[ISN] Apple Delays, Hackers Play

From: InfoSec News <alerts_at_private>
Date: Mon, 16 Apr 2012 00:52:24 -0500 (CDT)
Forwarded from: Simon Taplin <simon (at) simontaplin.net>

http://www.businessweek.com/articles/2012-04-12/apple-delays-hackers-play

By Jordan Robertson
Businessweek
April 12, 2012

Jeroen Frijters describes himself as an “accidental” hacker, a guy who 
trips over security holes the way a pedestrian stumbles over a sidewalk 
crack. In July the Dutch software engineer discovered the Grand Canyon 
of sidewalk cracks: a serious vulnerability in Java, one of the most 
widely used programming languages and a building block of many websites. 
He reported the flaw to Oracle (ORCL), which oversees Java.

About nine months later, that bug has enabled the largest malware attack 
ever to target Apple (AAPL) computers. Since the end of March, more than 
600,000 Macs have been infected by a virus known as Flashback. The 
attack, disclosed on April 4 by a little-known Russian antivirus company 
called Doctor Web, has mainly affected computers in the U.S. That 
includes a few hundred Macs in Apple’s hometown of Cupertino, Calif., 
suggesting some employees at the world’s most valuable company may have 
caught the virus. The incident has shattered the sense of 
invulnerability felt by many users of Apple products, which generally 
face fewer security risks than those running Windows.

Even more dismaying to Apple fans: The company may have been able to do 
a lot more to prevent the outbreak. Oracle works closely with Microsoft 
(MSFT) on security issues, and after the company developed a fix for 14 
security holes, including the one Frijters discovered, it released a 
software patch directly to Windows users in mid-February. Those patches 
are like beacons for criminals, who compare the code before and after 
the fix to home in on the underlying flaw and then develop ways to 
exploit it on unpatched computers. Apple, which insists on issuing its 
own Java patches, waited nearly two months before distributing a fix. 
The company has announced it’s working on software to detect and remove 
the malware from infected machines.

“Waiting that long was unacceptable given the severity of the 
vulnerabilities,” says George Kurtz, former chief technology officer of 
antivirus software maker McAfee (INTC) and now chief executive officer 
of CrowdStrike, a security startup. It’s not clear why Apple didn’t work 
with Oracle to release a patch earlier, but Kurtz says it’s in line with 
the tech giant’s famed desire for control. “Apple marches to the beat of 
its own drummer,” he says. “It makes great hardware, it makes great 
software, and it controls everything from start to finish. I don’t think 
it likes doing anything that’s not on its own timeline.” Apple and 
Oracle declined to comment.

The malicious code is from a family of password-stealing programs 
originally spotted last year, says Liam O Murchu, manager of operations 
for Symantec’s (SYMC) security response unit. The owners of infected 
computers could be exposed to identity theft and fraud. Doctor Web 
reports the virus can also alter Google search results, displaying spam 
links instead of actual ones.

[...]


Received on Sun Apr 15 2012 - 22:52:24 PDT
