Flashback malware evolves to exploit unpatched Java vulnerabilities

The Flashback Trojan horse is a fairly recent malware package developed for OS X that attempts to steal personal information by injecting code into Web browsers and other applications on an OS X system. When these programs are then launched, the malicious code attempts to contact remote servers and upload screenshots and other personal information to them.

This malware was initially found in September 2011 while being distributed as a fake Flash Player installer (hence its "Flashback" name). In in the past few months it has evolved to exploiting Java vulnerabilities to  target Mac systems.

While the exploits used by recent variants of the Flashback malware have been for older, patched vulnerabilities, over the weekend another variant surfaced that appears to be taking advantage of Java vulnerability (CVE-2012-0507) that currently is unpatched in OS X.

For OS X systems with Java installed, simply visiting a malicious Web site containing the malware will result in one of two installation routes, both of which have been characteristic of prior variants of the malware. First it will ask for an administrator password, and if supplied it will install its payload into target programs within the /Applications folder. However, if no password is supplied, then the malware will still install to the user accounts where it will run in a more global manner.

While Apple does have a built-in malware scanner called XProtect, which will catch some variants of the Flashback malware, this scanner will not detect files being executed by the Java runtime, so these latest Flashback variants bypass this mode of protection.

This shortcoming of XProtect, coupled with Java for OS X currently being unpatched, might be concerning; however, in most cases Mac users should be relatively safe. Starting with OS X 10.7 Lion, Apple stopped including a Java runtime with OS X, so if you have purchased a new system with OS X 10.7.0 or later, or have formatted and reinstalled Lion, then you will, by default, not be affected by this malware.

However, if you do have Java installed on your system, then for now the only way to prevent this malware from running is to disable Java. This can be done in the Security preferences in Safari, or by unchecking the Java runtime entries in the Java Preferences utility.

Even though new Mac systems cannot be affected by this malware in their default configurations, this development does outline a problem with how threats are handled in cross-platform runtimes such as Java. When vulnerabilities like the one here are discovered, they are often distributed among malware creators via exploit kits like Blackhole, which offer tools and code that make developing malware far easier for the criminals to do.

Because of the availability of these kits, even if the runtime for one platform is patched, then any lag in development for the other platforms (as is the case with Java on OS X) will provide a larger window of opportunity for malware developers to take advantage.

It appears this is exactly what the criminals behind the Flashback malware are doing, and as a result it puts those who use Java at an increased risk.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.