The after effects of the Flashback Trojan are going to be felt for a long time to come. Although there’s been the occasional Mac malware announcement over the past few years, none was ever found to be rampant in the wilds of the Internet. Most were easily avoided by Apple’s basic security elements or by simple user actions like telling Safari not to immediately open so-called “safe” files after downloading them.
As a result, the Flashback Trojan caught a lot of people off guard – including individual Mac owners and some IT professionals who ought to have known better. It also highlighted deficiencies on the part of Apple when it comes to security.
First, let’s start with the basics. If you aren’t already aware, the Flashback trojan is a form of malware that can be installed on a Mac using vulnerabilities in an older version of Java. Apple has updated Java implementations for Macs running Lion and Snow Leopard and you can get these through Software Update . As we covered last week, you can check for evidence of infection pretty easily.
Note: Apple’s update doesn’t remove an existing infection – so you should check even if you’ve installed the updates.
The entire scenario proves that Macs aren’t immune to malware. It also proves that any illusions of “security by obscurity” – the idea that malware authors won’t target Macs because there are many more Windows PCs (and Android phones) to target – is nothing more than hopeful thinking. As John Martellaro from Mac Observer pointed out last week, this is a wake up call for Apple in terms of building real security into its products more than it has to date.
For businesses, this should be a simple challenge. Centralized antivirus software should have alerted IT staff to the presence of the malware. Whether through automated actions or IT-initiated processes, the virus should have been removed immediately. The process shouldn’t be any different than what occurs on as daily basis with Windows malware infections.
Yet, in many organizations, including many small businesses, that probably isn’t how the scenario has played out. The sense that Macs don’t get viruses often leads to IT departments – including those with techs specializing in Apple technologies – to take a somewhat lax approach to these issues compared to the effort and expense dedicated to combatting Windows malware.
Sometimes that means not installing antivirus software at all. More commonly, it means installing it but not setting an aggressive scan or update strategy. One common and rather dangerous approach is installing antivirus software that doesn’t connect to a centralized antivirus management console for an organization – the attitude being that it’s easier and cheaper to just install the consumer-oriented antivirus options, which “should be good enough.” As an IT professional and consultant, I’ve seen all of these attitudes in action over the years.
I actually once saw a Mac IT staffer uninstall an antivirus tool (a sorely out of of date one, I might add) thatkept alerting staff to Office macro viruses dragged over from documents created on infected PCs because “they can’t do much of anything on OS X.”
Those attitudes are outdated and they’re dangerous. Not only do Macs in businesses need antivirus software, they need software that can be centrally managed, which is widely available from both Mac-specific vendors like Intego as well as from the more common enterprise vendors. Centrally managed tools are the only way to be sure an organization Macs, PCs, and network are safe. They also ensure tools and virus definitions are up to date and can make it a relatively quick matter to both prevent and deal with infections.
This event is a wake up call to Mac usersand to IT departments that antivirus software is a need for a Mac as much as it is for any PC. It also raises the point that security can’t stop at company-owned Macs. If Macs come in through BYOD programs they also need to be included in an anti-malware effort.
Apple needs to be more forceful in suggesting antivirus software to its customers – or it needs to take over that responsibility itself. The company does build significant security capabilities into OS X – but they aren’t can’t replace antivirus software.