There’s a piece of Mac malware, known as ‘Flashback’, that’s going around and takes advantage of a Java vulnerability in order to compromise and infect Macs online. Although the vulnerability isn’t Mac-specific, and was patched back in February, Apple has yet to distribute that update to everyone via Software Update, leaving everyone vulnerable.
Apparently the team behind this malware is quite efficient at updating it, and so they have been successful in spreading it around. Lion doesn’t come with Java by default, so unless you’ve manually installed it, you’re safe. If you have installed Java on Lion however, I don’t know yet whether Lion’s built-in anti-malware is being updated quickly enough to keep up with the new malware variants (although I highly doubt it).
If you are running Snow Leopard (or earlier), or Lion with a manually-installed Java, then the best thing to do is disable it. The majority of web users do not need Java on a regular basis. I recommend disabling Java system-wide by going to Applications > Utilities > Java Preferences and then unchecking all the checkboxes in the General tab. If you use Safari to browse, you can disable Java by going to Safari > Preferences > Security and unchecking ‘Enable Java‘.
Keep an eye out for an upcoming Java update from Apple.
[Updated] Seems all the talk about this has nudged Apple to act! They’ve released Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7. F-Secure have released a free Flashback remover tool, and Apple have announced they are also working on software to detect and remove Flashback malware.
Apple has released Java for Mac OS X 10.6 Update 4 and Java for Mac OS X 10.5 Update 9, patching a number of vulnerabilities in the Java virtual machine. The most serious of these may allow an untrusted Java applet to execute arbitrary code outside of the Java sandbox. Users with Java installed should update soon. Those of you who don’t have Java don’t need to worry. If you’re unsure, just check Software Update.
Apple recently announced that the version of Java ported by Apple for Mac OS X has been deprecated. Starting in Mac OS X 10.7 “Lion”, the Java runtime will no longer be installed by default, instead requiring users to install Oracle’s Java runtime should they require Java support. Apple also recently stopped bundling Flash with Mac OS X by default, with new MacBook Air and MacBook Pros shipping without Flash. The divesting of these two products will not only eliminate Java and Flash vulnerabilities on default installs of Mac OS X, it will allow users who install these apps to get updates quicker directly from Oracle and Adobe, instead of having to wait for Apple to release software updates.
Hit the jump for details of the Java update for 10.6.
Antivirus companies have discovered a new Java trojan horse, labeled OSX/Koobface.A (aka. Boonana), which spreads via social networks including Facebook, MySpace and Twitter. The Java applet masquerades as a video or photo gallery plugin, and requests access to the user’s computer.
If Allow is clicked, then the applet will attempt to obtain additional files from remote servers and join the computer to the Koobface botnet. Koobface is also known to try and steal credit card, and other personal information, from the user’s system.
I’d like to stress that this is a fairly non-event, and this kind of malware poses a low level of risk (hence the peaceful-looking blue triangle). It’s pretty clear that you shouldn’t allow websites, plugins and applets that you don’t trust, to access your computer. Just click Deny and that’s the end of it in this case. Snow Leopard does have some built-in anti-malware functionality, although I don’t know if or when it may be updated to detect Koobface. Either way, I wouldn’t run out to buy antivirus software just yet.
Note this trojan is not Mac OS X-specific, and also affects Windows and Linux systems.
Intego have a Security Memo with some additional details.
Following its release of Java for Mac OS X 10.6 Release 3 (10.5 R8), Apple stated that “the version of Java that is ported by Apple, and that ships with Mac OS X, is deprecated”. Apple has long been producing its own Java runtime, and Java was originally brought to Mac OS X with the aim attracting Java developers to the platform. Since Java application failed to take off, and Apple’s own Cocoa has proven to be extremely successful, they have no real incentive to maintain Java themselves.
This doesn’t mean that Java will disappear from OSX, but instead will allow third parties, such as Oracle (who recently purchased Sun) to provide their own Java runtime directly. The Java Preferences app will allow users to manage the different versions of Java that are installed.
From a security perspective, there is one distinct benefit of this change: faster updates. Apple has always been slower to release security updates, and this will allow those updates to reach Mac OS X users in a much more timely basis.