What is the difference?
OS X suffers from the same security flaws as Windows, and can be exploited just as maliciously by cyber criminals, says Antti Tikkanen, director of security response at F-Secure Corp., a Helsinki-based provider of security research and antivirus software. "From the pure operating system viewpoint, I don't think there is a big difference between recent versions of Windows—Windows 7, in particular—and OS X with regard to security," he says.
Given that the amount of effort required to successfully break into a Windows PC or a Mac is roughly the same, it comes down to economics. Cyber attackers want to infect as many computers as possible without investing more money to buy new types of malware—which can cost hundreds or even thousands of dollars—and without having to acquire new skills required to write malware for more than one platform, according to Tikkanen. Although malware that targets Windows PCs has existed on the black market for years, there is no real market for OS X malware or for tools designed to write OS X malware, he says, adding, "This is what keeps the scale of attacks against OS X low: the current attackers need to build their own tools, and this limits the number of bad guys that will go after you."
Apple is making Java software patches as well as a Flashback-removal tool available on its Web site. Some security vendors have set up Web sites to test whether a Mac has been infected. Flashback found its way onto Macs by exploiting a flaw in Java, which translates certain Web applications into code that can executed by different operating systems, including OS X and Windows. Apple's patches, however, will work only for Macs running OS X Lion and Mac OS X 10.6 (Snow Leopard). Still, about 17 percent of Mac users—roughly 10 million people—are running older versions of OS X not eligible for any security updates. Those ineligible for a patch have been advised by a number of security experts to disable Java in their Web browsers, at least until they can update to Java's latest version.
Apple had known about the Java vulnerability since January, when Oracle Corp. (which owns the rights to Java after purchasing Java creator Sun Microsystems in 2009) issued a patch to correct the problem. Apple, however, does not use Oracle's patches and chose to write its own version, which it did not make available until April 12. Flashback did much of its damage during those three months.
Java has proved itself a security liability over the years, in part because most computer users do not regularly install the security patches required to keep the bad guys out of their computers, says Marcus Carey, security researcher for Rapid7, a Boston-based information-technology security services firm. The situation is worse for Mac users because they generally do not install antivirus software, which serves as another layer of protection, he adds.
Flashback's greatest legacy will likely be as a security wake-up call for Mac users. "The attitude that Mac does not have malware is dated," Tikkanen says. "So Mac users should follow the same safety precautions as Windows users. My tip for both Mac and PC users would be to switch off Java if you don't need it, and remember to update the rest of your software."