Apple’s solution to the Flashback trojan problem is an interesting one, even though I suspect it’s going to annoy some people.
The firm has released three Java updates in rapid succession, none of which appear to fix the original flaw that made the Flashback trojan viable. But the third update did include a removal tool for known versions of the malware. And it introduced something novel.
It switches off support for Java applets – precisely the thing Apple has been encouraging users to do for a while now. You can switch it back on again, via System Preferences, but if you don’t use Java for 35 days, it switches off again.
Yesterday, I argued that the real significance of Flashback wasn’t that it is Mac malware (it’s not the first, although it is the first worth worrying about), or even that a single piece of malware had achieved 600K+ infections (impressive, as I said, but it pales alongside the likes of Conficker or ZeuS). Yes, those are noteworthy, obviously, but nothing like as significant as the bigger message, which is to do with how we’re making ourselves vulnerable through software we don’t even use.
Apple’s ‘use it or lose it’ approach could be seen as a form of whitelisting. And it makes a lot of sense. If you have software on your system that you’re not using, there’s a higher than normal probability that it’s not fully patched. You can’t trust users to harden their systems. Hell, you can barely trust them to keep their anti-malware software up to date. So why not have the system itself police the software?
There will be complaints. Many, I suspect, will come from geeks with a ‘hands off my system’ attitude. Geeks love to spend hours configuring their computers (I know I do). But, numerically speaking, they – oh, okay, we – form a negligibly small percentage of users.
All this underlines the point – missed by so many, including a large number of tech news sites that are getting their panties in a bunch over this – that this is not about platforms, it’s about software. We’ve seen for some time now that malware – and many other forms of attack – have moved up the stack. In their excitement over seeing Macs being infected, many commentators seem to have missed the fact that PCs were also affected, because this is a cross-platform problem.
I’ve seen a suggestion that this incident should put paid to ‘magical thinking’ by Mac users that their systems are somehow immune. There are Mac users out there who still think that, certainly. And Flashback might be a useful wake-up call for them. But the gist of my post yesterday was about ‘missing the point’, and even to raise the issue of ‘Mac users’ (versus, by implication, Windows users) is to fail to grasp the real issue.
We need to stop thinking so narrowly about platforms and shift the focus higher. Hell, a lot of the online security issues people face these days don’t even involve software vulnerabilities – phishing and fake-AV exploits are essentially social engineering attacks. Focusing too much on platforms leads people to think that there’s a purely technical solution available. Just install anti-malware software and you’re good to go, right? Well, wrong. Security will only come from people taking responsibility for their systems, their habits and their attitudes.
Mozilla has taken another tack with the kinds of vulnerabilities that led to Flashback. One of its engineers, Jared Wein, has created a ‘click to play’ option for plugins. Aimed at technologies like Java and Flash (a notorious vector for malware), this would allow users to prevent the loading of such content unless the user specifically allows it – each time for each page – by clicking on an ‘allow’ button.
There are plugins already available that do this for Flash, and which already have the ability (due to be added to Wein’s solution) to allow automatic loading on a site-by-site basis. I’ve used Flashblocker for some time in Firefox because there’s very little Flash content on the web I want to see and an awful lot that I don’t.
In theory, this approach would prevent drive-by infections. But it’s far from perfect, as it ignores human nature. We know only too well that people are willing to click through warnings in order to get content they think they want. Many people barely even register the warning dialog thrown up by Windows’ User Account Control (UAC) before clicking to allow the installation of software.
That’s why Apple’s approach, even if it seems a little Draconian, might be a better one for the majority of computer users, even if it’s only a small contribution to security on the net.