples of the Macintosh, whether or not the criticism is fair or whether Mac users were ever actually oppressed.

At Infoworld blogger Roger Grimes reports a wave of criticism following his entirely non-confrontational suggestion that a 700,000-user botnet might be reason enough for Mac users to realize their OS is as vulnerable to malware as any other, and that the danger from it was growing.

The criticism wasn't about his largely inarguable assertions that malware for the Mac exists and it might be a good idea to do something about it.

The destructive quality of Apple fanboi iSmugness

Critics don't seem to have addressed either Grimes or Flashback directly.

Instead they spent most of their effort trying to make Apple look good by smearing everything else in sight.

Apple responds better to malware threats than Microsoft does, they said, for example, even though it had never had to respond to one before, and despite Apple's tacit encouragement, before Flashback, of the mistaken belief that Macs aren't vulnerable to viruses.

Others insisted Flashback was Java's fault for being used to deliver malware, not OS X's fault for being infected, and that OS X was even less at fault because Flashback was a Trojan that tricked users into installing it.

Since Java is Oracle's, Flashback is Oracle's fault, critics said, even though Oracle fixed that particular flaw in February and Apple didn't get around to shipping the fix until after Flashback was discovered in April, Grimes pointed out.

Java has an "exalted place" in the hearts of malware writers because nearly every browser has it installed and lots of users pay no attention to it, according to Dennis Fisher, a disappointingly un-hysterical security reporter who writes for Kaspersky's ThreatPost.

"The same ubiquity that makes Java a useful tool for developers and site owners makes it a highly attractive target for the bad guys," Fisher wrote late last week.

Apple doesn't let Oracle send updates or patches for Java directly to Mac users, Fisher wrote. Apple prefers to build and ship the updates itself, maintaining control over its operating environment and minimizing errors or incompatible builds from third-party developers, and, incidentally, leaving customers more vulnerable to malware for as long as its own update lags Oracle's.

Too much need for control, too little respect for results

Grimes and Infoworld (despite the presence among its senior editorial staff of several openly Mac-using editors who would be in ideal positions to force the Mac agenda down the throats of Middle America should they choose) have consistently acknowledged the comparative lack of malware as an advantage for Mac users.

They've also consistently warned that, happy a coincidence as it is, the lack of malware for a popular system is more a risk than a benefit. It's a vacuum waiting to be filled by enterprising malware writers at the moment complacent Mac users become most complacent.

"If anything, Macs have more known vulnerabilities – by far – than Windows and are often patched slower. You can check any independent security vulnerability database you like to see the figures," Grimes wrote in 2009.

Market share, not virtue, kept Macs from being attacked as energetically as Windows, Grimes wrote, though that opinion appeared so frequently in so many publications between 2008 and 2012 that it clearly owed more to common sense than uncommon wisdom. Even the New York Times made the point, on April 7, 2009.

It wasn't until Apple made the mistake of taking over the mobile-computing world with iPhones and iPads that hackers and malware writers began to think there might be enough Mac-compatible things out there to make hacking a Mac worth the effort.

Some of the bitterness behind readers dismissing a botnet containing 700,000 Macs may have been due to Grimes' status as a security guru for Microsoft.

Non-'softies get the same treatment, however, and both Apple and its acolytes still accuse anyone who criticizes either Apple or the Mac of being biased against the One True Operating System or of being in thrall to Microsoft.

The reflexive flaming of any anti-Apple column has been so common for so long it has been a truism among tech columnists for more than two decades that the quickest way to gin up something that looks like controversy is to write a column critical of Macs.

The response was so consistent and the phrasing so uniform (like listening to Republican talking points serendipitously appearing verbatim on 100 talk-radio stations at the same time every single day) that it stopped even being funny.

Long before Apple surged past Microsoft in the competition for Who Matters Most, fanboi bile morphed from principled to irrelevant to, eventually, sad.

Unfortunately, when Mac malware is multiplying faster than iPhones in the office after Christmas, keeping up the tradition of peeing all over the shoes of anyone who criticizes Apple isn't just pathetic, it's dangerous.

Nothing bad can ever happen if you keep thinking how insanely great you are

All that rejection of the idea that Macs are vulnerable has made Mac users even more lax about security updates than users of Windows or other operating systems.

"50% of all visitors of our Online #FlashbackChecker http://flashbackcheck.com are running a vulnerable version of Java," Aleks Gostev, chief security expert at Kaspersky, tweeted last week.

Fifty percent is ridiculously high for a runtime that most users should have set to receive automatic updates, and for a flaw whose fix Oracle had shipped two months earlier.

And that underestimates the share of vulnerable machines, probably by quite a lot. Only users who have already heard about the Flashback malware, are confident enough to check for security updates on their own and are savvy enough to hunt up an online checker will even register on Flashbackcheck; the self-selected sample is biased toward the careful.

That means a large majority of Mac users are still vulnerable, even though Flashback is the most publicized bit of malware since Stuxnet and Apple has already issued a patch to counter it (mostly).
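What Flashbackcheck was doing for visitors can be done locally by an admin who wants to know whether a fleet of Macs still runs a Java build that predates the CVE-2012-0507 fix. The script below is an added example, not code from the article, from Kaspersky or from Apple. It assumes the first fixed builds are Java SE 6 Update 31 and Java SE 7 Update 3 (Oracle's February 2012 Critical Patch Update; Apple shipped the 6u31 equivalent as 1.6.0_31 in "Java for OS X 2012-001"), and it parses the banner that `java -version` prints to stderr. The sample banners in the file are constructed for illustration.

```python
"""Classify a Java runtime against the CVE-2012-0507 fix builds.

Added example, not from the article, Kaspersky or Apple. ASSUMPTION: the
first builds carrying the fix are Java 6 Update 31 and Java 7 Update 3
(Oracle CPU, February 2012). Check the vendor advisory for your platform
before relying on these numbers.
"""
import re
import subprocess
import sys

# Release line -> first update level that contains the CVE-2012-0507 fix.
FIXED_UPDATE = {6: 31, 7: 3}

# Matches the first line of a `java -version` banner, e.g.
#   java version "1.6.0_29"      (Java 6, update 29)
#   java version "1.7.0_03"      (Java 7, update 3)
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (release_line, update) from a `java -version` banner.

    Pre-Java 9 banners read "1.<line>.0_<update>"; later ones read
    "<line>.<minor>.<security>", where the update concept no longer applies.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no Java version string found in: %r" % banner)
    first, second, _third, update = m.groups()
    if first == "1":
        return int(second), int(update or 0)
    return int(first), 0


def is_vulnerable(line, update):
    """True when the runtime predates the fixed build for its release line."""
    if line < 6:
        return True          # Java 5 and older never received a fix
    fixed = FIXED_UPDATE.get(line)
    if fixed is None:
        return False         # release lines that began after February 2012
    return update < fixed


def classify(banner):
    """Map a banner to 'vulnerable' or 'patched' (raises on unparseable input)."""
    line, update = parse_java_version(banner)
    return "vulnerable" if is_vulnerable(line, update) else "patched"


def local_java_banner():
    """Run `java -version` and return its banner; it is printed to stderr."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return proc.stderr + proc.stdout


# Constructed sample banners, in the shape OS X and Oracle builds printed them.
SAMPLE_BANNERS = {
    "mac-6u29": 'java version "1.6.0_29"\n'
                'Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-11M3527)',
    "mac-6u31": 'java version "1.6.0_31"\n'
                'Java(TM) SE Runtime Environment (build 1.6.0_31-b04-413-11M3623)',
    "oracle-7u2": 'java version "1.7.0_02"\n'
                  'Java(TM) SE Runtime Environment (build 1.7.0_02-b13)',
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        banner = 'java version "%s"' % sys.argv[1]   # classify a given string
    else:
        banner = local_java_banner()                  # classify this host
    print(classify(banner))
```

Run with no arguments on the host in question, or pass a version string such as `1.6.0_29` to classify it offline. Note that a patched runtime does not mean browsers are safe if applets are still enabled; Apple's removal update disabled the browser plugin for that reason, and this check says nothing about the plugin state.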

And right on Flashback's heels comes another exploit ready to take advantage of Mac users' carefully preserved naiveté, offering new entry points into those adorable little Macs and exciting new opportunities in spam broadcasting, identity theft and DDoS distribution.

Only a year ago Apple was refusing to offer support to Mac users infected by malware in the apparent belief being infected was their own fault.

That's not the attitude of a company that acknowledges the risks its customers face, let alone one that tries to minimize them.

It's the attitude of a company that never outgrew the childish arrogance that helped it survive as an underdog. It's the attitude of a company that has not even begun to understand it has obligations to its customers. Not only to protect them with good security in the OS, but to educate them on the potential risk and how to avoid it.

Apple apparently prefers simply to believe it has a limitless right to demand more loyalty and more money for the privilege of paying too much for a computer that stopped being unique a decade ago and never was insanely great.

It's the attitude of a company that fosters the most self-destructive, self-referential attitudes in its employees and its customers, the attitude of a company that cares so little for its responsibilities that it allows the people to whom it owes its existence to believe they're in no danger from the swords dangling over their heads.

Remember all the smug crowing about how safe Apple's apps store is compared to the malware-infested Android app market?

It turns out, according to a NYT piece today that "a growing volume of both customers and app developers are coming forward with claims they were defrauded directly through Apple's online store."

Somehow that weakens Apple's image as the source of all security and goodness in the computer market.

Apple's tradition of denial, but not the good kind

I have to admit I thought this malware denial and unforgivable vulnerability were relics, a lingering reputation among Mac users for being parochial and difficult.

Look at the coverage of data leaks in iOS apps, malware in the Android and Apple app markets and the routinely frank acknowledgments from even the most ardently faithful that the Mac is, indeed, a computer, and, like all computers, is as vulnerable to code written with malice as it is a beneficiary of code written with smiling eyes and open hearts.

Unfortunately that's true only of a minority of, presumably, the savvier, more practical of Mac users. Judging from blog entries, explainers and dismissals of the potential of Macs to be abused, a substantial percentage of Mac users – maybe even a majority – still believe the Mac is invulnerable to malware, or simply prefer to behave as if it is.

A year ago InfoWorld ran a Cringely column with the headline "The real Mac security threat isn't malware – it's Apple."

The sad part about that headline, for Apple customers if not Apple itself, is that the headline is as accurate now as it was a year ago. The pathetic thing is that it was just as true in 2008 and 2006 and 2000 and will probably be just as true in 2013.

Apple's malware problem isn't in the malware or the environment or even in the clueless unpreparedness of its customers (in which they're exactly equal to most Windows users).

Apple's malware problem is in its firm belief it's too special to have a malware problem and that anyone who says different is bitter and jealous and wrong.

It's not true that denial is always a bad thing. For people facing impossible odds, denial can be the only thing that allows them to preserve any hope.

Apple goes its own way on standards, however. On denial it sticks strictly with the caustic, negative, negligent variety that lets it insist it has done nothing wrong, needs to make no changes and doesn't have to worry about the little things others worry about, even though, by denying any responsibility, Apple shunts the responsibility away from itself and lays the penalty squarely on its customers.
