OSX/Flashback.K: How to protect yourself
A fresh version of the Flashback trojan is making the rounds and is notable for one simple reason — it can install itself without any help from the user.
Flashback.K, as the latest variant is called, is able to hijack Macs even when users don’t enter an administrative password. Instead, it does this by exploiting a critical Java vulnerability classified as CVE-2012-0507… Although Oracle released a fix for the security threat in February, a patch has yet to be released for OS X users. That’s because Apple distributes Java updates itself and the company has yet to make one for the specific flaw, or indicate when it plans to do so — Ars Technica.
If you have Java installed and it’s turned on, you are vulnerable.
Gird your digital loins
That said, I keep Java up-to-date and turned off in Safari and Firefox by default simply because it’s so infrequently needed and associated with many bad things™, such as Flashback.K and other web-based attacks.
Apple has now issued patches — Java for OS X Lion, Snow Leopard Updates address Flashback.K…
Although Apple’s current version of Java doesn’t protect against Flashback.K, installing the most recent (November) update will protect you against Java_Rhino — Java updates for Lion and Snow Leopard.
Again, however, Java in general is so insecure that it always seems there’s another unpatched exploit circulating in the wild — I keep Java updated and turned off until I need it. To turn off Java in Safari, go to:
Preferences > Security > uncheck Enable Java (image above)
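If you’d rather confirm that setting from a Terminal than by eyeballing the checkbox, here’s a small script (added here, not part of the original post) that reads it back. It assumes macOS and that Safari keeps “Enable Java” under the key WebKitJavaEnabled in the com.apple.Safari defaults domain; both are assumptions, not something the post states.

```shell
# Added example, not from the original post. Assumes macOS and that Safari stores
# the "Enable Java" checkbox as WebKitJavaEnabled in com.apple.Safari (assumption).

# Map a raw `defaults read` value to a readable state. Safari writes the key as a
# boolean, which `defaults read` prints as 1 or 0; other spellings are accepted too.
java_state_from_value() {
    case "$1" in
        1|true|TRUE|yes|YES) echo "enabled" ;;
        0|false|FALSE|no|NO) echo "disabled" ;;
        "") echo "not set (Safari's default applies)" ;;
        *) echo "unrecognised value: $1" ;;
    esac
    return 0
}

# Read the live preference and report it. On a non-Mac there is no `defaults`
# command, so say so instead of guessing.
check_safari_java() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "unavailable (no defaults command; not macOS?)"
        return 0
    fi
    value=$(defaults read com.apple.Safari WebKitJavaEnabled 2>/dev/null || true)
    java_state_from_value "$value"
}

echo "Safari Java plug-in: $(check_safari_java)"
```

Anything other than “disabled” means Java is still reachable from web pages in Safari, and the post’s advice applies.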
What’s your take?