The Flashback malware, which has been attacking Macs in various forms, using multiple techniques since September, 2011, has been especially effective in the past couple of months. Much attention has been paid to the Java vulnerabilities that Flashback uses, in the most recent versions, and the need for Mac users to apply security updates to Java. But there is another question that needs examining: where does the Flashback malware come from?
If you’re expecting us to out the cyber-criminals who create and distribute Flashback, you won’t find that here. What we’re interested in, however, is how Flashback is distributed. This malware comes from infected web sites, but which web sites are infected, and is there any way to avoid them?
Topher Kessler, writing recently on CNET, points out that it is likely that Flashback has been distributed via infected WordPress blogs. WordPress is the most popular blogging platform (the Mac Security Blog uses WordPress), and estimates suggest that from 30,000 to 100,000 blogs are infected.
Just as Mac users are vulnerable by not applying security updates on their Macs, blogs, too, can be vulnerable. Kessler writes:
the responsibility also falls to those who are running their own personal blogs and other software on hosting services that may be hijacked and used to spread malware.
Security updates are common and necessary. They don’t suggest any inherent weakness in a platform or program, and vulnerabilities and flaws are found all the time. But once these issues are discovered, hackers find out about them, and work to find ways to exploit them. Even though these vulnerabilities get patched, the number of people who don’t apply updates remains large enough that they are excellent targets.
Whether it’s your Mac or your blog, you should check for security updates regularly, and make sure to apply them. Whether it is for Mac OS X, or for third-party software; whether it is for your blog or its plug-ins, keeping things up to date helps everyone. In many ways it’s like being vaccinated; while the infections of WordPress blogs don’t affect the blogs, they can pass on malware to your friends, family and other readers.
As Kessler concludes:
To help stem the use of personal sites to spread malware, if you have your own Web blog for which you manage the blog software, be sure you keep your software up-to-date and configured with proper security settings to prevent exploitation of it and the users who visit it.