14 April 2012

Check and protect your Mac or Linux computer from the "Flashback" Java trojan

Prior to OS X Lion, a Java runtime came installed with OS X.  This allowed programs written in that language to run; most often it enabled some web-related functionality in the browser.  Unfortunately Java seems to have recently stolen Adobe Flash's crown as the most-exploited browser plug-in.  Successive security whoopses have driven Apple to remove both Flash and Java from its as-delivered builds of OS X (and of course neither was ever allowed on iOS).

That's great for folks buying new Macs and declining to install Flash and Java when a website or software package asks for them.  But many (even most?) users do have these installed.  And a couple of months ago a serious Java vulnerability became the delivery vehicle for a trojan that was already in circulation.  Dubbed Flashback for its original packaging as a fake update to Adobe Flash (and how ironic is that?), it started life by infecting users' machines when they agreed to the seemingly-benign update; the newer variants need no click at all, and land on the machine as soon as a vulnerable browser loads a booby-trapped page.

Although Oracle, Java's owner, delivered a patch with reasonable speed, it took Apple seven weeks--and a disturbing outbreak of machines tainted from having visited infested websites, resulting in the largest botnet of Macs yet seen--to issue an update.  The episode is a black eye for them.  It's an inauspicious performance by the internationally-regarded security guru they hired in early 2011 as Global Director of Security.  And it's a sorry performance by the security-products industry as well: the trojan flew under its radar the whole time, and then security firm Kaspersky Lab's removal tool turned out to have some unfortunate side-effects and was quickly withdrawn.  What a mess!

An official Apple remedy is available now, however, and given the severity of this outbreak it's essential that you update your Mac to eliminate the possibility of infection.  Do this even if you ran the terminal commands published by F-Secure and they came back clean, as there are reports of folks who'd been given the all-clear but later learned there was indeed an infection on their machines.

  1. First, check to see if your machine even has Java installed.  Open Safari, select Preferences from its menu, click the Security button, and see if you have an "Enable Java" check-mark available.  If the check-mark isn't there, you don't have Java installed, and you win a beer.  If it is, seriously consider un-checking it, as Java is rarely required in this day of HTML5.  Note that despite its similar name, JavaScript is something else and is unrelated to this vulnerability.
  2. Next, close your browser and run Software Update.  Your Mac will churn for a moment or five, then ask for your administrator password, and the update (and any others) will install.  If the trojan is installed, it will be removed, and your Java installation will be updated with a less-vulnerable version.  (Still... uncheck that check-mark.  Seriously.)
  3. If, in Step 1, you found you did not have Java installed, Apple has, out of an abundance of caution, still made a separate checking/removal tool available.  Go to http://support.apple.com/kb/HT5246 and download and run it.  You only need this tool if you do not have Java installed; otherwise the Java update in Step 2 covers you.
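If you would rather look under the hood than trust a check-mark, here is an added example (not Apple's tool and not F-Secure's script) that inspects the two persistence spots F-Secure's published `defaults read` checks look at: a DYLD_INSERT_LIBRARIES entry in the LSEnvironment dictionary of a browser's Info.plist, or in the per-user ~/.MacOSX/environment.plist.  The Java directory it looks in is an assumption about a typical Lion / Snow Leopard install, and the embedded plist samples and the dylib path in them are constructed so the checker can be exercised on a clean machine.

```python
"""Check an OS X machine for Flashback's two known persistence spots and for
a Java runtime.  This is an added example for this post, not Apple's removal
tool and not F-Secure's script.

Flashback persisted by planting a DYLD_INSERT_LIBRARIES entry either in the
LSEnvironment dictionary of a browser's Info.plist or in the per-user
~/.MacOSX/environment.plist; those are the two places F-Secure's published
`defaults read` checks look.  The Java directory below is an assumption
about a typical Lion / Snow Leopard install.
"""
import os
import plistlib

# Browser bundles whose Info.plist Flashback was known to edit.
BROWSER_PLISTS = [
    "/Applications/Safari.app/Contents/Info.plist",
    "/Applications/Firefox.app/Contents/Info.plist",
]
USER_ENV_PLIST = os.path.expanduser("~/.MacOSX/environment.plist")
JAVA_VM_DIR = "/System/Library/Java/JavaVirtualMachines"   # assumed path
KEY = "DYLD_INSERT_LIBRARIES"

# Constructed samples so the checker can be exercised on a clean machine.
# The dylib path is made up; a real hit names whatever the trojan dropped.
SAMPLE_INFECTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>Safari</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key><string>/Users/Shared/.example.dylib</string>
  </dict>
</dict></plist>
"""
SAMPLE_CLEAN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>Safari</string>
</dict></plist>
"""
SAMPLE_USER_ENV = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>DYLD_INSERT_LIBRARIES</key><string>/Users/Shared/.example.dylib</string>
</dict></plist>
"""


def inserted_library(data, environment_key="LSEnvironment"):
    """Return the DYLD_INSERT_LIBRARIES value in plist bytes `data`, or None.

    For a browser Info.plist the key sits under LSEnvironment; for
    ~/.MacOSX/environment.plist it is top-level, so pass environment_key=None.
    Unparseable input (binary garbage, not a plist) counts as nothing found.
    """
    try:
        plist = plistlib.loads(data)          # handles XML and binary plists
    except Exception:                         # expat / plistlib parse errors
        return None
    if not isinstance(plist, dict):
        return None
    env = plist if environment_key is None else plist.get(environment_key)
    if not isinstance(env, dict):
        return None
    value = env.get(KEY)
    return value if isinstance(value, str) and value else None


def inserted_library_in_file(path, environment_key="LSEnvironment"):
    """Same check against a file on disk; a missing file is simply clean."""
    try:
        with open(path, "rb") as fh:
            return inserted_library(fh.read(), environment_key)
    except OSError:
        return None


def scan(browser_plists=BROWSER_PLISTS, user_env=USER_ENV_PLIST):
    """Return a list of (path, library) findings; an empty list means clean."""
    findings = []
    for path in browser_plists:
        lib = inserted_library_in_file(path, "LSEnvironment")
        if lib:
            findings.append((path, lib))
    lib = inserted_library_in_file(user_env, None)
    if lib:
        findings.append((user_env, lib))
    return findings


def java_installed(vm_dir=JAVA_VM_DIR):
    """True if at least one .jdk bundle sits in Apple's JVM directory."""
    try:
        return any(name.endswith(".jdk") for name in os.listdir(vm_dir))
    except OSError:
        return False


if __name__ == "__main__":
    print("Java runtime present:", java_installed())
    hits = scan()
    if not hits:
        print("No DYLD_INSERT_LIBRARIES persistence found.")
    for path, lib in hits:
        print("SUSPICIOUS: %s loads %s into the browser" % (path, lib))
```

A finding means something is being injected into every browser launch, which no legitimate install does; a clean result is not proof of a clean machine, which is why the Apple update still belongs on the to-do list.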

Non-Mac victims a concern

Ominously, Ars Technica reports that while the Mac was the most prominent victim of this malware, a couple percent of the victims logged by Kaspersky Labs were Linux, FreeBSD and Windows machines.  This isn't surprising, since Java's original allure was for write-once/run-everywhere universality, and in fact there's nothing platform-specific about Oracle's patch description.  

The small number of Windows infections is very probably a testament to the automatic update mechanism Oracle's Java installer sets up on Windows.  An attaboy to them, then.  

More worrisome is the approximately one percent of victims logged from the free/open-source OSes.  It's not at all clear what to do or where to turn for checking and disinfecting those machines.  Towards the bottom of the Oracle patch-page previously referenced is a sizable risk matrix; as poster "UnSpawn" on the LinuxQuestions.org site helpfully notes:

The Oracle page also contains a list of CVE identifiers. So if you have a CVELIST=$(links -dump "$URI" | awk '/\| CVE-20/ {print $2}' | xargs) then depending on your distribution you could check if those require fixing and if they are yourself. Per-CVE details are at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-yyyy-nnnn (or www.cvedetails.com/cve/CVE-yyyy-nnnn/); for Red Hat / CentOS / Scientific Linux see https://access.redhat.com/security/cve/CVE-yyyy-nnnn (or 'yum --cve CVE-yyyy-nnnn'), for SuSE see support.novell.com/security/cve/CVE-yyyy-nnnn.html, for Ubuntu see people.canonical.com/~ubuntu-security/cve/CVE-yyyy-nnnn, for Debian and .*BSD see http://cvechecker.sourceforge.net, and for others, well, you either know how to find your distribution's SO bulletins or CVE listings yourself already or your distro maintainer(s) simply may not care.
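The "check if those require fixing and if they are" step is the part that is easy to get wrong by eye, so here is an added example (mine, not UnSpawn's or Oracle's) that generalises the quoted one-liner: it pulls the CVE identifiers out of an advisory dump with a regular expression and compares them against the CVE references a Debian/Ubuntu package changelog carries (the kind of text `apt-get changelog <package>` prints).  Both text samples are constructed stand-ins; CVE-2012-0507 is the Java flaw the Flashback variants exploited, and CVE-2012-0000 is a placeholder identifier that was never assigned.

```python
"""Cross-check a vendor advisory's CVE list against a package changelog.
Added example, not code from the post or from Oracle.  Instead of the
`links -dump | awk` pipeline in the quoted forum post, CVE ids are pulled
from the text with a regex, then compared with the CVE references a
Debian/Ubuntu package changelog carries.  Both samples are constructed.
"""
import re

# CVE ids have a 4-digit year and 4 or more sequence digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed stand-in for `links -dump` of an Oracle risk matrix.  The header
# row says "CVE#", which the regex deliberately does not match.
ADVISORY_TEXT = """\
| CVE#          | Component                | Protocol | Sub-component | Remote |
| CVE-2012-0507 | Java Runtime Environment | Multiple | Concurrency   | Yes    |
| CVE-2012-0000 | Java Runtime Environment | Multiple | Deployment    | Yes    |
"""

# Constructed stand-in for `apt-get changelog openjdk-6-jre` output.
CHANGELOG_TEXT = """\
openjdk-6 (6b24-1.11.1-1) unstable; urgency=high

  * Security update, fixes CVE-2012-0507 (AtomicReferenceArray type
    confusion) among others.
"""


def cve_ids(text):
    """Return the distinct CVE ids in `text`, in first-seen order."""
    seen = []
    for cve in CVE_RE.findall(text):
        if cve not in seen:
            seen.append(cve)
    return seen


def unfixed(advisory_text, changelog_text):
    """CVE ids the advisory names that the changelog never mentions.

    A hit here means the installed package version does not claim to fix
    that CVE; it does not by itself prove the package is vulnerable (the
    distribution may have judged it unaffected), so it is a to-investigate
    list, not a verdict.
    """
    fixed = set(cve_ids(changelog_text))
    return [cve for cve in cve_ids(advisory_text) if cve not in fixed]


if __name__ == "__main__":
    print("advisory names :", cve_ids(ADVISORY_TEXT))
    print("changelog fixes:", cve_ids(CHANGELOG_TEXT))
    for cve in unfixed(ADVISORY_TEXT, CHANGELOG_TEXT):
        print("not yet covered:", cve)
```

On a real system, feed `ADVISORY_TEXT` from `links -dump` of the Oracle page and `CHANGELOG_TEXT` from the changelog of whatever Java package your distribution ships; the per-distribution CVE pages UnSpawn lists are where to resolve anything that comes back as not covered.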

At a minimum, update Java if you have it installed, and constrain its activities as much as possible by taking a close look at your browser preferences, up to and including disallowing automatic execution of any plug-in content or scripts at all.  I'd imagine that antivirus utilities like ClamAV will now be watching for Flashback on the open-source platforms, too.

It's all a lesson to keep your machine updated whatever its OS, watch where you browse, and think carefully before installing software--even an update--unless you're certain of its source.

Another thing to consider is disabling the system-level Flash and Java plug-ins on your machine but keeping a copy of Google's Chrome browser handy.  Chrome bundles its own copy of Flash, updated along with the browser, so you can fall back to it on the occasions when you need Flash; note that Chrome does not bundle Java, so a Java applet in Chrome still depends on whatever Java plug-in is installed on the system.  This is what I do now-- I rely on Safari for 90% of my web work out of preference for its support of OS X Lion's gestures and its invaluable Reader Mode (with its nifty one-click send-article button, which emails articles all nicely formatted with source links and subject lines all filled-in).  Come across a site that requires Flash or Java?  Just copy the URL over to Chrome.  Best of all worlds.

UPDATE: Another Java-based trojan has been detected.  Called Backdoor.OSX.SabPub.a or OSX/Sabpab-A, it is stymied by the latest Java patches (and of course by removal or disabling of Java).  One may surmise that Java vulnerabilities are all the rage among malware writers right now.  Another reason to take this seriously, then.