Russian security company Dr. Web said on Wednesday that it estimates over 600,000 Macs have been hijacked by the malware and joined in a botnet. About half of the infected computers are located in the U.S., the company said, and about 20% are located in Canada.
F-Secure chief research offiicer Mikko Hypponen via Twitter observed that with an installed base of about 45 million Macs, Flashback appears to have infected about 1% of the Macs out there, making it comparable in terms of reach to the Conficker malware in the Windows world.
[ Read Apple Investigating New iPad Wi-Fi Problem. ]
Dr. Web says that attackers first began using the CVE-2011-3544 and CVE-2008-5353 vulnerabilities in February, and then moved to another vulnerability, CVE-2012-0507, in March.
Apple often has been criticized for not responding fast enough to security vulnerabilities and this incident shows the tradition continues. Security reporter Brian Krebs notes that "[Apple's] lackadaisical (and often plain puzzling) response to patching dangerous security holes perpetuates the harmful myth that Mac users don't need to be concerned about malware attacks."
Oracle patched CVE-2012-0507 in February. However, Apple distributes its own version of Java, previously bundled with OS X and presently as an optional download in Lion (OS X 10.7).
Apple used to claim, "Mac OS X isn't plagued by constant attacks from viruses and malware" because the operating system was "designed with security in mind." It has since qualified its assertions about security and now states, "A Mac isn't susceptible to the thousands of viruses plaguing Windows-based computers."
Even that statement appears to be questionable given that software such as Oracle's Java, Adobe's Flash, and Apple's own iTunes--all of which have had publicly exploited vulnerabilities--can be found on both Mac and Windows machines.
A few things.
1. Screw you Oracle. Java is just not the same anymore. (The virus's method of attack is the Java plugin in Safari).
2. Nonetheless, its still Apple's problem because Oracle did issue a patch to the Java plugin, and Apple didn't push out an update to Safari fast enough. So I can't let apple off the hook on this one either. The vulnerability was fixed by Oracle in February, but no patch was pushed forward until this week. Shame on them on taking so long.
Apparently this virus has infected the same percentage of Macs as Conficker did against Windows. Freaking Conflicker. Anyway, for those out in the Mac community, update that Java plugin. If you can't update it, then be sure to get a virus scanner or disable it.