Thankee Brains; downloaded and installed.
Malware culprit found.
A series of vulnerabilities found in Oracle's Java 1.6.0b29 back in February has left Mac OS X users vulnerable to a browse-by malware attack under the name "FlashBack" for the past two months as Apple delayed releasing a security patch to bring their code in-line with Oracle and version 1.6.0b31.
According to Apple's security bulletin released today:
Multiple vulnerabilities exist in Java 1.6.0b29, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
The package delivered by the Java applet places two copies of the payload into the system, and adds them as launchagent entries where they are executed at next boot, receiving their runtime authorisation as part of the log-in procedure.
According to F-Secure, the malware payload currently has a zero detection rate on Mac OS X by all anti-malware suites, including ClamXav, Sophos and Trend Micro. Technical details and disassembly of the malware package can be found here.
One of the more common signs of infection is the presence of files called ".mkeeper", with another similarly-named file in ~/Library/Extensions. To check, you will need to use a third-party directory search tool such as Devon Software's free "EasyFind", which physically walks the entire directory structure including system-level and hidden files for search items.
Apple have released -- two months after the vulnerability was patched in all other JRE distributions -- a Critical Security Update for all users of Mac OS X 10.6 Snow Leopard and Mac OS X 10.7 Lion. Check your Software Update now.
Last edited by Brains; 4th April 2012 at 09:48 AM.
Thanks for the info.
Thanks for the info,
Using software update (as usual) I installed the update 'Java for OS X 2012-001' but immediately software update then wants to install 'Java for OS X 2012-002'.
What gives? No mention of this second update on Apple support site... I'm suspicious and have not installed 'Java for OS X 2012-002'.
---------- Post added at 12:37 PM ---------- Previous post was at 12:01 PM ----------
Just found a discussion on this 2nd Java update over at Whirlpool and one poster found: "The -002 update takes the (Lion) version from 1.6.0_31-b04-413 to -414 so some changes have obviously been made." This version number is found in the Java Preferences utility (should be in your Utility folder).
I went ahead and installed the 2nd update and no obvious problems so far. The version number on the JavaVM reported by System Information under Frameworks is '14.2.1'. Hopefully Apple will update their support site and knowledge base soon.
Instructions on how to check if your Mac has been infected:
How to Check for the Flashback Trojan in Mac OS X
The second update is Lion only and not too different. This email was posted to the Java-dev mailing list by an Apple employee:
Java developers,
Today we re-shipped our Java 1.6.0_31 for OS X Lion to address a critical issue we found in Xcode and the Application Loader tool. This new "Java for OS X 2012-002" package is effectively identical to "Java for OS X 2012-001", with the exception of a few symlinks and version numbers.
For the sake of expediency, we have re-rolled the automatic update as our standard full combo updater, with the hope that most users have not yet been presented with 2012-001. We considered creating a delta update for users who already installed 001, but that would have made the process of getting these fixes to you take longer.
We apologize for the inconvenience, and would like to offer our thanks to the developers who caught this issue and reported it to us as quickly as they did. This issue only impacts Lion users, so Snow Leopard users have nothing to reinstall.
Over the next few days, we will catch up with producing updated release notes, tech notes, and developer packages with the revised 002 version numbers.
Install Little Snitch.
It offered protection against this particular trojan and it is a good idea to keep an eye out for unauthorised external links.
Apple deserves to get its hand smacked for being so slow to fix what was a major breach of security. It is symptomatic of their current attitude to users. Can't be bothered working on something if there isn't a buck to be made, taking their users for granted and presuming they are too stupid to notice. The latter is unfortunately pretty much the case, judging on what I have seen in the Apple Stores and on Apple's support forums lately.
There is a comprehensive article about it here & below is an AppleScript for checking whether you're infected or not.
Select everything in the "Code" box, copy it and then paste it into an AppleScript Editor (in your Utilities folder) document. It just runs the commands listed in this F-Secure article & tells you if there is any infection:
Code:
property removalInstructionsURL : "http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml"
property notFoundString : "does not exist"
property goToWebButton : "Go to Web Site"
property authorString : "Check for Flashback by Richard Morton 2012" -- distribute freely, give credit

set {insLibFound, safariInfected, firefoxInfected} to {true, true, true} -- initialise some variables

-- Each flag stays true (infected) unless "defaults read" reports that the key does not exist,
-- so a successful read or an unexpected error is treated as suspicious
try -- check the system
    do shell script "defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES"
on error errMsg number errNum
    if errMsg contains notFoundString then set insLibFound to false
end try

try -- check Safari
    do shell script "defaults read /Applications/Safari.app/Contents/Info LSEnvironment"
on error errMsg number errNum
    if errMsg contains notFoundString then set safariInfected to false
end try

try -- check Firefox
    do shell script "defaults read /Applications/Firefox.app/Contents/Info LSEnvironment"
on error errMsg number errNum
    if errMsg contains notFoundString then set firefoxInfected to false
end try

if insLibFound or safariInfected or firefoxInfected then -- sucks to be you
    set userChoice to button returned of (display dialog "Your Mac appears to be infected with the Flashback trojan." & return & return & "F-Secure have instructions for removing it. Click \"" & goToWebButton & "\" to read them now." buttons {goToWebButton, "Not Now"} default button 2 with icon 0)
    if userChoice is goToWebButton then open location removalInstructionsURL
else
    display dialog "Your Mac does not appear to be infected with the Flashback trojan." & return & return & "Make sure you have the latest security updates installed - select \"Software Update…\" from the Apple Menu - and consider disabling Java." buttons {"OK"} default button 1 with icon 1
end if
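Added example (not code from this thread, from F-Secure or from Apple): the same indicators can be checked without the GUI, covering both the launchagent persistence described in the first post (a hidden executable such as ~/.mkeeper registered as a LaunchAgent) and the DYLD_INSERT_LIBRARIES lookups the AppleScript above runs with "defaults read". This Python script parses the plists directly with plistlib and runs against constructed sample files so it works offline; the file names, paths and values are constructed, and in real use the inputs would be the plists under ~/Library/LaunchAgents, the browsers' Info.plist files and ~/.MacOSX/environment.plist.

```python
import plistlib
import tempfile
from pathlib import Path

SUSPICIOUS_ENV_KEYS = {"DYLD_INSERT_LIBRARIES"}  # the key the thread's checks look for; extend as needed

def hidden_path(path):
    """True if any path component is a dot-file or dot-directory, e.g. ~/.mkeeper."""
    return any(part.startswith(".") for part in Path(path).parts)

def load_plist(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)

def env_findings(plist_path, env_key=None):
    """Flag suspicious variables in a plist's environment dict. env_key=None: the plist
    itself (~/.MacOSX/environment.plist); "LSEnvironment": an app's Info.plist;
    "EnvironmentVariables": a LaunchAgent plist."""
    data = load_plist(plist_path)
    env = data if env_key is None else data.get(env_key, {})
    return [f"{Path(plist_path).name}: {k}={env[k]}" for k in SUSPICIOUS_ENV_KEYS & set(env)]

def check_launch_agent(plist_path):
    """Findings for one LaunchAgent: hidden executable and/or injected env variable."""
    data = load_plist(plist_path)
    # launchd runs Program if present, otherwise the first ProgramArguments element
    exe = data.get("Program") or (data.get("ProgramArguments") or [None])[0]
    found = [f"{Path(plist_path).name}: runs hidden executable {exe}"] if exe and hidden_path(exe) else []
    return found + env_findings(plist_path, "EnvironmentVariables")

def demo():
    """Write constructed sample plists (not real malware artefacts) to a temp dir, then scan."""
    tmp = Path(tempfile.mkdtemp())
    samples = {
        "com.example.clean.plist": {"Label": "clean", "ProgramArguments": ["/usr/bin/true"]},
        "com.example.bad.plist": {"Label": "bad", "ProgramArguments": ["/Users/me/.mkeeper", "-x"]},
        "Info.plist": {"LSEnvironment": {"DYLD_INSERT_LIBRARIES": "/Users/me/.hidden.dylib"}},
        "environment.plist": {"DYLD_INSERT_LIBRARIES": "/Users/me/.hidden.dylib"},
    }
    for name, content in samples.items():
        with open(tmp / name, "wb") as fh:
            plistlib.dump(content, fh)
    findings = check_launch_agent(tmp / "com.example.clean.plist")  # expected: nothing
    findings += check_launch_agent(tmp / "com.example.bad.plist")
    findings += env_findings(tmp / "Info.plist", "LSEnvironment")
    findings += env_findings(tmp / "environment.plist")
    return findings

if __name__ == "__main__":
    print("\n".join(demo()) or "no Flashback indicators found")
```

Pointing check_launch_agent at each file in ~/Library/LaunchAgents and env_findings at the real Info.plist and environment.plist paths gives the same three checks as the AppleScript plus the persistence check, with no "defaults" binary involved.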