On April 4 Russian antivirus company Dr. Web revealed that over 600,000 Macintosh computers are infected with Flashback trojan and Apple reacted somewhat slowly, waiting until April 10 to published a support knowledge base article HT5244 ("About Flashback malware") which states that it is developing software that will detect and remove the Flashback malware.
A recent version of malicious software called Flashback exploits a security flaw in Java in order to install itself on Macs.
Apple released a Java update on April 3, 2012 that fixes the Java security flaw for systems running OS X v10.7 and Mac OS X v10.6. By default, your Mac automatically checks for software updates every week, but you can change that setting in Software Update preferences. You can also run Software Update at any time to manually check for the latest updates.
Apple is developing software that will detect and remove the Flashback malware.
In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network.
The knowledgebase article goes on to say that Macs running Mac OS X v10.5 or earlier can be protected from the malware by disabling Java in your web browser(s) preferences.
Apple doesn't provide a timetable for the release of the disinfectant software but presumably it will come in the form of a Security Update in the coming days or weeks.
The problem is that this is simply too long. Apple should have acknowledged the problem within a day or two, then released a patch within a week. Today marks one full week since the announcement of the Flashback malware and Apple still hasn't released the patch -- which is unacceptable.
Sure, you can update your Java or disable it outright, but non-technical users are unlikely to do this. I know several users that have their Software Update frequency set to "weekly" and many that wait or never install innocuous and generic sounding updates like "Java for Mac OS X 10.6 Update 7."
The problem is that Apple sugarcoats the issue and goes out of its way to hide the fact that "Java Update 7" fixes a serious malware vulnerability that steals user names and passwords to popular websites by monitoring your browsing habits.
The days of Apple's "security by obscurity" model are over. The company's profile has been raised to the point that it has officially arrived on hacker's radar. Apple's reputation hangs in the balance on how quickly it handles the Flashback (and other) malware and there's a lot at stake.
If Apple doesn't act swiftly and decisively on Flashback its squeaky-clean image as the malware-free computer platform will quickly become tarnished and Macs will be viewed in the same light as the virus-riddled Windows machines that it mocked in its sixth "I'm a Mac" television commercial (circa May 2006, below) -- which would be a shame.
An aside: A total of 66 "I'm a Mac" television commercials were created and run from May 2006 to October 2009. All were directed by Phil Morrison of Epoch Films for TBWA Media Arts Lab.
Update 2012-0413: Apple has released "Java for OS X 2012-003" today which "removes the most common variants of the Flashback malware."