Yes, you do. You will need to run Software Update again. This latest update will actually disable the Flashback malware and protect your Mac from it, too. And this latest update also introduces some new Java settings for 10.7 to take more of a proactive stance against Java malware (more below).
For 10.6 Snow Leopard, running Software Update will update Java to V.8. For 10.7 Lion, it will update Java only if you have Java installed. If you run Software Update and see no Java Updates, then you’re OK. (10.7 Lion ships without Java, and so if you have installed Java for other programs, like Adobe’s Creative Suite, Photoshop, etc., you will see the update in Software Update.)
There’s an interesting aspect to the 10.7 update: it will deactivate the Java browser plugin if Java has been installed. One of the reasons Flashback infected so many Macs so fast is that Apple’s Java browser plugin automatically ran the Flashback applet without telling the user. Deactivating the plugin is a proactive stance for Apple, one that I think has been needed for some time.
From Apple’s document “About the security content of Java for OS X 2012-003 and Java for Mac OS X 10.6 Update 8”:
For 10.7 Lion:
As a security hardening measure, the Java browser plugin and Java Web Start are deactivated if they are unused for 35 days. Installing this update will automatically deactivate the Java browser plugin and Java Web Start. Users may re-enable Java if they encounter Java applets on a web page or Java Web Start applications.
For 10.6 Snow Leopard and 10.7 Lion:
This update runs a malware removal tool that will remove the most common variants of the Flashback malware. If the Flashback malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found.
Apple has been finding out the hard way that they have historically dropped the ball on security. Last year, it took Apple a week to release a security update for the malware attack involving fake antivirus software called MACDefender. This time, the response was much faster, and I expect to see Apple start to think about how they can be more of a leader in security, rather than a follower.
But still, Apple needs more transparency. CNN Money writes in “Apple’s Flashback fixes: Three belts and a pair of suspenders” that “What Apple didn’t do was tell users that the tool existed. Not with a software update, not with a press release. It isn’t listed on the Mac App Store and it doesn’t show up in a search of the Apple website. And if you do somehow find and install it on your computer, it will disappear into the underlying code, making its presence known only if Flashback shows up. If Apple is going to operate in the malware-ridden Internet as it is — as Microsoft (MSFT) has for years — a little transparency would be appreciated.”
Unfortunately, if you’re running Leopard (OS X 10.5) or earlier, you must manually disable or remove Java, because Apple no longer supports those older versions. It would be good if Apple issued an update for these older versions, because many people still use them.
There is good news as a result of all the updates Apple has issued, according to Symantec, the security company. From “OSX.Flashback.K — Infections Down to 270,000 | Symantec Connect Community”: On April 13th, “…we (Symantec) have estimated that the number of computers infected with this threat in the last 24 hours is in the region of 270,000, down from 380,000.” And that’s down from a high of ~600,000 when Flashback first came on the scene last week.
So now with this latest Java update, if you have installed Java for Adobe products or other non-web browser applications, you’re safe for the time being. Still, be wary of Java applets that ask permission to run in your web browser. Only run them on sites you know to be safe, like your banking site and others that show a clear and correct URL in the address bar.
And realize that Apple should be much faster with issuing security updates in the future.