NEWS FROM THE LAB - Monday, April 2, 2012

Mac Flashback Exploiting Unpatched Java Vulnerability Posted by Brod @ 12:07 GMT

Note: We have shipped a free Flashback removal tool

A new Flashback variant (Mac malware) has been spotted exploiting CVE-2012-0507 (a Java vulnerability). We've been anticipating something like this for a while now.

Oracle released an update that patched this vulnerability back in February… for Windows.

But — Apple hasn't released the update for OS X (yet).

It appears that the Flashback gang is keeping up with the latest in exploit kit development. Last week, Brian Krebs reported that the CVE-2012-0507 exploit has been incorporated into the latest version of the Blackhole exploit kit. And that's not all. Though it is unconfirmed, there are rumors of yet another available exploit for an "as-yet unpatched critical flaw in Java" on sale.

So if you haven't already disabled your Java client, please do so before this thing really becomes an outbreak. Check out our previous post for instructions on how to disable Java on your Mac.

Our previous instructions on how to check whether you are infected with Flashback are still applicable. However, for this variant, there is an additional updater component that is created in the infected user's home folder. By default it is created as "~/.jupdate".

A corresponding property list file is also created so that it will execute every time the infected user logs in. By default, the property list is created as "~/Library/LaunchAgents/com.java.update.plist".

However, these filenames may be different in the actual infected system as they are configurable by the malicious webpage delivering the exploit.
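As an added illustration (not code from the original post or from F-Secure), here is a shell check for the two indicators described above. It takes the home folder to inspect as an argument and, because the default names can be changed by the delivering webpage, it also flags any LaunchAgent whose program string points at a hidden file directly under that folder; that dotfile heuristic is an assumption, not something the post states.

```shell
#!/bin/sh
# Added example: look for Flashback.K-style persistence in one home folder.
# Usage: sh check_flashback.sh /Users/alice   (exit status 0 = nothing found)

check_flashback() {
    home="$1"
    found=0

    # 1. The default filenames named in the post.
    for p in "$home/.jupdate" "$home/Library/LaunchAgents/com.java.update.plist"; do
        if [ -e "$p" ]; then
            echo "INDICATOR: default Flashback path present: $p"
            found=1
        fi
    done

    # 2. The names are configurable, so also flag any LaunchAgent whose program
    #    string points at a hidden file directly under the home folder
    #    (assumption: the updater stays a dotfile like the default ~/.jupdate).
    for plist in "$home"/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        # Pull every <string> value from the plist and test it against the
        # pattern; this covers both the Program and ProgramArguments keys.
        if grep -o '<string>[^<]*</string>' "$plist" \
            | sed 's/<string>\(.*\)<\/string>/\1/' \
            | grep -Eq "^(~|$home)/\.[^/]+$"; then
            echo "SUSPICIOUS: $plist launches a hidden file in the home folder"
            found=1
        fi
    done

    return $found
}

# Inspect the given home folder, or the current user's when none is given.
check_flashback "${1:-$HOME}"
```

A non-zero exit status means at least one indicator was printed; a clean home folder produces no output.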

Visit our Flashback.K description for more information.

MD5: 253CAE589867450B2730EF7517452A8B

Update: Apple has published a security update for Java. See: support.apple.com/kb/HT5228 for details.