By Roel Schouwenberg
For a few days now I’ve been asking myself which is more important: the fact that a 500k-strong OSX botnet flew under the radar, or the culprit that enabled the malware to infect so many machines? Every time the answer is clear: Java has become an absolute focal point in the cyber threat landscape. It plays a major role in attacks against every major platform, including mobile.
It’s quite clear that Java/Oracle has become the new Adobe. But where Adobe has been (successfully) investing heavily in techniques such as sandboxing, it remains awfully quiet on Oracle’s side. It becomes even more painful when you consider that Java was the first third-party application/browser plug-in the bad guys really went after, back in 2005. It was only after their successes against Java that the criminals started going after Adobe (and other) products.
Somehow, we’ve let Sun/Oracle get away with doing next to nothing to improve the situation for the better part of a decade. Shame on us, and shame on them.
Going back to the Mac/OSX Flashback malware: I think it’s clear nobody expected quite so many infected machines. With few people on OSX running security software, it’s very hard to get an accurate reading of how many threats there are in the wild.
Obviously, the situation is worse than anticipated. Measured as the percentage of the user base infected with a single piece of malware, we’re talking about an epidemic roughly the equivalent of Conficker. That’s just amazing.
Many people are still under the impression that you need to hand over your administrator password to get infected with Flashback. I want to reiterate that this is no longer the case: Flashback is also installed via drive-by downloads exploiting Java vulnerabilities, with no prompt to the user. Java has irreparably tarnished the image of OSX as free from malware. It has never been free of malware, but we now have a huge botnet to further damage the myth of a malware-free OSX.
It’s been some time coming. The MacDefender FakeAV and DNSChanger epidemics from last year were a turning point and a sign of things to come. Apple only patched the Java vulnerability being exploited by Flashback last week, seven weeks after the other platforms received their patches. Unfortunately, this is the norm rather than the exception when it comes to patches for third-party code in OSX.
If anything, I hope Flashback serves as a wake-up call for Cupertino. This patch gap needs closing. It should be crystal clear to everyone now that OSX is a real target. While no longer shipping Java by default from OSX Lion onwards is a good move, it doesn’t solve the bigger problem.
Even if Apple closes the patch gap the cross-platform Java problem remains. Oracle really needs to step up its game. Its security team should have an easy time getting the necessary resources. After all, these days Microsoft and Adobe generally get praised for their approaches to security. So there’s really no excuse for Oracle here.
Until the day comes when Oracle visibly commits to security, the best course of action is to uninstall Java, regardless of what platform you’re on. Hopefully that will encourage Oracle to improve the overall security of its products.
If you do need Java – for instance if you’re running the Android emulator – then make sure you disable the Java plug-in for your browsers.
It would be great if the Java updater respected the browser plug-in settings. As it stands, an update re-enables the plug-in, and going through every browser after each update to disable it again is something that is easily forgotten.
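A quick way to confirm that an update has not quietly put Java back in front of your browsers is to inventory the plug-in bundles a browser can load, rather than clicking through each browser's settings. The script below is an added example and is not code from the original post. It assumes the standard OS X locations /Library/Internet Plug-Ins (system-wide) and ~/Library/Internet Plug-Ins (per-user), and identifies a Java plug-in by the string "Java" in the bundle name (true for JavaAppletPlugin.plugin; matching other names is a heuristic). A count of zero means no browser on the machine can load Java whatever its per-browser setting; anything else lists what still needs disabling or removing.

```shell
#!/bin/sh
# Added example, not code from the original post: inventory the Java browser
# plug-in bundles on an OS X machine so you can verify that a Java update has
# not re-exposed the plug-in to your browsers.
#
# Assumptions: plug-ins live in /Library/Internet Plug-Ins (system-wide) and
# ~/Library/Internet Plug-Ins (per-user), and a Java plug-in bundle has "Java"
# in its file name (JavaAppletPlugin.plugin does; other names are a heuristic).

# Print every plug-in bundle under DIR whose name contains "Java" or "java",
# one per line. Prints nothing (and succeeds) if DIR does not exist.
find_java_plugins() {
    dir=$1
    [ -d "$dir" ] || return 0
    for bundle in "$dir"/*.plugin "$dir"/*.bundle; do
        [ -e "$bundle" ] || continue        # glob matched nothing
        case "$(basename "$bundle")" in
            *[Jj]ava*) printf '%s\n' "$bundle" ;;
        esac
    done
}

# Sum the Java plug-in bundles found across every directory given as an
# argument, so one number says whether any browser can still find Java.
java_plugin_count() {
    total=0
    for d in "$@"; do
        n=$(find_java_plugins "$d" | wc -l | tr -d ' ')
        total=$((total + n))
    done
    echo "$total"
}

# Human-readable verdict. Exit status 0 means clean, 1 means at least one
# Java plug-in is still exposed, so the function can gate a fleet check.
java_plugin_report() {
    count=$(java_plugin_count "$@")
    if [ "$count" -eq 0 ]; then
        echo "No Java browser plug-in found."
        return 0
    fi
    echo "$count Java browser plug-in bundle(s) still exposed to browsers:"
    for d in "$@"; do
        find_java_plugins "$d"
    done
    return 1
}

# Usage: audit the standard system-wide and per-user locations.
java_plugin_report "/Library/Internet Plug-Ins" "$HOME/Library/Internet Plug-Ins"
```

Removing or renaming the bundle is what actually takes Java away from every browser; disabling it inside one browser only protects that browser, and, as noted above, the next Java update may undo it.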
Roel Schouwenberg is a senior security researcher at Kaspersky Lab.