Java updates for Flashback avoid OS X Tiger and Leopard
Apple has fixed the vulnerability through which the Flashback malware attacks Mac systems, but only in supported versions of OS X, not Tiger and Leopard.
To help tackle the recent Flashback malware threat, Apple released a couple of updates for the Java runtime in OS X to bring it up to the latest Java release (version 1.6.0_31), which patches the vulnerability being exploited.
The updates are available for OS X 10.6 and 10.7 systems that have Java installed; you can update your system by using the Software Update utility in the Apple menu. However, so far there have been no updates to patch older versions of OS X such as Tiger and Leopard, which come with Java runtimes installed and therefore are vulnerable to Flashback.
When OS X Lion was released, Apple stopped supporting prior versions of OS X, so it's not very likely that Apple will release an update to patch Java on these systems. Therefore, if you use an older Mac you'll need to take alternative steps to protect it.
- Upgrade your Mac
If you are running an Intel-based Mac, you should be able to upgrade to at least OS X Snow Leopard, and apply the latest Java patch. You should be able to find Snow Leopard online from Apple's Online Store (as it is still required for upgrading to Lion). - Disable Java
If you can't upgrade your system, then for now the best option is to disable Java. As mentioned in prior coverage of Flashback, you can do this through the Java Preferences utility or the preferences of your Web browser.
Unfortunately, for now, if you are still using an older PowerPC-based Mac system, then to protect against Flashback you will need to disable Java, as these systems can only be upgraded to a maximum of OS X 10.5.8. While the Flashback malware is suspected to have only been built to attack Intel-based systems, that isn't known for sure.
In OS X 10.4 and earlier there is no option to disable the Java runtime in the Java Preferences utility; however, you can still do so within your Web browser. This will allow local Java applications to run, but will prevent Web-based applets from running. - Safe browsing
A final step you can take to protect your system is to pay more attention to safe browsing practices. This is a good idea even if you have fully patched your system. For example:
- Avoid spam links
Never click links in e-mail spam or similar content online, such as ads and pop-ups. - Avoid download offers
If a popup claims you must download an update (especially if it's for a common third-party software package like Adobe Reader or Flash) then avoid it and go directly to the developer's Web site (in this example, Adobe) to install any offered updates. If you see a window that looks like Apple's Software Update, then close it down and invoke Software Update manually through the Apple menu. - Avoid scare tactics
If you see a sudden warning that you need to buy or do something or else your computer will be infected or harmed, avoid the offer and investigate it further. You can always ask for help on the Apple discussion boards to get feedback from very experienced Mac users on what to do. - Disable plug-ins unless needed
Many people may have Java and other plug-ins configured on their systems to manage online content. To see what plug-ins are installed on your Mac, select Installed Plug-Ins from the Help menu in Safari. From here you can remove any you don't use from the /Library/Internet Plug-Ins/ folder.
Questions? Comments? Have a fix? Post them below or
email us!
Be sure to check us out on Twitter and the CNET Mac forums.