Apple Patches Up Massive Java Security Leak

Apple has pushed two critical security updates to Java for Mac OS X this week to patch security loopholes found in the previous release of Java, version 1.6.0_29. The updates, which were released on Tuesday and Thursday of this week, are available via Software Update for Snow Leopard users running OS X 10.6.8 and Lion users running OS X 10.7.3.

The updates were released after a Russian antivirus company, Doctor Web, discovered that Macs were vulnerable to the BackDoor.Flashback trojan, which saves an executable file on your Mac’s hard drive then downloads malicious code from a remote server.

The trojan has affected an estimated 600,000 Macs worldwide, with the majority located in the United States (around 55%), Canada (around 20%) and the UK (around 13%). An analyst at Doctor Web also reported that 274 of these infected computers were based in Cupertino, California – the same city as Apple’s headquarters, meaning that some of Apple’s own computers may have been affected.

Flashback Virus

The FlashBack virus has affected an estimated 600,000 Mac users, most of whom are located in the United States and Canada.

The trojan can only be downloaded through compromised websites, which are mostly (dodgy-looking) online video sites ending in the domain name. However, according to Google search results at the end of March, some 4 million websites may be affected by the trojan, with some users reporting that popular sites such as D-link may also have been compromised.

What is FlashBack?

BackDoor.FlashBack.39 is a trojan horse designed to exploit a security loophole in Java on OS X. It has been around since September of last year, and Oracle, the owner and developer of Java, patched the issue back in February. Apple reacted only after the vulnerabilities were exploited, releasing two security patches this week. The company does not comment on or disclose any security issues until a full investigation has been carried out in order to protect its customers, which may explain the gap between the issue being discovered and Apple’s reaction.

After you visit a compromised website, FlashBack installs and runs a small executable on your Mac, which subsequently scans for software (most of which would otherwise detect and remove the threat) in the following locations on your Mac’s hard drive:

  • /Library/Little Snitch
  • /Developer/Applications/
  • /Applications/VirusBarrier
  • /Applications/iAntiVirus/
  • /Applications/avast!.app
  • /Applications/
  • /Applications/
  • /Applications/Packet

If these files aren’t found, then the trojan uses a special routine which generates a list of control servers and installs the malicious code onto the user’s Mac, compromising overall system security.

How do I find out if I’m affected?

If you haven’t already done so, head over to Software Update and install the relevant security updates. However, this simply patches up the issue, and does not tell you whether or not your Mac is affected or not. The FlashBack trojan only affects Macs with Java installed. If you haven’t got Java installed on your machine, then you don’t need to worry.

If you’re running commercial anti-virus software on your Mac such as VirusBarrier X6 or ClamXav, then chances are the system would have detected and removed the threat. If not (or you just want to be sure), then F-Secure has provided a step-by-step guide on how to remove it manually – head over to their website for the detailed steps.
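To confirm that the Software Update step actually moved a Mac past the release named above, the following added example (not part of the original article) parses the output of `java -version` and compares it with 1.6.0_29. The function names and the sample version string are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the article. Sample strings are constructed.
VULN_MAX="1.6.0_29"   # release the article names as vulnerable

# "1.6.0_29-b11" -> "1 6 0 29"; prints nothing if a field is not numeric.
split_version() {
    v=${1%%-*}                         # drop build suffix such as "-b11"
    case $v in
        *_*) upd=${v#*_}; v=${v%%_*} ;;
        *)   upd=0 ;;                  # no update suffix counts as update 0
    esac
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    for f in "${1:-0}" "${2:-0}" "${3:-0}" "$upd"; do
        case $f in ''|*[!0-9]*) return 1 ;; esac
    done
    echo "${1:-0} ${2:-0} ${3:-0} $upd"
}

# Exit 0 if $1 <= $2, 1 if $1 > $2, 2 if either string cannot be parsed.
version_le() {
    set -- $(split_version "$1") $(split_version "$2")
    [ $# -eq 8 ] || return 2
    [ "$1" -ne "$5" ] && { [ "$1" -lt "$5" ]; return; }
    [ "$2" -ne "$6" ] && { [ "$2" -lt "$6" ]; return; }
    [ "$3" -ne "$7" ] && { [ "$3" -lt "$7" ]; return; }
    [ "$4" -le "$8" ]
}

# Classify the text printed by `java -version`.
classify_java() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo "no-java-found"; return 0; }
    rc=0; version_le "$ver" "$VULN_MAX" || rc=$?
    case $rc in
        0) echo "needs-update $ver" ;;   # at or below the named release
        1) echo "newer $ver" ;;
        *) echo "unknown $ver" ;;
    esac
}

# Constructed sample first, then the live machine (java may be absent).
classify_java 'java version "1.6.0_29"'
classify_java "$(java -version 2>&1)"
```

A `newer` result only shows that the update is installed; it does not show whether the machine was infected before patching.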

What Next?

The FlashBack trojan infection has really highlighted vulnerabilities in OS X and Java, and begs the question as to whether Mac users are 100% totally protected from viruses. Although Apple has since responded to the threat, its response came two months after Oracle itself had detected and fixed the threat, giving the trojan plenty of time to spread and infect. The best possible advice really is to run a decent virus scanner on your Mac (there are excellent free ones, such as ClamXav) and regularly scan your computer for threats so they can be detected at the earliest possible stage.

As always, we’d love to hear your thoughts and comments on this issue. Are Macs now becoming more vulnerable? Was Apple’s reaction too late? Were you affected by the FlashBack trojan? Share your experiences in the comments section below.


  • This is why I disabled Java. And Java isn’t actually a part of OS X. It doesn’t even come installed on Lion.

    • Second on that.

    • Good point. I do not think I even have apps that need that (unless LibreOffice does, but there are alternatives). Looks like a Google search is in order to remove from Snow Leopard.

  • Sure, Apple is fair because they didn’t make you install or use Java but what’s the point of disabling Java, Adobe Flash etc. and turning your Mac into an iPad ? Apple should include some better antivirus protection in their products if they still want to say it’s 100% safe. Someday some f*****s will release a trojan that will really do major damage around the world to scare people into buying their antivirus software for Macs. Until no one uses antivirus software then there are no major viruses because there’s no money to make on them.

    • Why keep Flash? What good does it do? I uninstalled Flash, darn, I’m missing all of those relevant ads! I see zero reason for Flash to exist. 99% of it is ads and stupid embedded games on websites.

  • Why do you have a heading:

    “How do I find out if I’m affected?”

    Then go on to say:

    “However, this simply patches up the issue, and does not tell you whether or not your Mac is affected or not.”

    Just list the 3 terminal checks or at the very least link to somewhere that does such as the F-Secure site which also provides manual removal instructions.

  • Hey, let’s scare some people, so they’ll buy some antivirus software!
    Wheeling and dealing

  • “If you haven’t got Java installed on your machine, then you don’t need to worry.”.. Java is installed on all macs as default.

    • Actually, it isn’t pre-installed in Mountain Lion.