September 28, 2016

Mac Flashback Malware Updated to Exploit Java Concurrency Vulnerability

(LiveHacking.Com) – Following the news that various exploit kits for Windows (including BlackHole) have been updated to integrate exploits for the Java concurrency vulnerability (CVE-2012-0507), it is now being reported that the OS X-specific malware known as Flashback has also been updated to exploit the same vulnerability. The vulnerability was fixed in Java Version 6 Update 31 and Java 7 Update 3 on Feb. 15, 2012, but only on the Windows platform. This left Mac users vulnerable.

The latest version of OS X (10.7 – Lion) doesn’t include Java by default; however, it can be downloaded and installed when needed. The last update Apple released for Java was in November 2011. In addition, a portion of Mac users have remained on OS X 10.6 Snow Leopard (which included Java by default). Apple has been quietly dropping support for 10.6, and it remains to be seen whether any eventual Java updates will include the older platform.

The exploit used by Flashback is based on a vulnerability in AtomicReferenceArray which allows the malware to disable the Java runtime sandbox mechanism. This is done by creating special serialized object data which, due to a logic error (and not a memory corruption), allows the attacker to run arbitrary code on the victim’s Mac. The exploit is very reliable.

Flashback, so named because the first variant was distributed as a fake Flash Player installer, uses Java vulnerabilities dating from 2009 through 2011. Until now, all of those vulnerabilities had already been patched. This latest variant can install itself on any Mac, even those with all the latest updates installed.

Although Oracle released the fix for the concurrency vulnerability back in February, Apple distributes its own self-compiled version of Java for Macs, built from Oracle’s source code and subsequent patches. However, its release schedule is behind that of the Oracle builds of Java for Windows. It has long been said that this delay in shipping security-related patches for Java on Mac OS could be used by malware writers to their advantage, and the new Flashback.K malware confirms exactly that.

The best advice right now is for Mac users to disable Java completely unless it is absolutely necessary. You can find instructions on how to do this here.
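For anyone auditing machines against the patch levels quoted above, the following is an added example (not from the original article) that classifies `java -version` output against Java 6 Update 31 and Java 7 Update 3. The function names and the sample output are constructed for illustration, and the script assumes the legacy `1.<major>.0_<update>` version format.

```shell
#!/bin/sh
# Added example: compare a Java version string with the fixed releases
# named in the article (Java 6 Update 31, Java 7 Update 3).

# Pull the quoted version out of `java -version` output read on stdin.
extract_java_version() {
    sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Print "patched", "vulnerable" or "unknown" for a string like 1.6.0_29.
java_patch_status() {
    ver=$1
    case $ver in
        1.6.0|1.6.0[_-]*) min=31 ;;   # fixed in Java 6 Update 31
        1.7.0|1.7.0[_-]*) min=3 ;;    # fixed in Java 7 Update 3
        *) echo unknown; return 0 ;;  # release line not covered by the article
    esac
    case $ver in
        *_*) update=${ver#*_} ;;      # text after the underscore
        *)   update=0 ;;              # no update suffix means update 0
    esac
    update=${update%%[!0-9]*}         # drop build suffixes such as -b11-402
    [ -n "$update" ] || { echo unknown; return 0; }
    # Strip leading zeros so "03" compares as 3 in every shell.
    while :; do
        case $update in
            0?*) update=${update#0} ;;
            *) break ;;
        esac
    done
    if [ "$update" -ge "$min" ]; then echo patched; else echo vulnerable; fi
}

# Constructed sample of `java -version` output (not captured from a real host).
sample='java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402)'
v=$(printf '%s\n' "$sample" | extract_java_version)
echo "$v: $(java_patch_status "$v")"
```

On a live machine, pipe `java -version 2>&1` into `extract_java_version`, since Java writes its version banner to standard error.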
