Jeroen Frijters describes himself as an “accidental” hacker, a guy who trips over security holes the way a pedestrian stumbles over a sidewalk crack. In July the Dutch software engineer discovered the Grand Canyon of sidewalk cracks: a serious vulnerability in Java, one of the most widely used programming languages and a building block of many websites. He reported the flaw to Oracle, which oversees Java.
About nine months later, that bug has enabled the largest malware attack ever to target Apple computers. Since the end of March, more than 600,000 Macs have been infected by a piece of malware known as Flashback. The attack, disclosed on April 4 by a little-known Russian antivirus company called Doctor Web, has mainly affected computers in the U.S. That includes a few hundred Macs in Apple’s hometown of Cupertino, Calif., suggesting some employees at the world’s most valuable company may have been infected. The incident has shattered the sense of invulnerability felt by many users of Apple products, which generally face fewer security risks than those running Windows.
Even more dismaying to Apple fans: The company may have been able to do a lot more to prevent the outbreak. Oracle works closely with Microsoft on security issues, and after Oracle developed fixes for 14 security holes, including the one Frijters discovered, it released a patch directly to Windows users in mid-February. Such patches are like beacons for criminals, who compare the code before and after the fix to home in on the underlying flaw and then develop ways to exploit it on computers that haven’t been updated. Apple, which insists on issuing its own Java patches, waited nearly two months before distributing a fix. The company has announced it’s working on software to detect and remove the malware from infected machines.
“Waiting that long was unacceptable given the severity of the vulnerabilities,” says George Kurtz, former chief technology officer of antivirus software maker McAfee and now chief executive officer of CrowdStrike, a security startup. It’s not clear why Apple didn’t work with Oracle to release a patch earlier, but Kurtz says it’s in line with the tech giant’s famed desire for control. “Apple marches to the beat of its own drummer,” he says. “It makes great hardware, it makes great software, and it controls everything from start to finish. I don’t think it likes doing anything that’s not on its own timeline.” Apple and Oracle declined to comment.
The malicious code is from a family of password-stealing programs originally spotted last year, says Liam O Murchu, manager of operations for Symantec’s security response unit. The owners of infected computers could be exposed to identity theft and fraud. Doctor Web reports the virus can also alter Google search results, displaying spam links instead of actual ones.
Boris Sharov, CEO of Doctor Web, says the number of infected machines started leveling off soon after Apple’s software update. Normally, new patches temporarily cause an uptick in attacks since they publicize the underlying flaw, and not all users update their computers at once. Apple may have been helped by its practice of distributing patches to all of its machines, even those using pirated software, and frequently reminding users when they have updates waiting. Also, Apple stopped installing Java by default last year, putting fewer computers at risk.
Sharov says the most likely explanation for the abrupt end to the malware’s spread is that the criminals gave up. To operate, the malware must be able to send data to, and receive commands from, remote command-and-control servers run by the attackers. Once Flashback was discovered, security researchers and Apple began identifying those servers and shutting them down. (In its zeal to stem the outbreak, Apple accidentally tried to take down a Doctor Web server that was mimicking the hackers’ command-and-control machines, a technique known as sinkholing, in order to study the malware.) Frijters says the debacle should be a wake-up call for Apple. “I think it’s pretty lame that they can’t manage a coordinated release with Oracle,” he says. “They seem to believe in their own marketing message, that Macs can’t get viruses.”
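The mechanism described in the paragraph above, in code, as an added example that is not part of the original article and is not Flashback's own code: a toy date-seeded domain-generation routine stands in for the way a bot locates its command-and-control servers, a defender who has reversed that routine precomputes and registers the coming days' domains first (a sinkhole, of the kind Doctor Web operated), and a parser over constructed beacon log lines counts infected machines by a per-host identifier rather than by source address. The generation algorithm, its seed and TLD rotation, the log line format and the "id:<uuid>" User-Agent convention are all assumptions of this example; Flashback's real wire format is not described on this page.

```python
import datetime as dt
import hashlib
import re
from collections import Counter

# Everything in this block is an added illustration: the DGA, the beacon format
# and the log lines are constructed for the example and are not Flashback's
# real algorithm or protocol.
TLDS = ("com", "net", "org")  # assumed TLD rotation for the toy DGA
SEED = b"example-seed"        # assumed secret baked into the bot


def dga_domains(day: dt.date, count: int = 3, seed: bytes = SEED):
    """Toy date-seeded DGA: the bot derives today's candidate C2 hostnames
    from a hash of (seed, date, index) and tries them in order."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        domains.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return domains


def sinkhole_targets(day: dt.date, horizon_days: int = 7):
    """A defender who has reversed the DGA can precompute and register the
    domains the bots will contact over the coming days before the attackers do."""
    return [d for n in range(horizon_days)
            for d in dga_domains(day + dt.timedelta(days=n))]


# Constructed log format: <ts> <src-ip> GET <path> HTTP/1.x "<user-agent>" host=<host>
BEACON_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) GET (?P<path>\S+) HTTP/1\.\d '
    r'"(?P<ua>[^"]*)" host=(?P<host>\S+)$')
# Assumed bot convention: a stable per-host UUID carried in the User-Agent as "id:<uuid>".
BOT_ID_RE = re.compile(r'id:([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})', re.I)


def parse_beacon(line: str):
    """Return the fields of one bot beacon, or None for malformed lines and for
    ordinary clients (crawlers, other researchers) that carry no bot id."""
    m = BEACON_RE.match(line)
    if not m:
        return None
    bot = BOT_ID_RE.search(m["ua"])
    if not bot:
        return None
    return {"ts": m["ts"], "ip": m["ip"], "host": m["host"], "bot_id": bot.group(1).lower()}


def summarize(lines, sinkholed):
    """Count infected hosts seen at the sinkhole. Deduplicate on the bot id,
    not the source IP: one laptop roams across addresses, and many machines
    share one NAT address, so IP counts mislead in both directions."""
    sinkholed = set(sinkholed)
    bot_ids, ips, per_host, ignored = set(), set(), Counter(), 0
    for line in lines:
        b = parse_beacon(line)
        if b is None or b["host"] not in sinkholed:
            ignored += 1  # noise, or traffic to a domain we do not control
            continue
        bot_ids.add(b["bot_id"])
        ips.add(b["ip"])
        per_host[b["host"]] += 1
    return {"unique_bots": len(bot_ids), "unique_ips": len(ips),
            "beacons_by_host": dict(per_host), "ignored": ignored}


DAY = dt.date(2012, 4, 5)
SINKHOLED = sinkhole_targets(DAY)
_today = dga_domains(DAY)[0]
# Constructed sample log (RFC 5737 documentation addresses, invented UUIDs).
SAMPLE_LOG = [
    f'2012-04-05T12:00:01Z 203.0.113.7 GET /index.php HTTP/1.1 "id:0d3a6f2e-1c4b-4a8e-9f11-3c2b1a0f9e8d;v:1" host={_today}',
    f'2012-04-05T12:00:02Z 203.0.113.7 GET /index.php HTTP/1.1 "id:7b9e4c1d-52aa-4d3f-8e20-6fa1b2c3d4e5;v:1" host={_today}',  # second bot behind the same NAT
    f'2012-04-05T13:10:00Z 198.51.100.20 GET /index.php HTTP/1.1 "id:0d3a6f2e-1c4b-4a8e-9f11-3c2b1a0f9e8d;v:1" host={_today}',  # first bot again, new IP
    f'2012-04-05T15:45:30Z 198.51.100.21 GET /index.php HTTP/1.1 "id:0d3a6f2e-1c4b-4a8e-9f11-3c2b1a0f9e8d;v:1" host={_today}',  # and a third IP
    f'2012-04-05T16:00:00Z 192.0.2.9 GET /index.php HTTP/1.1 "id:c0ffee00-1111-4222-8333-444455556666;v:1" host=c2.attacker.example',  # domain we do not hold
    f'2012-04-05T16:30:00Z 192.0.2.50 GET / HTTP/1.1 "Mozilla/5.0 (compatible; crawler)" host={_today}',  # no bot id: ignored
    'garbage line that a real log would also contain',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, SINKHOLED))
```

Run stand-alone, the block reports two distinct bots across three source addresses, with the crawler, the malformed line and the request to a domain outside the sinkhole set discarded. Counting source IPs instead would have reported three infections, and the shared NAT address would have hidden one of the two real bots; the per-host identifier is what makes a sinkhole's infection count meaningful.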