Quick protection for older Macs from the Flashback trojan
Most modern Macs have Java installed, so they could be vulnerable to the Flashback. While Apple posted a security fix for Mac OS X Lion and Mac OS X Snow Leopard, there are many millions of Macs running older software. Still there's an easy way to prevent a Java drive-by attack, besides pulling the plug.
Apple last week sent out the Java for OS X Lion 2012-002 and Java for Mac OS X 10.6 Update 7 fixes in Software Update for the Flashback trojan.
There are reports that some 600K Macs have been infected, perhaps by some estimates 1 percent of the installed base of Macs. As I mentioned in a post last week, Mac OS X Lion and Snow Leopard are running on the majority of Macs. Still, Mac OS X Leopard and Tiger may be running on a quarter of Macs in the world.
See also: Installing antivirus on your Mac? | New malware epidemic exploits weaknesses in Apple ecosystem | Macs infected (a dream, dashed) | Lion OS making gains in Mac installed base
Likely, your machines are not infected. Before I installed the Apple updates, I checked my machines using the Terminal checking routine offered by the F-Secure website. It's the first part of the Manual Removal process.
For older machines running pre-Snow Leopard OSes that haven't been updated by Apple, there may or may not be a problem of infection. Still, to make sure, you can either disable Java in your web browser (in Safari it's a Security preference), or turn it off altogether using the Java Preferences application, which can be found in the Utilities folder in Applications. I understand that the Mac client for CrashPlan Pro requires Java.
In his excellent rundown on the Flashback trojan at Macworld, analyst Rich Mogull of TidBits and Securosis offered this analysis.
Drive-by attacks rely on vulnerabilities in Web browsers and other software—such as email and RSS readers—that view webpages. It’s not enough to run vulnerable software; that software needs to be exploitable, meaning it allows an attack to extend its tendrils into your system. Apple has been introducing a series of technologies—tools like Address Space Layout Randomization (ASLR), sandboxing, and DEP—to reduce the chances of exploitation even when a Mac is vulnerable and to limit the potential damage of an attack. But these technologies aren’t perfect, especially when complex programs that run Web content like Java or Adobe Flash are involved.
Apple clearly needs to start patching software that’s known to be vulnerable more quickly. After the success of Flashback, we can only assume the bad guys will move more quickly the next time they are given this window of opportunity. Cupertino should consider further sandboxing Safari. It should also explore the possibility of sandboxing Flash and Java independently; if the latter isn’t technically feasible, the company should work more directly with the vendors of those technologies to develop sandboxed Mac versions. Adobe recently added more-extensive sandboxing to Acrobat on Windows, and that has reduced the effectiveness of attacks.
The primary reason that there have been few malware attacks on the Mac platform is because most computers in the world run Windows. Sadly, that shield is weakening. However, I also believe that most casual hackers who use the Mac haven't wanted to hurt their platform of choice. People like the Mac, even virus writers. And the number of infected Macs is low compared with Windows.
Still, Flashback is a piece of commercial malware written by organized crime. For enough money, it appears now that even a Mac developer will write a trojan. Sigh.