Update 4/13/12: Run Software Update Again. See Mac Q & A: Yet Another Java Update
Yes, run Software Update. That will download and install the Java update, Java for Mac OS X 10.6 Update 7. Go to the Apple menu and select Software Update. Let it run and download all updates. Some may take time to download, depending on your connection speed. And you may need to restart, too. See Mac OS X: Updating your software.
Software Update will take care of the security vulnerability, and if you have been hit, take care of the malware, too. The big problem with Flashback is that it runs on Java, and you don’t need to do anything to get hit except visit a website that is delivering the malware. The malware can steal personal information and also use your own Mac as a platform to send the malware to other users.
According to security experts, the “Flashback” botnet is growing at a rapid rate as a result of that ease of infection. The majority of the ~600,000 Macs hit by Flashback are in the U.S. and Canada. A security researcher even determined that some of the infected Macs are located in Cupertino, the U.S. city where Apple has its headquarters. So perhaps even Macs at Apple, Inc. have been hit.
The reason for the Java and malware problem is that Apple has bundled its own release of Java in OS X for years. But Apple's release has always lagged 6 months or more behind the release from Oracle (the owner and main developer of Java), and the security problems are the result.
Update 4/12/12: Apple has a new document regarding Flashback and is “…developing software that will detect and remove the Flashback malware.” See About Flashback malware.
Java is installed by default on 10.6 Snow Leopard, but Apple stopped bundling Java by default in OS X 10.7 Lion. But Software Update will grab the security fix you need if you have Java installed on your Mac. Read the Apple Security Bulletin here: About the security content of Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7.
The best practice for all Mac users is to have Software Update run automatically; go to the Apple menu and select “System Preferences…” and then go to the Software Update icon in the “System” row. Select “Check for Updates” at least weekly. Daily is even better.
Even with 10.7 Lion (which doesn’t have Java installed by default), you may have been prompted to download and install Java if you have visited some websites. Java is a legitimate language in wide usage around the Internet for animations in Web browsers, and many websites use Java to display information and graphics. For example, the National Weather Service uses Java to present weather radar imagery.
Java-based applets must get your permission to run on your Mac. And if you’ve been prompted to install Java, you’ve seen those warnings. If you see a popup that wants access to your Mac to run an applet and you deny permission to that applet, you’re safe. But you won’t be able to use that functionality on that website.
For the most security, and if you know you have installed Java on your Mac, you can turn it off in whichever web browser you use: Safari (the Mac default browser), Chrome (Google’s browser that many people use) or Mozilla Firefox. See Apple’s document on How to disable the Java web plug-in in Safari. For Safari, it’s easy: go to Preferences >> Security Tab >> and uncheck “Enable Java”.
For Firefox users: click Tools >> Add-ons and disable the Java plugin(s). And for Chrome, in the address bar, type “about:plugins” or “chrome://plugins/”, scroll down to Java and select “disable”.
If you’re a bit of a geek and can use Terminal, you can check and see if your Mac has been hit with Flashback and is part of the botnet. See Are you having a (Mac) Flashback? – F-Secure Weblog.
As Brian Krebs, the security consultant, says: “If you don’t need Java, remove it from your system, whether you are a Mac or Windows user.” Check out all of his Java security bulletins at Java – Krebs on Security. He has a good point. I’ve written about the dangers of Java in the past; see Tips To Avoid Java Malware @ Mark Ratledge .com