Apple released a software update last night for Java in order to remove the most common variants of the Flashback malware.
The Java for OS X Lion 2012-003 update configures the Java web plug-in to disable the automatic execution of Java applets, according to an Apple statement. Apple said that users may re-enable automatic execution of Java applets using the Java Preferences application, and that if the Java web plug-in detects that no applets have been run for an extended period of time, it will again disable Java applets. A corresponding update, Java for Mac OS X 10.6 Update 8, was also released.
Wolfgang Kandek, CTO of Qualys, said that the releases were "quite innovative", as the new version does not fix any vulnerabilities but instead addresses two problems in the current Java-on-Mac landscape.
He said: “It erases the known variants of the Flashback Trojan and it automatically disables Java when it has not been used for the last 35 days. Users have to then re-enable it manually (in Java Preferences) when they need it.
“This is exciting and to my knowledge nobody has done something like this before. It makes total sense to me: we have been telling users to disable or uninstall Java if they do not need it, but we know very well that only very security-conscious users will do so. Giving the task of monitoring Java use to the computer itself is a great idea, and it will be interesting to see how user acceptance will work out.”
Paul Ducklin, head of technology for Sophos Asia Pacific, was critical of the lack of documentation from Apple about the patch and about which variants of the malware it finds, and said that it gives no visual indication that it has run at all.
He said: “Also of course, it won't protect you against reinfection, and it won't protect you against any other Mac malware. So there you have it. Apple's Java distribution and the Flashback malware addressed in one go. Unless you have OS X Leopard (10.5) or earlier. If you do, you're still out of luck – no patches for you.”
Mac security firm Intego said that Java is fast becoming a new vector of attack for malware, and Flashback has notably used Java in several different ways by taking advantage of known or unpatched vulnerabilities to get through a Mac's defences.
“Java applets are not affected by Mac OS X's quarantine system. This means that Mac users do not get a warning dialog when Java applets are downloaded as objects in a web page. This also gets around Apple's XProtect malware scanning system, which does not scan objects in web pages,” it said.
Apple previously released a patch for a flaw in Java at the start of April to close a dozen holes in Java 1.6.0_29.