Edit: 9:29am 13 Apr 2012 – Apple have just released “Java for OS X Lion 2012-003” – a security update that removes the most common variants of the Flashback malware, and also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.
A new variant of Java-based malware dubbed “Flashback” has been spreading rapidly on OSX – some reports suggested over 550 thousand Macs were infected as of 4 April 2012. It gains a foothold on a vulnerable system and can be used to download more malware at a later date.
There has been lots of publicity about Flashback, mainly because Apple contributed significantly to the problem by releasing a fix 8 weeks late. Ed Bott summarizes the situation very well in a blog post at zdnet.com.
It is caused by attackers exploiting several bugs in Java to trigger a “drive-by” infection of vulnerable computers. This means viewing a malicious website is enough to infect your computer. Java is used to run various applications and comes built into most Apple computers. The official Apple support document (HT5228) is very brief – it only notes that “Java for OS X Lion 2012-002 and Java for Mac OS X 10.6 Update 7” fixes multiple vulnerabilities in Java 1.6.0_29. While Java is made by Oracle, Apple manages Java updates to OSX independently.
Lessons:
- Macs and OSX should not be viewed as “more secure” than Windows or other operating systems, especially since Apple has a history of being slow in releasing security fixes.
- Antivirus software should be installed on all computers – it is cost-effective protection against most threats.
What you should do:
- Update immediately – on OSX go to the Apple Menu > Software Update.
- If you use OS X 10.5 or earlier, disable the Java plugin in your web browser, as Apple does not appear to be updating Java on these platforms. Instructions are available for Safari, Firefox, and Chrome.
- Consider installing Antivirus software on your Mac. There are many products to choose from, made by reputable vendors like Sophos, F-Secure, and Kaspersky.
Detection and removal (Technical users only):
- Check the DYLD_INSERT_LIBRARIES environment variable in web browsers, or visit flashbackcheck.com or www.drweb.com/flashback/?lng=en to detect infected computers.
- Rebuild infected machines from known good media. Cleanup should only be opted for where a rebuild is prohibitively costly.
- Manually clean up the infection, or use a removal tool: We know of tools from Apple (via Software Update), Kaspersky and F-Secure.
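To make the DYLD_INSERT_LIBRARIES check above concrete, here is an added detection script (not from the original post or any vendor tool). It assumes the variable would be picked up from the browsers' Info.plist under the LSEnvironment key or from the per-user ~/.MacOSX/environment.plist, and it reports any library listed there so an admin can review it; the embedded sample plists are constructed, not real Flashback artifacts.

```python
import os
import plistlib
from typing import Dict, List

# Assumed locations where an injected DYLD_INSERT_LIBRARIES would be picked up
# by a web browser on OS X: the browser bundle's Info.plist (LSEnvironment
# dictionary) and the per-user launch environment file.
CANDIDATE_PLISTS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
    "~/.MacOSX/environment.plist",
]


def injected_libraries(plist_bytes: bytes) -> List[str]:
    """Return every library named in DYLD_INSERT_LIBRARIES, whether the key is
    at the top level (environment.plist) or under LSEnvironment (Info.plist).
    A clean plist yields an empty list."""
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        return []
    found: List[str] = []
    for scope in (data, data.get("LSEnvironment", {})):
        value = scope.get("DYLD_INSERT_LIBRARIES") if isinstance(scope, dict) else None
        if value:
            # The variable is a colon-separated list of dylib paths.
            found.extend(p for p in value.split(":") if p)
    return found


def scan(paths=CANDIDATE_PLISTS) -> Dict[str, List[str]]:
    """Map each existing plist to the libraries it injects; missing files are skipped."""
    hits: Dict[str, List[str]] = {}
    for path in paths:
        full = os.path.expanduser(path)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                libs = injected_libraries(fh.read())
            if libs:
                hits[path] = libs
    return hits


# Constructed samples for an offline check (placeholder path, not a real indicator).
SAMPLE_INFECTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.browser</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.example_injected.dylib</string>
  </dict>
</dict></plist>"""
SAMPLE_CLEAN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.browser</string>
</dict></plist>"""

if __name__ == "__main__":
    for name, libs in scan().items():
        print(f"{name}: DYLD_INSERT_LIBRARIES -> {libs}")
    print("constructed sample:", injected_libraries(SAMPLE_INFECTED))
```

Any library reported here should be treated as suspicious and the machine rebuilt as recommended above, since a clean browser bundle carries no LSEnvironment entry at all.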