Dispatches hit the cyber street that the Flashback Trojan was hitting Mac OS X machines. Apple wasted no time, releasing a fix to stop the latest variant of the password-stealing malware.
The update closes vulnerabilities in Java 1.6.0_29, including a serious hole that allowed an untrusted Java applet to help spread the malicious code.
The quick turnaround is yet another indication of the widespread threat posed by the continuously mutating Flashback malware since millions of Web pages run on Java, and computers can become infected merely by a user visiting a malicious page.
The Apple product update is available for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3 and Lion Server v10.7.3. “The most serious of the vulnerabilities allowed an untrusted Java applet to execute arbitrary code outside the Java sandbox,” Apple said. The patch also addresses other Java vulnerabilities.
Although Apple took less than a day to issue the update after security researchers reported that the Trojan had hit the Mac platform, security sites also noted that Oracle had released a patch fixing the Java flaw for Windows back in February.
“For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available,” the company said.
Prior to the patch, security researchers had begun urging Apple users to disable Java on their Mac machines to avoid widespread infection. Flashback first hit the street last fall disguised as an Adobe Flash Player installer and has since mutated into various forms — all designed to steal passwords and gain access to online financial accounts.
In a related development, Mozilla blacklisted all but the most recent version of Java to protect users who may not be aware of the flaw and attacks. Flashback targets Safari and Firefox Web browsers.
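The practical question behind both the Apple update and Mozilla's blacklist is whether a given machine's Java is at or above the patched build. The following POSIX shell check is an added example, not code from the article or from Apple; it parses the banner that `java -version` prints (the sample banner below is constructed to match the 1.6.0_29 build named above) and compares the installed version against a required build that the caller supplies, since the article does not state the patched build number.

```shell
#!/bin/sh
# Added example: decide whether an installed Java build is older than a
# required update level. Version strings look like MAJOR.MINOR.PATCH_UPDATE
# (e.g. 1.6.0_29); the "_UPDATE" suffix may be absent.

# Constructed sample of what `java -version 2>&1` printed on an unpatched Mac.
SAMPLE_BANNER='java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-11M3527)
Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)'

# extract_java_version BANNER -> prints the quoted version, e.g. 1.6.0_29
extract_java_version() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# version_key VERSION -> zero-padded numeric key so builds can be compared
# with -lt, e.g. 1.6.0_29 -> 010600029 (fits in a 32-bit integer)
version_key() {
    ver=$1
    update=${ver##*_}
    [ "$update" = "$ver" ] && update=0      # no "_NN" suffix present
    base=${ver%%_*}
    oldifs=$IFS; IFS=.
    set -- $base                            # split MAJOR.MINOR.PATCH
    IFS=$oldifs
    printf '%02d%02d%02d%03d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$update"
}

# is_older_than INSTALLED REQUIRED -> true (0) when INSTALLED predates REQUIRED
is_older_than() {
    [ "$(version_key "$1")" -lt "$(version_key "$2")" ]
}

# audit_banner BANNER REQUIRED -> prints a verdict; exit status 0 = patched,
# 1 = older than REQUIRED, 2 = no version banner could be parsed
audit_banner() {
    ver=$(extract_java_version "$1")
    if [ -z "$ver" ]; then
        printf 'UNKNOWN (no java version banner found)\n'
        return 2
    fi
    if is_older_than "$ver" "$2"; then
        printf 'VULNERABLE %s (older than %s)\n' "$ver" "$2"
        return 1
    fi
    printf 'OK %s\n' "$ver"
    return 0
}

# Demo on the constructed banner. REQUIRED_VERSION is a placeholder for the
# build named in the vendor advisory; the article does not give that number.
REQUIRED_VERSION=${REQUIRED_VERSION:-1.6.0_29}
audit_banner "$SAMPLE_BANNER" "$REQUIRED_VERSION" || :
# On a real machine: audit_banner "$(java -version 2>&1)" "$REQUIRED_VERSION"
```

Set `REQUIRED_VERSION` to the build the advisory names and feed `audit_banner` the live `java -version` output; the numeric key avoids the classic mistake of comparing version strings lexically, where `1.6.0_9` would sort after `1.6.0_29`.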