Apple Security Grows Up With Pair Of Malicious Threats
As of late, Apple has been looking a little more like Windows. Or at least, feeling the pain known all too well by its Redmond-based counterpart.
In recent days, the seemingly impenetrable Mac OS X platform was pummeled by not one, but two information-stealing attacks typically reserved for Windows.
One of those in-the-wild attacks exploited a gaping Java vulnerability that enabled attackers to install the Flashback Trojan onto victims’ Mac OS X machines.
The Flashback Trojan stealthily made its way onto users’ Windows machines last fall by disguising itself as an Adobe Flash Player installer and has since mutated to adapt to other platforms, such as Mac OS X. Once installed, the malicious applet is designed to steal victims’ login credentials as well as financial and other sensitive data, which it subsequently hands over to cyber criminals waiting on the other side of the installed backdoor.
The latest Flashback variant contains an additional updater created in the victim user’s home folder, along with a property list file enabling the malware to execute every time the user logs in.
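The login-time persistence described above (a property list in the user’s home folder that launches the malware at every login) is the kind of LaunchAgent pattern a defender can hunt for. The following is an added example, not code from the article or from any vendor; the home folder, file names and plist contents are constructed, not real Flashback artifacts.

```python
"""Flag LaunchAgent property lists that run a program from the user's home
folder at login. Example added to this article; all sample data is constructed."""
import plistlib
from typing import Dict, List, Optional

HOME = "/Users/alice"  # constructed home folder used by the sample input

# Constructed sample LaunchAgent plists keyed by file name (not real Flashback files).
SAMPLE_PLISTS: Dict[str, bytes] = {
    "com.example.legit.plist": plistlib.dumps({
        "Label": "com.example.legit",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
        "RunAtLoad": True,
    }),
    "com.example.updater.plist": plistlib.dumps({
        "Label": "com.example.updater",
        "ProgramArguments": [HOME + "/.hidden_updater", "-c"],  # hidden file in home folder
        "RunAtLoad": True,
    }),
    "com.example.manual.plist": plistlib.dumps({
        "Label": "com.example.manual",
        "Program": HOME + "/bin/tool",
        "RunAtLoad": False,  # not started at login, so not the pattern we hunt
    }),
}


def program_path(plist: dict) -> Optional[str]:
    """Return the executable a launchd job runs, from Program or ProgramArguments."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def is_suspicious(plist: dict, home: str) -> bool:
    """True for a job that runs at login and whose executable lives under the home folder."""
    path = program_path(plist)
    if not path or not plist.get("RunAtLoad"):
        return False
    return path.startswith(home.rstrip("/") + "/")


def scan(plists: Dict[str, bytes], home: str) -> List[str]:
    """Return the names of plists matching the home-folder login persistence pattern."""
    return [name for name, raw in plists.items()
            if is_suspicious(plistlib.loads(raw), home)]


if __name__ == "__main__":
    for name in scan(SAMPLE_PLISTS, HOME):
        print("suspicious LaunchAgent:", name)
```

On a real system the same `scan` logic can be fed the contents of `~/Library/LaunchAgents`; a hit is a lead to review, not proof of infection, since legitimate per-user tools also install agents there.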
Oracle had patched the flaw for Windows, Unix and Linux back in February, but the same vulnerability remained unpatched on Mac OS X, leaving a six-week window of opportunity for entrepreneurial-minded cyber criminals.
The critical nature of the attack and the potentially rapid pace at which it could spread prompted Apple to take a page out of Microsoft’s book and scramble to release a new version of Java for Snow Leopard (OS X 10.6) and its latest release, Lion (OS X 10.7). The release updates Java to version 6 update 31.
While Apple did indeed wait for the flaw to be actively exploited before making a move to repair the damage, the company responded with remarkable speed—releasing the patch just a day after it had announced that the Trojan had actively hit the Mac OS X platform.
Until the update is installed (or even if it already is), many researchers and security types are advising users to simply disable Java altogether on their Macs in order to prevent the infection from spreading further, arguing that the application heightens security risk and is largely unnecessary when surfing the Internet, with the exception of some e-banking Websites.
Meanwhile, researchers at AlienVault discovered another strain of Mac malware—dubbed the MacControl Trojan—which dropped information-stealing malware onto users’ machines that gave hackers a free pass to snoop around their files and Web activity at their discretion.
The MacControl attack exploits a critical Microsoft Word vulnerability dating back to 2009 which, as with most of the flaws Microsoft deems “critical,” enables remote code execution. The malicious Word doc, first detected in the midst of a Chinese-based spam campaign targeting Tibetan activists, poses as a letter claiming to inform the victim about human rights abuses imposed on Tibetans by the Chinese. Along with the decoy .doc file, unsuspecting users who open the infected Word document unintentionally install a Trojan horse that opens a back door for remote hackers.
The threat is particularly irksome because it installs silently on users’ computers, without triggering any of the usual prompts for credentials, clearly circumventing security requirements and defying users’ expectations.
But beyond that, the MacControl Trojan also represents one of the first strains of malware that exploits a remote code execution flaw in Microsoft Office.
Both attacks are nothing new for Windows users, who have been dealing with and defending their machines against infected Office documents and Java vulnerabilities for years. And the reality might hit Mac users in the face like a lead brick that the time has come to, gasp, install a separate antivirus on their systems. While there are still considerably fewer threats for the Mac than for Windows, the days when Apple could rest on its laurels as the “secure” platform might be coming to an end. And Cupertino might just have to face the music and start making a concerted effort to educate its users about security while beefing up its own security posture. It might be a hard lesson to learn, but in the end, manning up a bit never hurt anyone.