Flashback and Mac OS X security

I’ve had several people inquire about the security of their Mac, particularly since the media began exploiting the Flashback trojan with sensational titles and coverage that I refuse to link to. If you want a good summary of the Flashback trojan, Macworld has an excellent writeup: What you need to know about the Flashback trojan. As for what you should do, read on.

We need to remember that absolute security is impossible to attain. Safety and security are more accurately described in degrees. What we Mac users are accustomed to is a greater degree of security than other PC users. So long as we employ a bit of caution when downloading, we can surf the big bad internet with very little concern.

That’s not to say we’ve had absolutely nothing to worry about. Every year, there’s been an exploit or two and the page view generators declare that “The Mac is no longer secure.” Never mind that no platform is secure. Such facts do not generate page views. Here in reality, we Mac users have seen three primary vectors of security exploits on the Mac platform: QuickTime, Flash, and Java.

  • QuickTime: There have been quite a few QuickTime exploits, often surfacing as the underlying open source applications discover and patch vulnerabilities. Apple has been pretty good about getting these patches applied and pushed out to users quickly. Software Update is easy to use, so most users see and install these updates.
  • Flash: Flash is the gift (to those with malicious intent) that keeps on giving. For a while, it seemed that Flash Player needed to be updated every week to remain secure, where by secure we meant it had no known vulnerabilities. A few years back, I realized that nothing I cared about required Flash, so I manually uninstalled it. John Gruber has a few tips for going Flash free. The benefits I noticed from disabling Flash were the disappearance of animated ads, faster page loads, greater battery life, and a cooler laptop. I was pleased when Apple shipped Lion without Flash and Java. With Flash use on the decline, the internet is already a better place.
  • Java: For the same reason that Java is popular in enterprises (write once, run anywhere), Java is popular with malware authors. Apple has a history of slow Java updates, which you can read about at Macintouch. The short version is that just like Flash, Java updates on the Mac require cooperation with a third party (Oracle, and previously Sun). That often delays the release of new features as well as security fixes for Java on the Mac platform.

The only web site I use that utilizes Java is one bank, and it uses Java only for its online check deposit feature. Since I rarely use that feature (there’s an App for that), and having Java enabled poses real security risks, I have little reason to have Java enabled in Safari. Apple has made it very easy to disable Java: go to Safari -> Preferences -> Security -> Enable Java and uncheck that box. I recommend that everybody do the same. It is comparably easy to disable Flash and Java in Firefox, Chrome, and Opera. Doing so inoculates you against nearly all internet nasties.

In summary, Mac users can continue to eschew antivirus software and still remain reasonably secure, so long as we employ three basic precautions: apply security patches that Apple releases, disable Flash, and disable Java. This is the way it has been for years. The thing that has changed the most regarding Mac security is that now it’s easier than ever to live without Flash and Java.