Apple delivers Flashback malware hunter-killer

Third Java update in 9 days arrives as Apple scrambles to protect Mac users

Two days after Apple promised to decontaminate Macs infested with the Flashback malware, on Thursday the company delivered.

Yesterday's newest Mac OS X Java update includes a tool that will "remove the most common variants of the Flashback malware," Apple's advisory read.

On Tuesday, Apple for the first time acknowledged the Flashback malware campaign that exploited a Java vulnerability to infect hundreds of thousands of Macs. At the same time, Apple pledged to craft a detect-and-delete tool that would scrub compromised machines of the attack code.

Apple easily bested the time it took last year to come up with a similar tool, one designed to eliminate MacDefender fake security software. Apple released the promised anti-MacDefender tool a week after it announced those plans.

Thursday's update also disables automatic execution of Java applets in the Java browser plug-in; the exploit used by Flashback to infect Macs was hidden inside a malicious Java applet hosted on compromised websites.

One of the reasons Flashback was able to infect so many Macs was because the Java plug-in automatically ran the offered applet. Apple's move is a step toward disabling Java, the advice most security experts have suggested to users.

Users can circumvent Java's new off-by-default setting by configuring Java's preferences. But even then, Apple will intercede.

"As a security hardening measure, the Java browser plug-in and Java Web Start are deactivated if they are unused for 35 days," Apple said.

Java Web Start is an Oracle technology that lets users single-click launch a Java app from within a browser without first downloading it to the machine.

Java has an increasingly tenuous link to Mac OS X: Last July, Apple dropped Java from OS X 10.7, aka Lion, although it continues to issue Java patches for both Lion and Snow Leopard, or OS X 10.6.

In related news, Kaspersky Lab, one of the antivirus companies actively analyzing Flashback, pulled its free malware removal tool after reports that the utility was wiping some user settings.

Kaspersky launched the Flashback Removal Tool on Monday.

Also on Thursday, Symantec issued its own free detect-delete tool, posting a download link on a page touting its Mac-specific antivirus program, Norton Antivirus 12 for Mac.

Apple's latest Java update can be download from Apple's website for Snow Leopard or Lion: They weigh in at 80MB and 67MB, respectively. Mac OS X users with Java installed will be automatically alerted by Software Update.

Users running Leopard (OS X 10.5) or earlier must manually disable or remove Java from their Macs, as Apple no longer supports those older editions. That user pool is large: About one-in-six Macs are powered by an unsupported version of OS X.

More than 600,000 Macs have been infected with a new version of the Flashback Trojan horse that's being installed on people's computers with the help of Java exploits. How does this infection affect Apple's reputation for security?

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies