Taking Responsibility for Malware

May 3rd, 2012

There’s a report this week that Microsoft’s security researchers have discovered malware that, curiously, might impact Mac users of Office. I say might, because the vulnerability was supposedly fixed back in 2009 by patching Office 2008 and Office 2004. If they weren’t patched, the exploit could potentially impact users of Mac OS versions prior to Lion.

It doesn’t appear to involve Office 2011, which had a recent SP2 update that cured a number of ills, followed by a second version that repaired an Outlook database bug introduced in the original update.

Now the problem with this story is that it gives the impression of blaming the potential for malware infection on the Mac platform, even though the infected app was built by Microsoft. That Lion is not susceptible also indicates that Apple has worked towards making OS X more secure. But, at the end of the day, only Mac users with an older version of Office, who haven’t kept it up to date, may potentially be impacted — that is, if they’re still using an older version of OS X.

I’d blame that one on Microsoft, although some might suggest that Apple needs to do more in protecting Mac users from security vulnerabilities.

This takes us back to the recent Flashback malware, said to have infected hundreds of thousands of Macs around the world. Apple is getting hit hard in some quarters for failing to deliver a fix in a timely fashion.

Now the source of this security lapse was a vulnerability in Java, an application development environment that’s owned by Oracle. Technically, it’s not a problem with OS X itself, but with a third-party product that used to be bundled with OS X. However, these days, Apple no longer includes Java (or Flash, for that matter) as part of the core OS installation. If you open sites that require either, or launch a Java app, you’ll be presented with a prompt to download and install the required software.

I suppose it would be the same as Apple being accused of lax behavior because of a Flash problem, but Adobe now handles distribution of Flash direct to users on the major computing platforms.

With Java, however, Oracle only recently took over the responsibility for ongoing development and updates for the OS X version. Until then, it was Apple’s responsibility to update in a timely fashion. At the same time, the vulnerable version of Java was patched by Oracle weeks before Apple released an update. That update wasn’t released independently by Oracle, though they should be taking on that task from here on out.

So the real question is who should be blamed for all those Flashback-infected Macs? Is there anything Apple could have done to push the release to Mac users faster, or did they have to wait for the fixed code from Oracle first, and test it to make sure that the new release didn’t cause any new problems on a Mac? I don’t pretend to have the answer, because Apple isn’t telling.

I’m glad they finally fixed the problem, although third-party malware detection tools came out first. However, Apple hasn’t been very forthcoming in their responses, or even their responsibility. Although they don’t exactly tell Mac users that they do not need to install security software, they don’t make a big case in support of such a move.

Yes, the Gatekeeper feature in OS X Mountain Lion will make it more difficult to run potentially infected apps, assuming two of the three options are selected. The third will give you no warning of any potential problem. But Gatekeeper would not have prevented a Mac from being infected with Flashback which, in later versions, was available as a drive-by applet that would open in a Web browser. Only disabling the ability to run Java applets would have prevented that from happening until the Java fix was in.

Certainly, Apple is taking measures to make OS X more secure. The sandboxing feature, which will soon be required of all apps available from the Mac App Store, would potentially prevent malware-ridden apps from infecting other apps or the system. And there are other under-the-hood features that have improved OS X’s security profile. So I do not accept the claim that Apple may be years behind Microsoft in protecting Mac users. Clearly the truth lies elsewhere.

But maybe Apple’s relative silence on the matter is one key reason why security researchers, and tech pundits in general, believe that Apple isn’t doing enough to keep the Mac platform as safe as possible. Maybe it took Flashback to serve as a wakeup call.

Yes, it is true the recent malware outbreaks were caused by vulnerable software not built by Apple. But that may be a distinction without a difference for most Mac users. Besides, security researchers shouldn’t confront a situation where sending evidence of malware to Apple is a one-way street, with everything going in and little coming out.

Maybe Mountain Lion’s arrival will signal a difference. I hope so.


One Response to “Taking Responsibility for Malware”

  1. blad_Rnr says:

    I just wanted to say that Microsoft finally got Outlook right after the horrible SP2 update fiasco that I ranted about a few weeks ago, along with you. Office 2011 for Mac SP2 (14.2.1) makes Outlook run as it should have all along. Much faster booting up, no spinning beach balls of death, everything is just much quicker when using it. I was about to go back to Entourage 2008 (if I could have). But kudos to Microsoft for finally paying attention to us Mac users and fixing the issues with Outlook…after over a year of pain.

    Now the malware issues with older versions of Office are another issue…
