2012-04-09

WARNING: "Flashback" trojan affecting many Mac users


If you haven't heard or read about it, there have been many reports of late about something called the "Flashback" trojan infecting over a half million Macs worldwide. Flashback is a piece of 'malware' that was first seen in September of 2011. It uses a Java vulnerability to install itself, and does not require user interaction to be installed.

[There are links to read all the gory details of the issue at the bottom of this email, and everything I summarize below is gleaned from those three articles.]

To cut to the chase, I will first describe what to do to make sure you're protected from Flashback, then I will tell you how to tell if you've been infected.

***First, ensure that you've installed the latest Java update, released by Apple this week (via Software Update). The update is called "Apple Java for OS X Lion 2012-002". If Software Update reports that you're up-to-date, it's installed... [If you're running an older operating system, like Leopard (10.5.x) or Tiger (10.4.x), I'm not sure yet if you're even at risk. I will update you as I know more.]

Next, consider turning off Java altogether in Safari. Go to Preferences in Safari, and click on the Security tab, then uncheck the Enable Java checkbox:


UPDATE: Several folks have asked how to disable Java in Firefox. Here are the instructions:

Open Firefox's preferences, go to the General tab, and then click on the "Manage Add-ons..." button in the lower right corner. That will open another Firefox window, showing a list of plug-ins, one of which is the 'Java Applet Plug-in'. Disable that plug-in, and you should be good to go...

«««»»»

To be even more secure (and aside from your browsers), you could disable Java system-wide. I don't recommend this, however, unless you're positive you don't use any Java-based programs (CrashPlan uses Java, for example). If you want to disable it, you will need to go to your Applications folder, find the Utilities folder within it, then a program called Java Preferences. Open that, and uncheck all the boxes under the General tab, as seen below:


***Now, to see if you're infected by Flashback. Again, go to your Applications folder, find the Utilities folder within it, then a program called Terminal. Open it, then follow these steps:

Copy the line below, paste it into the Terminal window and hit return:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

If you get this result: "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist" that is good, but you need to check one more thing.

Copy and paste in the following line and hit return:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

If you see this result: "The domain/default pair of (/Users/joe/.MacOSX/environment, DYLD_INSERT_LIBRARIES) does not exist" then your system is clean.
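For anyone who would rather run both checks at once, here is a small shell script I am adding as an example (it is not from the articles linked below, and the function names in it are my own). It reads the same two keys with the same `defaults read` commands shown above, treats the "does not exist" message as the clean result exactly as described, and only reads; it changes nothing on the machine. Since `defaults` exists only on Mac OS X, the live check is skipped on any other system.

```sh
#!/bin/sh
# Added example (not from the original email): automates the two Flashback
# checks described above. It only reads two preference keys and changes nothing.

# Interpret one `defaults read` result.
#   $1 = exit status of `defaults read`, $2 = its combined stdout and stderr
# Prints: clean   - the key does not exist (the "good" result from the email)
#         suspect - the key exists; the value `defaults` printed should be reviewed
#         unknown - some other error (unreadable file, typo in the path, ...)
classify_defaults_result() {
    status=$1
    out=$2
    if [ "$status" -ne 0 ] && printf '%s\n' "$out" | grep -q 'does not exist'; then
        echo clean
    elif [ "$status" -eq 0 ]; then
        echo suspect
    else
        echo unknown
    fi
}

# Read one key with `defaults` and classify it.  $1 = plist path, $2 = key.
# Returns 0 only when the key is absent.
check_key() {
    status=0
    out=$(defaults read "$1" "$2" 2>&1) || status=$?
    verdict=$(classify_defaults_result "$status" "$out")
    echo "$2: $verdict"
    if [ "$verdict" != clean ]; then
        echo "  defaults output: $out"
    fi
    [ "$verdict" = clean ]
}

# Run both checks from the email. Returns 0 only if both keys are absent,
# 1 if either key is present, 2 if `defaults` is not available (not a Mac).
flashback_check() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found; this check only runs on Mac OS X"
        return 2
    fi
    found=0
    check_key /Applications/Safari.app/Contents/Info LSEnvironment || found=1
    check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES || found=1
    if [ "$found" -eq 0 ]; then
        echo "Result: both keys absent, no sign of Flashback by this test"
    else
        echo "Result: at least one key is present; follow the removal instructions"
    fi
    return "$found"
}

# On a Mac, run the check when this file is executed directly.
if command -v defaults >/dev/null 2>&1; then
    flashback_check
fi
```

Save it as a file (for example `flashback_check.sh`), then in Terminal run `sh flashback_check.sh`. A clean machine prints "clean" for both keys and exits with status 0; if either key exists, the script prints the value `defaults` returned so you can see what was set, and exits with status 1.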

***If your machine is infected, you have one of two options:
1) Follow the instructions at this link (which are fairly technical, and again involve use of the Terminal program):


...or...

2) Call me [970-417-8434] and I'll try and walk you through the process over the phone...

Lastly, I've given you several things that you can do to make sure you're protected from this and future Java-based exploits. However, if there's anything we can learn from this entire episode it's that the era of not having to worry at all about malware on a Mac is drawing to a close. Sad but true. At the same time, we're a long way from needing to install anti-virus software on all our Macs. That said, if you feel like you want to install something in the way of an A/V tool on your computer, here are a few options to look at:

ClamXav (free): http://www.clamxav.com/
VirusBarrier X6 ($50): http://www.intego.com/virusbarrier

I hope none of you read too much into all of this. As I said, it certainly doesn't represent some sort of fundamental change in the overall security of your Mac. Apple certainly needs to take a lot of responsibility for the situation, since there was a patch available for the Java exploit for almost two months before they released an updated version. This experience will undoubtedly be a wake-up call for the folks at Apple in charge of security updates!
Thanks!
John
Links to the articles that I used to research this information (if you want the best synopsis, read the first one):