Apple Patches Java Flaw

Apple says a Java update the company released on April 3 fixes the headline-grabbing security flaw exploited by the Flashback Trojan botnet that exposed thousands of Macs running OS X versions 10.7 and 10.6 to hackers.

Flashback relies on a Java vulnerability to download itself onto the target machine and give control of that machine to the attacker. But it also uses computer servers hosted by the malware's authors to perform many of its critical functions, the company noted. Apple said it is joining forces with "ISPs worldwide" to disable this command and control network. The company is also developing software that will detect and remove the Flashback malware.

Flashback first appeared in September 2011 as a variant of a fake Flash Player installer. The new threat was reported by a number of security companies in February, many of which noted that, unlike its predecessor, this version did not require user interaction. Systems are infected after a user is redirected to a bogus Web site from a compromised resource or via a traffic distribution system, explained Russian security firm Dr. Web, which is credited with the initial attack report. JavaScript code is then used to load a Java applet containing an exploit onto the hard drive of the infected machine.

The vulnerability this Flashback variant exploits is a known one, listed as CVE-2012-0507 in the National Vulnerability Database.

Dr. Web estimated 600,000 Mac machines worldwide were exposed to the malware. On April 4, the firm reported that 550,000 machines, mostly in the U.S. and Canada, had been infected and were part of the botnet (a cluster of compromised machines linked by an attacker to work together as one computer).

"This once again refutes claims by some experts that there are no cyber-threats to Mac OS X," the company wrote on its Web site.

The growing popularity of Macs among both consumers and enterprises has drawn the interest of malicious hackers, who all but ignored the platform for decades. ADTmag editor Chris Paoli recently reported that the BlackHole exploit kit has been updated specifically to exploit this Java vulnerability. Security firm F-Secure reported the threat in a blog post, noting that Oracle released an update in February that patched the vulnerability for Windows, but not for Macs.

Apple announced last year that as of the release of Java for Mac OS X 10.6 Update 3, "the Java runtime ported by Apple and that ships with Mac OS X is deprecated. Developers should not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X." Deprecating the custom-ported Java packages for the Mac left them in place, but without support, and with a strong recommendation that developers avoid relying on them. Both Apple and F-Secure have advised Mac users to disable their Java clients for short-term protection from Flashback.

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].