Less than a day after reports began surfacing that the Flashback trojan was hitting Mac OS X machines, Apple today released a fix to stop the latest variant of the password-stealing malware. The update closes numerous vulnerabilities in Java 1.6.0_29, including a serious hole that allowed an untrusted Java applet to help spread the malicious code.
The quick turnaround is yet another indication of the widespread threat posed by the continuously mutating Flashback malware: Java applets are embedded in millions of Web pages, and a computer can become infected merely by a user visiting a malicious page, with no download or prompt involved.
Earlier today Threatpost reported that Mozilla made the unusual move of blacklisting all but the most recent version of Java to protect users who may not be aware of the flaw or of the attacks exploiting it. Flashback is believed to target the Safari and Firefox Web browsers.
The Apple update is available for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.3 and Lion Server v10.7.3. According to Apple, “the most serious of the vulnerabilities allowed an untrusted Java applet to execute arbitrary code outside the Java sandbox.” The patch also addresses numerous other Java vulnerabilities.
Although Apple issued the update less than a day after security researchers publicly reported that the trojan had hit the Mac platform, numerous security sites have noted that Oracle released a patch for the same Java flaw on Windows in February, so the vulnerability was public and fixed elsewhere well before Apple shipped its update.
“For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available,” the company said in its advisory.
Prior to today’s patch release, security researchers had been urging Apple users to disable Java on their Macs to avoid widespread infection. Flashback was first discovered last fall disguised as an Adobe Flash Player installer and has since mutated into several stealthier variants, all designed to steal passwords and gain access to online financial accounts.
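The practical question for a Mac administrator reading this is whether a given machine still runs the vulnerable Java. The following is an added example, not code from the Threatpost article, Apple or Mozilla: a POSIX shell check that parses the first line of `java -version` (which Java prints to stderr) and flags Java 1.6.0_29 or older as unpatched. The cutoff at 1.6.0_29, the assumption that every older build is also affected, and the sample version lines are constructed for this example; the article does not give the fixed build number, so adjust `VULN_UPDATE` once you know it.

```shell
#!/bin/sh
# Added example, not code from the Threatpost article, Apple or Mozilla.
# Flags a Java at or below 1.6.0_29, the version the article names as
# vulnerable. The cutoff and the assumption that older builds are also
# unpatched are this example's own; the fixed build number is not given
# in the article, so change VULN_UPDATE if you know it.

VULN_MAJOR=1
VULN_MINOR=6
VULN_PATCH=0
VULN_UPDATE=29

# java_version_tuple 'java version "1.6.0_29"'  ->  "1 6 0 29"
# Extracts the quoted version from the first line of `java -version`
# and splits it on '.' and '_'. Prints nothing if no quoted version exists.
java_version_tuple() {
    printf '%s\n' "$1" \
        | sed -n 's/^[^"]*"\([0-9][0-9._]*\)".*/\1/p' \
        | tr '._' '  '
}

# java_is_unpatched <version line>
# Exit 0 if the version is <= 1.6.0_29, 1 if it is newer, 2 if unparseable.
# Every failing test sits in an if / && / || context so the function is
# safe to call from scripts that run under `set -e`.
java_is_unpatched() {
    _tuple=$(java_version_tuple "$1")
    [ -n "$_tuple" ] || return 2
    set -- $_tuple                      # unquoted on purpose: split into fields
    [ $# -ge 3 ] || return 2
    _major=$1; _minor=$2; _patch=$3
    _update=${4:-0}                     # e.g. "1.7.0" carries no _NN update suffix

    if [ "$_major" -ne "$VULN_MAJOR" ]; then
        [ "$_major" -lt "$VULN_MAJOR" ] && return 0
        return 1
    fi
    if [ "$_minor" -ne "$VULN_MINOR" ]; then
        [ "$_minor" -lt "$VULN_MINOR" ] && return 0
        return 1
    fi
    if [ "$_patch" -ne "$VULN_PATCH" ]; then
        [ "$_patch" -lt "$VULN_PATCH" ] && return 0
        return 1
    fi
    [ "$_update" -le "$VULN_UPDATE" ] && return 0
    return 1
}

# check_installed_java: query the real runtime (java -version writes to
# stderr, hence 2>&1) and report. Exit status follows java_is_unpatched,
# so a missing or unparseable java yields 2.
check_installed_java() {
    _line=$(java -version 2>&1 </dev/null | head -n 1)
    _rc=0
    java_is_unpatched "$_line" || _rc=$?
    case $_rc in
        0) echo "UNPATCHED: $_line" ;;
        2) echo "could not determine Java version: $_line" ;;
        *) echo "ok: $_line" ;;
    esac
    return $_rc
}

# Constructed sample lines in the shape of the first line of `java -version`.
for _line in 'java version "1.6.0_29"' 'java version "1.6.0_31"' \
             'java version "1.5.0_30"' 'java version "1.7.0"'; do
    if java_is_unpatched "$_line"; then
        echo "UNPATCHED: $_line"
    else
        echo "ok: $_line"
    fi
done
```

Run `check_installed_java` on the machine itself to test the installed runtime; the loop at the bottom only exercises the parser on constructed lines. Note that this checks the command-line `java`, which on a Mac of that era is the same Apple-supplied runtime the browser plugin uses, but it does not tell you whether the plugin is enabled in Safari or Firefox; disabling it there, as the researchers above recommended, is a separate step.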