
Apple Patches Java Flaw Exploited by Flashback Trojan

By Fahmida Y. Rashid, Former Senior Analyst, Business


Image: the password prompt displayed by the Flashback Trojan.

Mac users with Java installed should act quickly to install the latest version of Java from Apple. The flaw it fixes is already being exploited by the Flashback Trojan in drive-by download attacks.

Apple updated Java to version 6 update 31 (1.6.0_31) for OS X 10.6 (Snow Leopard) and 10.7 (Lion) on Apr. 3. The update addressed 12 vulnerabilities in Java, the most serious of which could be exploited by malicious Websites to run arbitrary code with the privileges of the current user, Apple said in its security notice. Oracle had fixed the same flaws in Java for Windows, Linux, and Unix back in February, leaving Mac users exposed for roughly seven weeks.

The new Mac malware, a variant of the Flashback Trojan that F-Secure tracks as Flashback.K, did not require user interaction to infect computers. Malicious Websites exploited a specific Java vulnerability (CVE-2012-0507) that allowed the malware to download itself onto Macs without the user's awareness in a drive-by download attack. Once installed, the malware displayed a dialog window asking the user for the administrator password, according to an analysis by researchers at F-Secure. Even if users didn't enter the password, it was too late: the malware was already resident on the computer, and the password only determined how deeply it could embed itself.

The Flashback.K is "one of the first cases of drive-by exploitation we have seen for OS X," Chester Wisniewski, a senior security advisor at Sophos, wrote on the Naked Security blog.

Russian security firm Dr. Web claimed over 550,000 Macs have been infected with this version of Flashback. Mikko Hypponen, chief scientist of F-Secure, said on Twitter that F-Secure was unable to confirm or deny the number at this time.

Once on the computer, Flashback.K injects itself into the Safari Web browser and modifies the contents of certain Web pages to trick users. There are reports that an exploit for the Java vulnerability has recently been added to the Blackhole exploit kit, which means it has become even easier for criminals to launch malicious Websites that take advantage of the flaw.

"It appears that the Flashback gang is keeping up with the latest in exploit kit development," F-Secure said.

Even though Lion does not ship with Java by default on new installations, many Mac users installed it manually, often because a Website required the platform. When they visited those sites, they were prompted to download and install Java, and may since have forgotten that it is on their Macs. Those users are still exposed until they apply Apple's update.
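Because the exposure described above depends on whether Java is present and which build it is, a quick check is worth having. The script below is an added example, not code from the article, Apple, or F-Secure: it parses the first line of `java -version` output, pulls out the Java 6 update number, and flags anything below the 1.6.0_31 build Apple shipped. The version strings it is exercised with are constructed samples; on a real Mac, `report_installed_java` runs the check against the installed binary.

```shell
#!/bin/sh
# Added example: is the installed Java 6 older than Apple's 1.6.0_31 fix?
# The version strings used for testing are constructed samples, not captured
# from a real infected machine.

FIXED_UPDATE=31   # Java 6 update level that shipped in Apple's Apr. 3 update

# Print the update number from a `java -version` first line such as
#   java version "1.6.0_29"
# Prints nothing if the line does not describe a 1.6.0_NN build (e.g. Java 7).
java6_update() {
    printf '%s\n' "$1" | sed -n 's/.*"1\.6\.0_\([0-9][0-9]*\)".*/\1/p'
}

# Succeed (exit 0) when the line describes a Java 6 build below update 31,
# i.e. one that still carries CVE-2012-0507.
java6_vulnerable() {
    u=$(java6_update "$1")
    [ -n "$u" ] && [ "$u" -lt "$FIXED_UPDATE" ]
}

# Check the Java actually on this machine. Returns 1 if no java binary is
# found, 2 if it is a pre-fix Java 6, 0 otherwise. Note that on OS X the
# /usr/bin/java stub may exist even when no runtime is installed, in which
# case `java -version` offers to install one instead of printing a version.
report_installed_java() {
    if ! command -v java >/dev/null 2>&1; then
        echo "no java binary on PATH"
        return 1
    fi
    line=$(java -version 2>&1 | head -n 1)
    if java6_vulnerable "$line"; then
        echo "VULNERABLE: $line is below 1.6.0_31; install Apple's Java update"
        return 2
    fi
    echo "not a pre-fix Java 6 build: $line"
    return 0
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    report_installed_java
fi
```

Run it as `sh check_java.sh --check` on the Mac in question. The update-number test is deliberately limited to the 1.6.0 line because that is the only Java Apple shipped for OS X at the time; a Java 7 string yields no match and is reported as not affected by this particular fix, which is the conservative reading rather than a statement that Java 7 is safe.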

Apple has long maintained that its platform was safe from malware. In the past year, however, malware developers have started building attacks specifically for OS X. Just last week, AlienVault warned of malicious Microsoft Office for Mac files that appeared to be targeting non-governmental organizations in Tibet.

About the author

Fahmida Y. Rashid, Former Senior Analyst, Business. Fahmida Y. Rashid focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.