Mac Malware Exploiting Java Vulnerability
04/10/2012 - Local observations section updated.
Flashback is Mac-specific malware first reported in the fall of 2011. It has recently been updated to exploit a critical vulnerability in Java and install itself without user intervention. Details on the Java vulnerability can be found at http://support.apple.com/kb/HT5228.
This malware can sniff network traffic for user credentials and disable security tools that might expose its presence on the system. Recent updates enable silent installation via web-browsing redirects; in the past the malware has also masqueraded as Apple Software Updates or Adobe Flash updates.
All versions of Mac OS X running Java 1.6.0_29 or older are affected. Mac OS X 10.5 has no patch for the most recent Java vulnerability.
Security engineers have detected a number of hosts potentially infected with the Flashback malware. Compromised hosts have been identified using a combination of DNS logs and user-agent strings used by this malware. Compromised hosts will be blocked from the network and owners will be notified through normal incident response channels.
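As an added illustration of the DNS-log and user-agent correlation described above (example code written for this page, not the security team's own tooling), the script below triages constructed log lines from a resolver and a web proxy. The log formats, the domain and the user-agent string are placeholders, since this advisory does not publish the actual indicators.

```python
import re
from collections import defaultdict
# Placeholder indicators (constructed): the advisory does not publish the
# actual domains or user-agent strings its detections matched on.
C2_DOMAINS = {"c2-placeholder.invalid"}
MALWARE_UA_PATTERNS = [re.compile(r"^FLASHBACK-UA-PLACEHOLDER/")]
# Assumed (constructed) log line formats for the DNS resolver and web proxy.
DNS_RE = re.compile(r"^\S+ client=(?P<ip>\S+) query=(?P<qname>\S+)")
HTTP_RE = re.compile(r'^\S+ client=(?P<ip>\S+) ua="(?P<ua>[^"]*)"')

def dns_hits(lines):
    """Map client IP -> watched domains it resolved (trailing dot and case ignored)."""
    hits = defaultdict(set)
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in C2_DOMAINS:
            hits[m.group("ip")].add(qname)
    return hits

def ua_hits(lines):
    """Map client IP -> malware user-agent strings it sent."""
    hits = defaultdict(set)
    for line in lines:
        m = HTTP_RE.match(line)
        if m and any(p.search(m.group("ua")) for p in MALWARE_UA_PATTERNS):
            hits[m.group("ip")].add(m.group("ua"))
    return hits

def triage(dns_lines, http_lines):
    """Hosts seen in both sources are 'likely' infected; one source alone is 'possible'."""
    d, u = dns_hits(dns_lines), ua_hits(http_lines)
    return {ip: "likely" if ip in d and ip in u else "possible" for ip in set(d) | set(u)}

# Constructed sample logs: .5 hits both sources, .7 only DNS, .8 only the UA, .6 is clean.
DNS_LOG = [
    "2012-04-09T10:00:01 client=10.0.0.5 query=c2-placeholder.invalid.",
    "2012-04-09T10:00:02 client=10.0.0.6 query=www.apple.com.",
    "2012-04-09T10:00:03 client=10.0.0.7 query=C2-Placeholder.INVALID.",
]
HTTP_LOG = [
    '2012-04-09T10:00:05 client=10.0.0.5 ua="FLASHBACK-UA-PLACEHOLDER/1.0"',
    '2012-04-09T10:00:06 client=10.0.0.6 ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3)"',
    '2012-04-09T10:00:07 client=10.0.0.8 ua="FLASHBACK-UA-PLACEHOLDER/1.0"',
]

if __name__ == "__main__":
    print(triage(DNS_LOG, HTTP_LOG))
```

Hosts flagged by only one source still warrant a look: a DNS-only hit may be a blocked or failed callback, and a UA-only hit may be traffic to a hard-coded IP that never needed a lookup.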
Users of OS X 10.6 should ensure "Mac OS X 10.6 Update" is applied. Users of 10.7 should ensure "Java for OS X Lion 2012-001" is applied. It is unclear at this time whether 10.5 will be patched; users of 10.5 are therefore strongly encouraged to disable Java entirely.
Users should also consider disabling Java entirely. This can be done in Applications -> Utilities -> Java Preferences: in the General tab, uncheck the checkboxes under "ON".