Developers behind the Flashback trojan for the Mac have updated it to exploit a vulnerability in the Java software framework that has yet to be patched for machines running Mac OS X, an antivirus firm warned on Monday.
Flashback.K, as the latest variant is called, is able to hijack Macs even when users don’t enter an administrative password. Instead, it does this by exploiting a critical Java vulnerability classified as CVE-2012-0507, F-Secure researchers wrote in a blog post. Although Oracle released a fix for the security threat in February, a patch has yet to be released for OS X users. That’s because Apple distributes Java updates itself and the company has yet to make one for the specific flaw, or indicate when it plans to do so.
Flashback first surfaced in September as a trojan that masqueraded as an installer for Adobe’s Flash Player. Over the past few months, it has taken on increasingly sophisticated features, including the ability to bypass built-in OS X malware protections and attack code that exploits long-ago patched Java vulnerabilities. The version analyzed by F-Secure is the first known instance of Flashback exploiting a vulnerability for which no fix is currently available.
Although Apple stopped bundling Java by default in OS X 10.7 (Lion), it offers instructions for downloading and installing the Oracle-developed software framework when users access webpages that use it. Some security researchers have for years criticized Apple for lagging behind Microsoft and Linux distributors in releasing Java updates to its users. F-Secure has recently joined others in counseling Mac users to disable Java on machines that don’t regularly use it. The antivirus provider has also published instructions for checking whether your Mac is infected.
Attacks that exploit CVE-2012-0507 recently went mainstream when they were added to automated exploit kits such as Blackhole. Once it infects a Mac, Flashback changes the contents of some of the webpages it displays.
Original article: Mac Flashback trojan exploits unpatched Java vulnerability, no password needed