Apple has pushed two critical security updates to Java for Mac OS X this week to patch critical security loopholes found in the previous release of Java, version 1.6.0_29. The updates, which were released on Tuesday and Thursday of this week, are available via Software Update for Snow Leopard users running OS X 10.6.8 and Lion users running OS X 10.7.3.
The updates were released after a Russian antivirus company, Doctor Web, discovered that Macs were vulnerable to the BackDoor.Flashback trojan, which saves an executable file on your Mac’s hard drive and then downloads malicious code from a remote server.
The trojan has affected an estimated 600,000 Macs worldwide, with the majority located in the United States (around 55%), Canada (around 20%) and the UK (around 13%). An analyst at Doctor Web also reported that 274 of these infected computers were based in Cupertino, California – the same city as Apple’s headquarters, meaning that some of Apple’s own computers may have been affected.
The trojan can only be downloaded through compromised websites, most of which are (dodgy-looking) online video sites ending in the domain name .rr.nu. However, according to Google search results at the end of March, some 4 million websites may be affected by the trojan, and some users report that popular sites such as D-Link may also have been compromised.
What is FlashBack?
BackDoor.FlashBack.39 is a trojan horse designed to exploit a security loophole in Java on OS X. It has been around since September of last year, and Oracle, the owner and developer of Java, patched the issue back in February. Apple reacted only after the vulnerabilities were exploited, releasing two security patches this week. The company does not comment on or disclose any security issues until a full investigation has been carried out, in order to protect its customers, which may explain the gap between the issue being discovered and Apple’s reaction.
After you visit a compromised website, FlashBack installs and runs a small executable on your Mac, which subsequently scans for software (most of which would otherwise detect and remove the threat) in the following locations on your Mac’s hard drive:
- /Library/Little Snitch
- /Applications/VirusBarrier X6.app
- /Applications/Packet Peeper.app
If these files aren’t found, then the trojan uses a special routine which generates a list of control servers and installs the malicious code onto the user’s Mac, compromising overall system security.
How do I find out if I’m affected?
If you haven’t already done so, head over to Software Update and install the relevant security updates. However, this simply patches the issue and does not tell you whether your Mac is affected. The FlashBack trojan only affects Macs with Java installed. If you haven’t got Java installed on your machine, then you don’t need to worry.
If you’re running commercial anti-virus software on your Mac such as VirusBarrier X6 or ClamXav, then chances are it will have detected and removed the threat. If not (or you just want to be sure), then F-Secure has provided a step-by-step guide on how to remove it manually – head over to their website for the detailed steps.
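An exposure check built from the details above, added here as an example (it is not code from Apple, Doctor Web or F-Secure): it compares the installed Java version with 1.6.0_29 and reports which of the three listed tools are installed. The function names, and the assumption that releases older than 1.6.0_29 are also affected, belong to this example; it does not detect an existing infection.

```shell
# Added example: exposure triage only; it does not detect an infection.
AT_RISK_MAX="1.6.0_29"   # release the article names as carrying the flaws

# Paths the article lists as scanned by the trojan.
tool_paths() {
    printf '%s\n' "/Library/Little Snitch" \
        "/Applications/VirusBarrier X6.app" "/Applications/Packet Peeper.app"
}

# Read `java -version` output on stdin, print the bare version string.
parse_java_version() {
    sed -n 's/^[a-z]* version "\([0-9][0-9._]*\)".*/\1/p' | head -n 1
}

# 0 = version $1 is at or below AT_RISK_MAX (assumption: older releases
# share the flaw), 1 = newer, 2 = not a parseable version.
java_at_risk() {
    awk -v v="$1" -v max="$AT_RISK_MAX" 'BEGIN {
        n = split(v, a, /[._]/); split(max, b, /[._]/)
        if (n < 3) exit 2
        for (i = 1; i <= 4; i++) {
            if (a[i] + 0 < b[i] + 0) exit 0
            if (a[i] + 0 > b[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print each listed tool that exists under root $1 (empty = real filesystem).
present_tools() {
    root="${1:-}"
    tool_paths | while IFS= read -r p; do
        if [ -e "$root$p" ]; then printf '%s\n' "$p"; fi
    done
}

exposure_report() {
    ver=$(java -version 2>&1 | parse_java_version)
    if [ -z "$ver" ]; then
        echo "Java: no version detected"
    elif java_at_risk "$ver"; then
        echo "Java $ver: at or below $AT_RISK_MAX, install the updates"
    else
        echo "Java $ver: newer than $AT_RISK_MAX"
    fi
    echo "Listed security tools installed:"; present_tools | sed 's/^/  /'
}

if [ "${1:-}" = "--report" ]; then exposure_report; fi
```

Saved under any file name and run in Terminal with `--report`, it prints the Java verdict followed by the listed tools it found.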
The FlashBack trojan infection has really highlighted vulnerabilities in OS X and Java, and raises the question of whether Mac users are 100% protected from viruses. Although Apple has since responded to the threat, its response came two months after Oracle itself had detected and fixed the threat, giving the trojan plenty of time to spread and infect. The best advice is to run a decent virus scanner on your Mac (there are excellent free ones, such as ClamXav) and regularly scan your computer for threats so they can be detected at the earliest possible stage.
As always, we’d love to hear your thoughts and comments on this issue. Are Macs now becoming more vulnerable? Was Apple’s reaction too late? Were you affected by the FlashBack trojan? Share your experiences in the comments section below.