Home » Mac, Security, Software

OSX/Flashback.K: How to protect yourself

3 April 2012 2,434 views 4 Comments

Need another reason to turn off Java? Pretty much every list of things to do that make your Mac more secure includes the admonition to turn off Java if not JavaScript in Safari and whatever browsers you’re using.

A fresh version of the Flashback trojan is making the rounds and is notable for one simple reason — it can install itself without any help from the user.

Flashback.K, as the latest variant is called, is able to hijack Macs even when users don’t enter an administrative password. Instead, it does this by exploiting a critical Java vulnerability classified as CVE-2012-0507… Although Oracle released a fix for the security threat in February, a patch has yet to be released for OS X users. That’s because Apple distributes Java updates itself and the company has yet to make one for the specific flaw, or indicate when it plans to do soArs Technica.

If you have Java installed and it’s turned on, you are vulnerable.

Gird your digital loins

That said, I keep Java up-to-date and turned off in Safari and Firefox by default simply because it’s so infrequently needed and associated with many bad things™, such as Flashback.k and other web-based attacks.

Apple has now issued patches — Java for OS X Lion, Snow Leopard Updates address Flashback.K

Although Apple’s current version of Java doesn’t protect against Flashback.k, installing the most recent (November) update will protect you against Java_RhinoJava updates for Lion and Snow Leopard.

Again, however, Java in general is so insecure that it always seems there’s another unpatched exploit circulating in the wild — I keep Java updated and turned off until I need it. To turn off Java in Safari, go to:

Preferences > Security > uncheck Enable Java (image above)

Further, JavaScript is very, very buggy and prone to security issues, as well. Nevertheless, JS is used everywhere and turning it off can cause performance and compatibility issues.

One way of having your Javascript cake and eating it, too, is Drew Thaler’s JavaScript Blacklist (Safari extension) or a “noscript” extension.

What’s your take?

Leave your response!

Add your comment below, or trackback from your own site. You can also subscribe to these comments via RSS.

Be nice. Keep it clean. Stay on topic. No spam.