Last Updated on April 15, 2017 by Dave Farquhar
Security experts have long warned that [Apple’s] delay in delivering Java patches on Mac OS could be used by malware writers to their advantage, and the new Flashback.K malware confirms that they were right. — PC World magazine
Last week I argued that a Macintosh-based botnet currently being distributed via a Word document would likely change distribution methods, perhaps to a PDF document, in order to spread itself more effectively.
That, to my knowledge, hasn’t happened, but today I learned of the above example of Mac malware doing exactly that, jumping from Java vulnerability to Java vulnerability.
The reason I bring this up is to show the trend has arrived. It’s not that Macintoshes are becoming less secure; it’s that malware writers are starting to apply what they’ve learned on Windows systems to Macs.
Thankfully, Java can be disabled on a Mac, and to Apple’s credit the current version, Mac OS X Lion, or 10.7, whichever you prefer to call it, doesn’t come with Java enabled by default. Keep Java disabled, and you’re safe from this exploit.
I uninstall Java on all of my machines, regardless of operating system, unless I have a program that specifically needs Java. Rule #1 of security, regardless of what system you’re using, is to disable or uninstall things you don’t use.
If you really want to be paranoid, you can harden OS X to DoD standards, but it seems the DoD is running a couple of years behind. They still haven’t finalized their settings for OS X 10.6, let alone 10.7. The DoD is still living in the Leopard days. Though if you’re adventurous, you can try to adapt their settings to version 10.7.
But that’s a task for overachievers. I stand behind the advice I gave last week: Use virus scanning, use web-based e-mail with its own virus scanning, and don’t open unexpected e-mail.