Apple Issues ‘Cool’ Fix For Flashback

Despite getting slammed by some corners of the security industry over Flashback, Apple gets praise for its “innovative” Java update

Apple has released yet another update to counter the Flashback Trojan, but has done something rather innovative this time around.

Rather than patching a vulnerability, Apple has released a new version of Java for Mac OS X 10.7 and 10.6 that removes known variants of Flashback and, on top of that, switches off the Java web plug-in's automatic execution of applets, switching it off again whenever no applet has been run for the last 35 days. Users who want applets back will have to open the Java Preferences application and re-enable them by hand.

“This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application,” Apple said in its advisory. “If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.”
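The policy described above is simple enough to state in code. The following is an added illustration written for this article, not Apple's code: the plug-in starts out disabled after the update, needs an explicit user action to come back on, and turns itself off again once the gap since the last applet run exceeds the 35-day figure reported for the update (the threshold and the timestamps below are constructed assumptions, not values read from the real plug-in).

```python
from datetime import datetime, timedelta

# 35 days is the inactivity window reported for Apple's update; the exact
# value inside the real plug-in is not documented here, so treat it as an assumption.
INACTIVITY_LIMIT = timedelta(days=35)


class AppletGuard:
    """Tracks whether a browser plug-in is allowed to auto-run applets.

    Mirrors the behaviour the advisory describes: disabled by default after
    the update, re-enabled only by explicit user action, and re-disabled when
    no applet has run for longer than INACTIVITY_LIMIT.
    """

    def __init__(self) -> None:
        self.enabled = False      # update ships with auto-execution off
        self.last_run = None      # timestamp of the last applet that ran

    def enable(self, now: datetime) -> None:
        """User turned applets back on in Java Preferences."""
        self.enabled = True
        self.last_run = now       # the clock starts from the moment of re-enabling

    def may_run(self, now: datetime) -> bool:
        """Called when a page tries to start an applet; returns True if it may run."""
        if not self.enabled:
            return False
        if self.last_run is not None and now - self.last_run > INACTIVITY_LIMIT:
            # Too long since the last applet: drop back to the safe default.
            self.enabled = False
            return False
        self.last_run = now       # applet ran; this is the new reference point
        return True


def walkthrough() -> list:
    """Constructed timeline showing each decision the guard makes."""
    t0 = datetime(2012, 4, 13)  # constructed date, chosen only for the example
    guard = AppletGuard()
    results = []
    results.append(guard.may_run(t0))                        # fresh update: blocked
    guard.enable(t0)                                         # user re-enables
    results.append(guard.may_run(t0 + timedelta(days=10)))   # in use: allowed
    results.append(guard.may_run(t0 + timedelta(days=20)))   # still in use: allowed
    results.append(guard.may_run(t0 + timedelta(days=56)))   # 36 idle days: re-disabled
    results.append(guard.may_run(t0 + timedelta(days=57)))   # stays off until re-enabled
    guard.enable(t0 + timedelta(days=57))
    results.append(guard.may_run(t0 + timedelta(days=58)))   # re-enabled: allowed again
    return results


if __name__ == "__main__":
    for step, allowed in enumerate(walkthrough(), 1):
        print(f"step {step}: {'allowed' if allowed else 'blocked'}")
```

The point worth noticing is that the idle clock is measured from the last applet that actually ran, not from the time of re-enabling, so a user who switches Java on and never visits an applet page is returned to the safe default without doing anything further.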

‘Exciting’ Apples

Apple has been criticised for its response to the Flashback malware, with Trend Micro’s Rik Ferguson saying it was “misguided to believe that the simple act of not talking about publicly disclosed, and worse actively exploited, vulnerabilities will protect your customer.” Yet Qualys CTO Wolfgang Kandek has praised Apple’s latest move.

“This is exciting and to my knowledge nobody has done something like this before. It makes total sense to me. We have been telling users to disable or uninstall Java if they do not need it, but we know very well that only very security conscious users will do so,” Kandek said in a blog post.

“Giving the task of monitoring Java use to the computer itself is a great idea and an excellent experiment in computer security. It will be interesting to see how user acceptance of such a measure will work out.”

Some still have reservations over Apple’s move. F-Secure’s chief research officer Mikko Hypponen tweeted: “Apple’s Flashback fix is 66MB. Ours is 39kB. Just sayin’.”

Flashback bot numbers have been plummeting over the past few days. Symantec reported yesterday that the number of bots had fallen to 270,000 as of 11 April, down from a peak of around 650,000. Now that Apple has taken this fresh step and security companies have set up sinkhole operations to starve the botnet of its command-and-control traffic, Flashback should be killed off soon.

Apple is working with ISPs to dismantle the botnet, but the company’s first steps created something of a snafu. The iPhone maker asked for one of security company Dr Web’s domains to be taken down, not realising that Dr Web was using that domain as part of its own sinkhole operation.