Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

Apple Releases Flashback Malware Removal Tools

A pair of Java updates from AppleJava for OS X Lion 2012-003 and Java for Mac OS X 10.6 Update 8 — remove the most common variants of the Flashback malware from Mac OS X 10.7 Lion and 10.6 Snow Leopard (see “How to Detect and Protect Against Updated Flashback Malware,” 5 April 2012). The Lion update also temporarily disables Java applets in Web pages. You can use Software Update to install the appropriate update or download it directly.

Since the Java updates by definition require Java, which is optional in Lion, Apple separately released a Flashback removal tool for Lion users that you can run even if Java has never been installed. It must be downloaded and run manually.

When you install the appropriate Java update, the Flashback removal tool runs automatically in the background and notifies you if a Flashback malware variant is found and removed; otherwise, the installation proceeds without comment.

Apple also says that, in Lion, the update immediately disables the Java browser plug-in and Java Web Start, effectively preventing the unintentional use of Java applets in a Web browser. Since the restriction is enforced within the Java browser plug-in itself, it applies to all installed Web browsers in Lion, not just Safari.

To re-enable Java for use in Web pages, you must use the Java Preferences program, found in /Applications/Utilities. But even after you re-enable Web page use, Lion disables Java again after 35 days if it isn’t used at least once on a Web page during that time. Apple’s intent is to prevent Java from being used as a drive-by vector for malware infection among users who don’t need Java active for Web pages.

Although Apple labeled these updates as pertaining to Java, their sole purpose is to remove Flashback and disable the browser plug-in; the rest of Java appears to be unaffected.

If you use Firefox, you may receive an error when you check whether the Java plug-in is up to date after applying Apple’s update. This is a cosmetic caching problem that doesn’t affect security. To learn more about Firefox’s incorrect reporting of the installed Java plug-in version, see “Fix Firefox to Show Updated Java Plug-In” (10 April 2012).

Estimates from anti-malware vendors put Flashback infections at over 600,000 at their height on 6 April 2012. Symantec said that it measured fewer than 300,000 infected machines on 11 April 2012, due to the use of manual removal instructions and automated tools. Apple was tardy in releasing an update in its version of Java for the bug exploited by Flashback’s programmers, which Oracle had patched in the main Java tree for other platforms about two months prior.

Apple provided protection against earlier versions of Flashback using an anti-malware feature built into Lion and Snow Leopard. Called XProtect, this feature checks downloaded programs on first launch (using Launch Services) for signatures matching known malware based on a list Apple maintains. Since the current version of Flashback exploits Java directly and circumvents Launch Services, XProtect is unable to stop this particular infection.


Try productivity tools from Smile that will make your job easier!
PDFpen: PDF toolkit for busy pros on Mac, iPhone, and iPad.
TextExpander: Your shortcut to accurate writing on Mac, Windows,
and iOS. Free trials and friendly support. <>

Comments about Apple Releases Flashback Malware Removal Tools
(Comments are closed.)

Good article and all, but what does the author think about this move? Personally, I like it a lot. It kinda forces people that actually use Java to be aware they are using it.
Adam Engst  An apple icon for a TidBITS Staffer 2012-04-13 07:10
I'm not the author, but in general, I think it's a good thing, given how heavily Java has been targeted by the bad guys. It's ironic, since one of the main goals of Java was to create a sandbox in which apps could operate without affecting the surrounding operating system.

That said, I also think this plays into Apple's overall strategy to push developers into using only Apple technologies, and I'm a little uncomfortable with that. For instance, would we have software like CrashPlan if Java didn't exist to enable cross-platform support?

The more Apple deprecates Java, the less developers will consider it for Mac programs, and that may be a bad thing in the long run.
Glenn Fleishman  An apple icon for a TidBITS Staffer 2012-04-13 07:19
This only affects Java on Web pages, not Java in Mac OS X as a whole. So CrashPlan will continue to run, and other Java-based apps will work.
Adam Engst  An apple icon for a TidBITS Staffer 2012-04-13 20:50
Yes, I'm not suggesting that this affects any current Java software, just that it's another small step in the direction of Apple deprecating cross-platform development tools.
This disables iCal server access in a client browser, part of Apple Server services, since it uses Java and a browser to access and add events to the iCal server.
Nicholas Barnard  2012-04-24 01:47
Two thoughts:
1. This'll cause problems for some online services, such as Smartsource which use Java to print coupons. Given how likely that their users aren't technically savvy this is going to cause them some grief on the OS X platform.

2. Is it possible to disable the auto-disabling of the web plugin? I'm pretty savvy, already block Java by using Marc Hoyois's Click to Plugin extension. I probably manage not to use Java in the browser every 35 days, but there are times when I want it, and rebooting the browser is problematic..
Adam Engst  An apple icon for a TidBITS Staffer 2012-04-24 05:47
Yes, and Lynda Cook on TidBITS Talk reported that some of AT&T's iPhone account Web site also relies on Java in the browser, which caused all sorts of trouble when attempting to manage her account.

I'm not aware of any way to disable the automatic disabling of the plug-in.