
The Flashback Malware Threat And Java

by Graham Needham (BH) on 10th April 2012

The recent Flashback trojan that targeted an unpatched (now patched for Mac OS X 10.6 and later) security hole in Java (Java Runtime Edition - JRE) has caused a lot of fuss and a lot of misinformation so I thought it wise to write this blog piece. Firstly let me point out that the malware and attack was serious so all Mac users should read this.

The Flashback malware is a trojan, not a virus, i.e. it does not spread from one computer to another automatically. However, it was and still is a serious threat to the Mac platform. It is definitely a wake-up call to all those Apple users that think they are safe simply because they are using an Apple Macintosh (which has never been true). It is still safer to use a Mac than Windows, but computing has risks, especially if you use the internet and/or you don't practice safe computing!

So here's a frequently asked questions guide to Flashback and your Mac.

Flashback/Java FAQ

Q. I use a Mac so I'm safe from nasty malware aren't I?
A. NO!
Q. What is malware?
A. Malware is a general term used for any software that is malicious i.e. software that gets on your computer to do bad things like steal your passwords/take control of it.
Q. What is a virus?
A. A computer virus is a computer program that can replicate itself and spread from one computer to another. Flashback is not a virus, it is a trojan.
Q. What is a trojan?
A. A computer Trojan horse, or Trojan, is a standalone malicious program which may give full control of the infected PC to another PC. It may also perform typical computer virus-like activities. Trojan horses may make copies of themselves, steal information, or harm their host computer systems.
Q. If Flashback is a trojan and not a virus how does it get on my computer?
A. One version of Flashback (there are over 10 different versions of this malware attack) attempted to use a security hole in Java (now patched for Mac OS X 10.6 and later if you've installed the latest Java update). This can happen simply by visiting a web site - it could even be a well known web site that you visit regularly that could be serving a malicious advert! Similar attacks have been propagated through Google Images before!
Q. I thought software needed to ask for my administrator password to install itself on a Mac?
A. This is usually the case, but this version of Flashback was clever enough to try to use Java that is potentially already installed on your computer in an attempt to bypass this restriction.
Q. How can I tell if I am infected by the Flashback trojan?
A. Download and use F-Secure's free Flashback checker/removal script.
A. Or Kaspersky Lab have set up a web site where you can check your computer's Hardware UUID against the known infection database.
A. Or download and use Norton's free Flashback checker/removal script (Intel Macs only).
A. Or download and use Kaspersky Lab's free Flashback checker/removal tool (Intel Macs only) [removed 12/04/2012].
A. Or go to the F-Secure web site and follow their instructions very carefully.
Q. If I am infected by the Flashback trojan how do I remove it?
A. If you are running Mac OS X 10.6 or 10.7 update your Java (Java 8 for OS X 10.6 / Java 2012-003 for OS X 10.7):
Java is no longer supported/updated for Mac OS X 10.6 or earlier so you are recommended to disable it and read up on securing older operating systems
  • See our separate article regarding Java for instructions on updating Java 7 and later or how to disable Java 6 and earlier.
A. If you are running Mac OS X 10.7 and you do not have Java installed use Apple's free Flashback malware removal tool (Mac OS X 10.7 without Java only).
A. Or download and use Kaspersky Lab's free Flashback checker/removal tool (Intel Macs only) [removed 12/04/2012].
A. Or download and use Norton's free Flashback checker/removal script (Intel Macs only).
A. Or go to the F-Secure web site and follow their instructions very carefully.
A. If you are running Mac OS X 10.5 on an Intel Macintosh use Apple's free Flashback malware removal tool (Intel Macs only).
Q. I thought Macs were safe?
A. No, they were never "safe". They are "safer" than Windows but you still need to practice safe computing especially if you use the internet.
Q. So what's Apple doing about this?
A. They've released a Java update (Java 8 for OS X 10.6 / Java 2012-003 for OS X 10.7) that fixes the Java security hole and detects and, if found, removes the Flashback malware. See Apple's technical support document.
Q. How can I tell which version of macOS / OS X / Mac OS X I am running?
A. Go to Apple menu (top left) > About This Mac > check the version reported for macOS / OS X / Mac OS X.
Q. How can I protect myself from the Flashback (I) trojan?
A. If you are running Mac OS X 10.6 or 10.7 update your Java:
Java is no longer supported/updated for Mac OS X 10.6 or earlier so you are recommended to disable it and read up on securing older operating systems
  • See our separate article regarding Java for instructions on updating Java 7 and later or how to disable Java 6 and earlier.
A. If you are running Mac OS X 10.5 switch Java off completely and/or switch off Java in all the web browsers that you use (see How to Disable Java on Mac OS X below for instructions).
A. If you are running Mac OS X 10.4, 10.3, 10.2 or earlier you cannot switch Java off completely so switch off Java in all the web browsers that you use (see How to Disable Java on Mac OS X below for instructions).
Q. Once I have updated Java am I safe?
A. You are safe from this particular version of the Flashback trojan. However, the trojan may get updated or you may be subject to other malware attacks so to help you practice safe computing you should:
  1. See our security articles.
  2. Follow us on Twitter for security alerts.
  3. Keep your Apple software up to date.
  4. Keep all your web browsers including Safari, Firefox and Chrome up to date.
  5. Keep your web browser plug-ins up to date (Flash is a common attack vector).
  6. If you use Adobe Acrobat (Reader) keep your Adobe software up to date (PDF files are a common attack vector).
  7. If you use Microsoft software e.g. Office keep your Microsoft software up to date (Word, Excel and/or PowerPoint files are a common attack vector).
  8. Consider using anti-virus software on your Macintosh computer (see the list below).
Q. Should I use anti-virus software?
A. The Mac is "safer" than Windows but the reality is that malware exists for Macs so you should seriously consider running anti-virus software especially as some of them are free.
Q. What else do you recommend?
A. If you do not use Java for everyday use you might as well switch off Java in the operating system completely. Also, switch off Java in all the web browsers that you use (see below). Consider using anti-virus software on your Macintosh computer.

Anti-Virus Software For Macintosh Computers

NOTE: A lot of anti-virus software is free for "home" or "non-commercial" use, otherwise there is an upfront license cost to pay plus possibly a monthly/yearly subscription - please check your licensing requirements and the possible ongoing costs before making any purchases.

More information on Java for Mac OS X

How to Disable Java on Mac OS X

Java Security for Mac Users > How To Disable/Secure Java

Java RE v6 and earlier are end of life and are no longer supported/updated. If you are running Mac OS X 10.6 or earlier you are recommended to disable Java and read up on securing older operating systems.
Q. How can I tell which version of macOS / OS X / Mac OS X I am running?
A. Go to Apple menu (top left) > About This Mac > check the version reported for macOS / OS X / Mac OS X.
Securing/Disabling Java RE in OS X 10.7 or later
  1. Go to Apple menu > System Preferences > Java > (the Java Control Panel will open separately) > Security tab
    • If the Java preference pane does not exist you do not have Java RE v7 or later installed. Go to the disabling Java RE v6 instructions below.
    • If you have a Java preference pane and the Java Control Panel opens separately go to the "Security" tab in the control panel. If there is no Security tab you have an old version of Java RE v7 installed - update Java RE v7 first, then come back to these instructions.
  2. Set the 'Security Level' slider to "Very High".
  3. If you don't use Java untick "Enable Java content in the Browser".
  4. If you do use Java click "Advanced Security Settings" and configure as required for your Java usage.
  5. Now go to the 'Update' tab and tick "Check for Updates Automatically".
  6. Now go to the 'General' tab, click "Settings…" under 'Temporary Internet Files' and untick "Keep temporary files on my computer" and click "Delete Files…". Click "OK".
  7. You are now also recommended to switch off Java in your web browsers.
Disabling Java RE v6 in OS X 10.7 or later
  1. Go to Macintosh HD > Applications > Utilities > Java Preferences > General tab.
  2. NOTE: If you get a message stating 'To open "Java Preferences," you need a Java SE 6 runtime. Would you like to install one now?' click "Not Now" (you do not have Java RE v6 installed - go to disabling the Java plug-in in your web browsers).
  3. Make sure no Java versions are ticked under "On".
  4. Then go to the 'Network' tab and untick "Keep temporary files for fast access" and click "Delete Files…". Click "OK".
  5. You are now also recommended to switch off Java in your web browsers.
NOTE: If you need Java and have installed Java Update 2012-006 or later from Apple you will have no Java Preferences in Applications > Utilities or a Java plug-in so you are recommended to install Java RE v7 to give you the most up to date Java RE, a Java plug-in and a Java Preferences pane in System Preferences.
Disabling Java RE v5/v6 in Mac OS X 10.5 or 10.6
NOTE: Java will not work at all including locally installed applications that may require it.
  1. Go to Macintosh HD > Applications > Utilities > Java Preferences > General tab.
  2. Make sure no Java versions are ticked under "On".
  3. Then go to the 'Network' tab and untick "Keep temporary files for fast access" and click "Delete Files…". Click "OK".
  4. You are now also recommended to switch off Java in your web browsers.
Disabling Java RE in Mac OS X 10.4 or earlier
You cannot switch off Java in Mac OS X 10.4 or earlier and there is no Java Preferences, so make sure you delete any Java plug-ins and also switch off Java in your web browsers.

Disabling the Java plug-in In Your Web Browsers

NOTE: Java applets will not work in your web browser but locally installed Java applications may still work (see disabling the Java RE for your OS).
NOTE: You need to disable the Java plug-in for each and every web browser that you use/have installed.
  • Apple Safari - open Safari > go to Safari menu > Preferences… > Security tab > click "Plug-in Settings…" > untick "Java" in the list on the left
  • Apple Safari 5.1.9 (for Mac OS X 10.6) / 6.0.4 (for OS X 10.7/10.8) or later - open Safari > go to Safari menu > Preferences… > Security tab > untick "Allow Java" or you can tick it to enable it and you now have control of the Java plug-in for individual websites by clicking the "Manage Website Settings…" button
  • Google Chrome - Java is not supported (because NPAPI plug-ins are not supported)
  • Chromium - Java is not supported (because NPAPI plug-ins are not supported)
  • Mozilla Firefox - Java is not supported (because NPAPI plug-ins are not supported)
  • iCab - open iCab > go to iCab menu > Preferences… > Java icon > untick "Execute Java applets"
  • Omniweb - open Omniweb > go to Omniweb menu > Preferences… > Security icon > untick "Enable Java"
  • Opera - Java 7 or later is not supported - plug-ins cannot be disabled
  • Seamonkey - open Seamonkey > go to Seamonkey menu > Preferences… > select "Scripts & Plugins" on the left under the 'Advanced' heading > untick "Enable Plugins for Suite"
  • Maxthon - TO BE CONFIRMED
  • Yandex - Java is not supported (because NPAPI plug-ins are not supported)
  • Brave - Java is not supported (because NPAPI plug-ins are not supported)
  • Vivaldi - Java is not supported (because NPAPI plug-ins are not supported)
  • tenFOUR Fox - Java is not supported (because plug-ins are not supported)
REMOVING THE JAVA PLUG-IN FROM YOUR OS
NOTE: Java applets will not work in your web browser and they never will until you reinstall Java. Only follow these instructions if you will never use Java on the internet. If you are unsure simply switch off Java in all your web browsers.
  1. Go to Macintosh HD > Library > Internet Plug-Ins folder and remove/delete any of the following items if they are present:
    • JavaAppletPlugin.plugin (alias/shortcut)
    • JavaAppletPlugin.plugin
    • JavaPluginCocoa.bundle
  2. Go to Macintosh HD > Users > your home directory > Library > Internet Plug-Ins folder too and remove/delete any of the above items if they are present.
NOTE: If there are multiple users on your computer you should remove the plug-in from each user account's Library.
NOTE: If you have OS X 10.7 or later your user Library folder is hidden. It can be accessed by going to the Go menu > Library while holding down the alt (option) key.
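The manual check above, as an added example that is not part of the original post: a read-only shell function that looks for the plug-in items named in the steps, in the system Library and in every user account's Library, and deletes nothing. The function names and the `root` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report Java browser plug-in items, delete nothing.
# The root argument is an assumption so the check can also be pointed
# at a mounted volume or a test tree; it defaults to "/".

# find_java_plugins [ROOT] -> prints one path per plug-in item found
find_java_plugins() {
    root="${1:-/}"
    root="${root%/}"    # "/" becomes "", so the paths below stay clean
    # System-wide folder first, then every user account's folder
    for dir in "$root/Library/Internet Plug-Ins" \
               "$root"/Users/*/"Library/Internet Plug-Ins"; do
        [ -d "$dir" ] || continue
        for name in JavaAppletPlugin.plugin JavaPluginCocoa.bundle; do
            item="$dir/$name"
            # -L also reports a symbolic link whose target is gone
            if [ -e "$item" ] || [ -L "$item" ]; then
                printf '%s\n' "$item"
            fi
        done
    done
}

# count_java_plugins [ROOT] -> number of items found (0 means clean)
count_java_plugins() {
    find_java_plugins "$1" | wc -l | tr -d ' '
}
```

Paste the functions into Terminal and run `find_java_plugins /` from an administrator account; other users' hidden Library folders may need `sudo` to be readable.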
How to keep Java up to date on Mac OS X (if it is installed)

Java is no longer supported/updated for Mac OS X 10.6 or earlier so you are recommended to disable it and read up on securing older operating systems
  • See our separate article regarding Java for instructions on updating Java 7 and later or how to disable Java 6 and earlier.


Blog Post Author = Graham Needham (BH)
Blog Post Created On = 10th April 2012
Blog Post Last Revised = 31st August 2017 17:31
Blog Post URL = http://www.macstrategy.com/blog_post.php?11

This blog post is representative of the blog author's individual opinions and as such any opinions that may be expressed here may not necessarily reflect the views of everyone at MacStrategy or the holding company Burning Helix Limited.

