OFFICIAL SECURITY BLOG


Flashback using Java vulnerabilities

Published February 10th, 2012 at 4:19 PM EST , modified March 5th, 2013 at 2:35 PM EST

According to Intego, a new variant of Flashback has appeared that is taking advantage of Java vulnerabilities and a new social exploit.  Most concerning is the fact that the malware is apparently able to infect a Mac without any user interaction at all!  As I haven’t seen any other reports of this new trojan yet, we’re going to have to rely solely on Intego’s report.

Their report says that the trojan relies on vulnerabilities in Java that allow it to get a foot in the door and get itself installed without the user’s assistance.  This is more virus-like behavior than trojan-like, which is extremely concerning.  Fortunately, the fix appears to be easy – update Java, since the latest version has patched these vulnerabilities.  This can be done as simply as opening Software Update and installing any Java updates that are available.

If you have the most recent version of Java, this malware will try a third trick, which involves installing a self-signed certificate.  If you approve the certificate, evidently the malware becomes capable of installing itself.  It is unclear how this works from Intego’s report.  However, users should be cautioned not to automatically allow certificates to be installed if they don’t know why they’re being asked.

For those who have upgraded to Mac OS X 10.7 (Lion), Java is not installed by default.  It sounds like the entire delivery mechanism for this malware relies on Java.  If that is correct, then you are safe if you haven’t installed Java yet.  If you aren’t sure if you have Java installed, open the Java Preferences app in the /Applications/Utilities folder.  If you see a message like the one shown below, you don’t have Java, and should be safe from this malware.

Intego’s information is quite vague on what versions of Java are vulnerable, so it’s difficult to say for sure what version of Java is safe.  And, of course, I don’t have Java installed myself!  🙂  However, from what I’ve been able to determine, the latest version of Java available through Software Update is 1.6.0_29-b11-402.  Java Preferences should report the version you have installed, as should entering “java -version” in the Terminal application.  Whether this version is the one that Intego is saying has patched the vulnerabilities, though, is unclear.
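Since the post leaves the reader to compare the output of “java -version” against 1.6.0_29-b11-402 by eye, here is a small shell check that does the comparison mechanically. It is an added example, not code from the original post or from Intego; the three sample lines are constructed, and MIN_JAVA_VERSION is an assumption taken from the build the post names (the post itself says it is unclear whether that build carries the patches, so adjust it once Apple or Intego confirm the fixed version).

```shell
#!/bin/sh
# Added example (not from the original post). Classifies the first line
# printed by `java -version` as absent / current / outdated relative to the
# newest build the post names. MIN_JAVA_VERSION is an assumption.
MIN_JAVA_VERSION="1.6.0_29"

# Constructed sample lines of the kind `java -version` prints to stderr.
SAMPLE_OLD='java version "1.6.0_26"'
SAMPLE_NEW='java version "1.6.0_29"'
SAMPLE_NONE='No Java runtime present, requesting install.'

# Pull the quoted version out of a `java -version` line; prints nothing if
# the line does not look like a Java version banner (e.g. Java not installed).
extract_java_version() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*$/\1/p'
}

# Turn "1.6.0_29-b11-402" into "1 6 0 29": drop the build suffix after the
# first "-", then treat "." and "_" as field separators.
version_to_key() {
    printf '%s\n' "$1" | sed 's/-.*$//; s/[._]/ /g'
}

# Exit 0 if version $1 >= version $2, comparing field by field numerically
# (missing trailing fields count as 0).
version_at_least() {
    a=$(version_to_key "$1")
    b=$(version_to_key "$2")
    awk -v a="$a" -v b="$b" 'BEGIN {
        na = split(a, x, " "); nb = split(b, y, " ");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0;
    }'
}

# Print one word describing the state of the Java runtime described by $1
# (a `java -version` first line). Exit 1 only for an outdated install, since
# the post treats both "no Java" and "current Java" as safe from this variant.
check_java_output() {
    ver=$(extract_java_version "$1")
    if [ -z "$ver" ]; then
        echo absent
        return 0
    fi
    if version_at_least "$ver" "$MIN_JAVA_VERSION"; then
        echo current
        return 0
    fi
    echo outdated
    return 1
}

# Usage: `sh check_java.sh --live` runs the check against the real runtime;
# `java -version` writes to stderr, hence the 2>&1.
if [ "${1:-}" = "--live" ]; then
    check_java_output "$(java -version 2>&1 | head -n 1)"
fi
```

Run with `--live` on the Mac in question; an “absent” result corresponds to the Java Preferences message the post describes on a fresh Lion install, and “outdated” means Software Update should be run before doing anything else.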

Update: See more about this malware in Flashback infections becoming widespread.  Also note that I strongly recommend turning off Java in your web browser’s security preferences!

