Thoughtful, detailed coverage of everything Apple for 34 years
and the TidBITS Content Network for Apple professionals

Category: Security

Adam Engst 37 comments

How to Detect and Protect Against Updated Flashback Malware

Apple has released an update to its Java runtime engine to, among other things, fix a vulnerability that’s been exploited by variants of the Flashback malware. Doctor Web, an antivirus software developer in Russia, says as many as 600,000 Macs have been infected with the malware. We run down what’s known about Flashback and how you can protect yourself.

Adam Engst 6 comments

New “Take Control of CrashPlan Backups” Explains CrashPlan

We love the CrashPlan backup program and service because of all the places it can store your data, but we’ll be the first to admit that CrashPlan has a somewhat odd interface that benefits from the kind of thorough documentation that only Joe Kissell can provide.

Glenn Fleishman 16 comments

Elcomsoft Criticism of iOS Password Apps Overblown

Security firm Elcomsoft has released a white paper detailing weaknesses when short passwords with mixed characters or longer ones solely made up of numbers are used with many iOS password-keeping apps, including 1Password, LastPass, and mSecure. The impact of these weaknesses is limited to start with, and not a risk unless someone is out to get your passwords in particular.

Adam Engst 4 comments

Back Up Your Google Data with CloudPull

If you use Google Docs heavily or don’t already have a good IMAP-based backup of your Gmail account, look into Golden Hill Software’s CloudPull, which makes local backups of the important data in your Google account.

Adam Engst 7 comments

iOS Apps with Location Permission Can Access Your Photos

Nick Bilton of the New York Times reports that a loophole in iOS’s security infrastructure enables apps you have allowed to determine your current location to access all the photos on your device (presumably due to the location information stored within photos). Although there are no known instances of this capability being abused in the wild, a proof-of-concept app commissioned by the New York Times showed that it could upload photos to a remote server once it had been given location permission. Apple will likely fix this soon; in the meantime, we recommend turning off unnecessary permissions in Settings > Location Services.

TidBITS Staff 6 comments

The Sandbox Conundrum: Security vs. Innovation

For a second time, Apple has extended the deadline for requiring App Store developers to sandbox their apps. Unfortunately, this delay does little to ease the problems that surround the sale of apps that do not fit Apple’s distribution model.

Michael E. Cohen 8 comments

Fixing Find My Mac

Find My Mac was unavailable on Michael Cohen’s iMac ever since the feature was first introduced — until he found the easy fix.

Adam Engst 20 comments

Beware the Morphing Flashback Malware

The Flashback malware, which has evolved significantly since its discovery in September 2011, now uses sufficiently subtle infection methods that non-technical users could easily fall prey to it. Worse, neither Apple’s XProtect malware detection system nor the forthcoming Gatekeeper in Mountain Lion can stop the current Flashback variant.

Agen Schmitz No comments

MacVoicesTV Parenting Panel from Macworld | iWorld

Tonya Engst discusses raising children in the age of screentime as part of the “Parenting in the Mobile Internet Age” panel discussion from Macworld | iWorld 2012, moderated by Chuck Joiner of MacVoicesTV.

Glenn Fleishman No comments

Web Certificate Flaw Not Dangerous

Two sets of researchers revealed that insufficiently random choices of the prime numbers from which encryption keys are derived for Web site SSL/TLS certificates mean that the private parts of the keys can be derived. Fortunately, it’s not a flaw in an algorithm, and seems to affect only a small number of sites. Read the whole explanation in Glenn Fleishman’s account at Boing Boing.

Rich Mogull 25 comments

Gatekeeper Slams the Door on Mac Malware Epidemics

OS X 10.8 Mountain Lion introduces a new security feature to help users install downloaded software only when it comes from trusted sources. This is the first major advance in consumer security to protect users from being tricked into downloading malicious applications.

Adam Engst 24 comments

Mac OS X 10.7.3 Fixes Bugs, Improves Lion Server

On the desktop side, Mac OS X 10.7.3 is just another bug fix update (along with some welcome new language support). But for those using Lion Server, the 10.7.3 update provides new features and an improved interface, along with plenty of bug fixes.

Adam Engst 6 comments

What It’s Like to Experience Email Account Hijacking

In the November issue of The Atlantic, James Fallows shares the story of how his wife’s Gmail account was hijacked and what they went through to recover years of stored messages. It’s a compelling tale that will hopefully bring home the need for secure passwords and offline backups of cloud-based data.

Glenn Fleishman 10 comments

CameraTrace Tracks by Serial Number in Photos

The folks at GadgetTrak have taken their camera-tracing database service out of beta and given it the name CameraTrace. You can search for serial numbers embedded in billions of uploaded photos for free, or pay $10 per camera for an active trace.

Glenn Fleishman 5 comments

New Tool Secures Against DNS Poisoning

A new tool from domain name lookup service OpenDNS secures your Mac’s connection to the firm’s servers when translating a human-readable name into its IP address, as Glenn Fleishman explains at Macworld. This prevents a host of malicious activities that can occur when third parties tamper with or poison the values returned for a DNS request. It’s free, and it works with OpenDNS’s free and paid offerings.