Well, you’ve gotta admit, they’re persistent.
Per Macworld and F-Secure, the Flashback Mac trojan uncovered by security firm Intego last year can now infect your computer from little more than a visit to a website.
Originally, Flashback masqueraded as an installer for Adobe’s Flash Player. Since then, the malware has changed tack at least once, instead pretending to be a Mac software update or a Java updater.
The latest variant, discovered by security researchers at F-Secure and dubbed OSX/Flashback.K, takes advantage of a weakness in Java SE6. That vulnerability, identified as CVE-2012-0507, allows the malware to install itself from a malicious website the user visits, without needing the user to enter an administrator’s password.
No fix is currently available for this vulnerability on the Mac, although the hole was patched in Java for Windows back in February. Unfortunately, Apple has long been criticized for lagging behind Windows when it comes to updating Java for security patches. However, given that Apple rolls out updates every few months, it seems likely that the company will distribute a patch in the not too distant future.
Until then, F-Secure suggests users deactivate Java on their Macs. The company has also given instructions for checking if your system is currently infected by the Flashback Trojan.
It’s also worth noting that the Java vulnerability has recently been included in the popular BlackHole exploit kit used by many attackers.
While there’s no need for widespread panic, the fact that this latest version of the malware can install itself without the user’s password is enough of a reason for concern that some precautions are necessary. Disabling Java is a good step, but the first line of defense is, as always, to be cognizant of the websites you visit and use common sense.
Stay tuned for additional details as they become available.
One reply on “Flashback trojan changes tactics, can now install on your Mac without a password”
I would think if it installs without credentials it would only affect the logged-in user? Or does the Java vulnerability actually enable privilege escalation on OS X?