So just how bad is the recent Flashback outbreak of malware for Macs?

Getting hard data about any kind of malware outbreak is always tricky.

Security companies have to make estimates, which might be influenced by their desire to whip up enough fear to sell their software. And corporations rarely publicize details about their internal workings.

That’s why it was refreshing to see a recent blog post from the network security team (OxCERT) at the University of Oxford, which offered some insights into its experience with a large population of Macs.

“Over the past couple of weeks, OxCERT have been somewhat overwhelmed by Mac malware,” the post begins.

The group has dealt with scattered problems on Macs before, says author Robin Stevens. “But with Flashback,” Stevens says, “the game has changed forever.”

We are seeing huge numbers of attacks of the sort that Windows users have had to contend with for years. Apple users, and indeed Apple themselves, just have not been ready. We are dealing with what is probably the biggest outbreak since Blaster struck the Windows world all the way back in the summer of 2003. That time OxCERT dealt with around 1000 incidents; we have seen several hundred Flashback incidents and they keep on coming.

Oxford’s critique of Apple mirrors what I’ve been saying for a long time:

Apple’s contention that “Macs don’t get PC viruses” is “technically true, perhaps, but very misleading: PCs get PC viruses, Macs get Mac viruses which may be extremely similar to that common on PCs.”

OS X antimalware capabilities are “extremely limited and no substitute for a proper third-party antivirus system.” (Oxford supports Sophos for its users.)

Apple’s claim that it “responds quickly by providing software updates and security enhancements” is met with this dry retort: “As we’ve seen, this depends very much on your definition of ‘quickly’.”

And I was gratified to see independent support for an argument I made a few days ago. Apple’s support lifecycle is too short: “There is however a nasty catch with operating system updates, of which many users will be unaware: Apple security support lifetimes are much shorter than in the Windows world.”

That issue gets a full discussion in a second post:

To the best of our knowledge, Apple do not officially state their software support policy anywhere, but from what we can gather, only support the two most recent versions of OS X. Currently that is 10.6 (Snow Leopard) and 10.7 (Lion). 10.6 released in August 2009, which means that any Mac purchased prior to that date and not subsequently upgraded will be running a version which receives no security support. That’s for a system purchased under three years ago. Granted, users can upgrade – but at a cost. Users don’t like being told that they have to spend money. […] Now, granted, users can upgrade to a newer OS X release than their system came with. Plenty of users are unlikely to bother unless forced – their system seems perfectly adequate, why spend money and risk breaking it? One college has reported almost 50 systems known to their student registration system running OS X 10.5 or earlier.

The conclusion neatly mirrors my post the other day about the big gaps in Apple's security response:

Apple … have been complacent in terms of their attitude to security and support, especially when compared to their chief competitor. Microsoft have learned a huge amount from past mistakes, support their products for many years, and these days I feel do an excellent job. By comparison, Apple appear to be making minimal effort, and are putting their customers at risk as a result. …

I’d like to see from Apple the following: Timely security updates

Greater openness regarding security issues

Minimum hardware and software support lifetimes stated clearly up-front

Longer operating system security support lifetimes: at least five years

Hardware that runs a supported operating system version for longer: minimum of seven years perhaps?

In a separate report on Forbes, Andy Greenberg reports new data from the Russian security firm tracking the number of Flashback installations. The current number of infections is around 460,000, down from a peak of 700,000, with the botnet shrinking at a rate of about 100,000 a week.

Apple has still not issued any public statement on Flashback except for a small number of security bulletins.