If you haven’t heard or read about it, there have been many reports of late about something called the “Flashback” trojan infecting over a half million Macs worldwide. Flashback is a piece of ‘malware’ that was first seen in September of 2011. It uses a Java vulnerability to install itself, and does not require user interaction to be installed.
[There are links to read all the gory details of the issue at the bottom of this email, and everything I summarize below is gleaned from those three articles.]
To cut to the chase, I will first describe what to do to make sure you’re protected from Flashback, then I will tell you how to tell if you’ve been infected.
***First, ensure that you’ve installed the latest Java update, released by Apple this week (via Software Update). The update is called “Apple Java for OS X Lion 2012-002”. If Software Update reports that you’re up-to-date, it’s installed… [If you’re running an older operating system, like Leopard (10.5.x) or Tiger (10.4.x), I’m not sure yet if you’re even at risk. I will update you as I know more.]
Next, consider turning off Java altogether in Safari. Go to Preferences in Safari, and click on the Security tab, then uncheck the Enable Java checkbox:
UPDATE: Several folks have asked how to disable Java in Firefox. Here are the instructions:
Open Firefox’s preferences, go to the General tab, and then click on the “Manage Add-ons…” button in the lower right corner. That will open another Firefox window, showing a list of plug-ins, one of which is the ‘Java Applet Plug-in’. Disable that plug-in, and you should be good to go…
«««»»»
To be even more secure (and aside from your browsers), you could disable Java system-wide. I don’t recommend this, however, unless you’re positive you don’t use any Java-based programs (CrashPlan uses Java, for example). If you want to disable it, you will need to go to your Applications folder, find the Utilities folder within it, then a program called Java Preferences. Open that, and uncheck all the boxes under the General tab, as seen below:
***Now, to see if you’re infected by Flashback. Again, go to your Applications folder, find the Utilities folder within it, then a program called Terminal. Open it, then follow these steps:
Copy the line below, paste it into the Terminal window and hit return:
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
If you get this result: “The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist” that is good, but need to check one more thing.
Copy and paste in the following line and hit return:
defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
If you see this result: “The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist” then your system is clean.
***If your machine is infected, you have one of two options:
1) Follow the instructions at this link (which are fairly technical, and again involve use of the Terminal program):
…or…
2) Call me [970-417-8434] and I’ll try and walk you through the process over the phone…
Lastly, I’ve given you several things that you can do to make sure you’re protected from this and future Java-based exploits. However, if there’s anything we can learn from this entire episode it’s that the era of not having to worry at all about malware on a Mac is drawing to a close. Sad but true. At the same time, we’re a long way from needing to install anti-virus software on all our Macs. That said, if you feel like you want to install something in the way of an A/V tool on your computer, here are a few options to look at:
Sophos Anti-Virus for Mac Home Edition (free): http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx
ClamXav (free): http://www.clamxav.com/
VirusBarrier X6 ($50): http://www.intego.com/virusbarrier
I hope none of you read too much into all of this. As I said, it certainly doesn’t represent some sort of fundamental change in the overall security of your Mac. Apple certainly needs to take a lot of responsibility for the situation, since there was a patch available for the Java exploit for almost two months before they released an updated version. This experience will undoubtably be a wake-up call for the folks at Apple in charge of security updates!
Thanks!
John
Links to the articles that I used to research this information (if you want the best synopsis, read the first one):
Thanks for the heads-up on "Flashback" and all the detailed information you provided. I followed your very clear and precise set of instructions and I'm happy to report that both of my Mac's are updated with the latest version of Java and fortunately neither of them had been infected by this Trojan. Is there anything we should be doing to protect our mobile devices, i. e. iPad and/or iPhone?
Thanks,
Don Corder
This comment has been removed by a blog administrator.
Mike…
1) There are no symptoms on an infected computer. From what I understand, the trojan attempts to add a compromised machine to a random 'botnet', so it can be stealthily used for spamming, etc.
2) Yes, the latest update closed the vulnerability in Java that Flashback takes advantage of. That said, from what I've read, Java is not commonly used in web applets anymore, and could still be compromised again in the future. So probably a good idea to leave it disabled, at least until you come across a site you use that requires it…
Don…
The good news is that Java doesn't exist on iPhones & iPads, so no need to worry there. In fact, from what I've read, Android is much more susceptible to malware than iOS.
Good luck,
JC
Any need for Flashback concern yet for OS 10.5?
Thanks for the early heads up.
Sorry Sue…
I meant to mention that folks still running Leopard (10.5.x) or older have only one real option, and that's to disable Java (not Javascript, different beast altogether) in whichever browser you use. Follow the instructions in my original post, and call or email if you have more questions…
John