Apple has quietly released Java patches for OS X after users were left vulnerable to Flashback malware that had security experts so worried they recommended ditching Java.
Flashback uses a vulnerability in Java to infect computers, but although this vulnerability was known and patched for Windows users in February, Apple has only now released an update for OS X 10.6 and 10.7. While Java is owned by Oracle, which issued the earlier Windows patch, Apple has taken it upon itself to first vet any updates before they are rolled out to Macs, introducing significant delays between when a vulnerability is patched by Oracle and when that same patch is available to OS X users.
The malware authors turned their attention to Macs in early March, with Intego discovering that Mac users visiting certain infected websites were automatically infected. Intego also claims that Flashback was created by the same authors as the MacDefender Trojan.
F-Secure, which has been following the variants of Flashback and performing an analysis on them, urged users earlier this week, prior to the patch, to disable their Java clients "before this thing really become an outbreak". Yesterday, the Internet Storm Centre advised users that the vulnerability had been rolled into the Blackhole Exploit Kit. Blackhole is an automated tool that finds vulnerabilities in websites and leverages these to attack users who visit the now compromised site.
Rapid7 security researcher and self-confessed Apple "fanboy" Marcus Carey, who works on the exploit tool and database Metasploit, wrote that Mac users were "wide open to exploitation if they are running the Java plug-in in their browsers", because it is so easy to use penetration testing tools like Metasploit to take advantage of the vulnerability.
Carey said that Mac users needed to realise that the notion that Apple products are hacker proof was a myth.
"Ladies and gentlemen, now is the time to pay attention because this myth is being busticated in a major way at the moment".
According to Carey, Apple users account for about 15 per cent of all internet traffic.
While Apple's patch should address Flashback's current method of attack, the ordeal may not yet be over.
Security blogger Brian Krebs said that he had already seen hackers on underground forums exchanging money for exploit code for a yet-to-be-reported critical flaw in Java. If this has not been addressed in the most recent patch and it works its way into the hands of Flashback's authors, it may be a matter of time before history repeats itself.
Mozilla recently released a patch to block older versions of Java from Firefox; however, this has not yet reached OS X users and currently provides a workaround only for Windows users. Contributor Kev Needham wrote on Mozilla's Add-Ons Blog that blocking older versions of Java for OS X may be added at a later date.