How to Protect Your Mac from Java-based Malware
Posted 04/04/2012 at 11:32am | by Cory Bohon
Apple malware: it's everywhere you don't want it to be, like in your computer. Or your browser. Malware usually has something to do with Java and Java applet-based applications. This week's Apple malware scare is no different. Over the past few days, there have been numerous reports about Flashback.K, a Mac trojan that exploits a critical Java vulnerability.
A trojan is a piece of malware that pretends to be a trusted piece of software to get you to click and install it. In this case, Flashback.K pretends to be an official Adobe Flash Player updater, and exploits a Java vulnerability tracked as CVE-2012-0507.
Luckily, there are a few ways to protect yourself and your Mac from getting this piece of Java malware installed on your system. Continue reading to learn how.
How to Safely Browse and Download the Right Files

The first step to avoid getting malware on any system is to be careful when you’re surfing the web and downloading applications. Check out our article on how to safely browse the web to learn how to avoid malicious websites.
Disable Java in Mac OS X
Java applications are inherently different from other applications on your Mac. Unlike traditional applications, which are "compiled" by the software author and can run only on the architectures they were built for, Java apps can run on any system with a JRE (Java Runtime Environment). This means that a piece of Java malware can affect Windows, Linux, and Mac systems.
Because Apple supplies the Java updates for the Mac, however, some of the updates that fix these vulnerabilities arrive later than their Windows and Linux counterparts, making the Mac more susceptible to these issues. The point is: just because you have the latest version of the JRE on your Mac doesn’t mean you’re protected and free of vulnerabilities.
With Mac OS X Lion (10.7), Apple stopped distributing the JRE with OS X. If you installed Lion from scratch and haven’t installed the JRE from within Software Update, then you’re protected. However, if you have a JRE on your system, you can disable it to keep Java applications from running on your Mac.

To turn off the JRE, navigate to Applications > Utilities > Java Preferences. On the General tab, uncheck the “Enable applet plug-in and Web Start applications” box, and then uncheck the “On” box for Java SE X (where X is the version of the JRE).

While you’re here, you can check which applications currently have access to run without prompting you beforehand by clicking on the Security tab. If you see an application you didn’t allow, click it, and then click on the minus (-) button at the bottom of the screen to remove it from this list, keeping it from running without prompting you.
Disable Java in your browser
The last way to protect yourself is to disable Java applets from running within your web browser. We’ve already disabled the Java system, but just to be on the safe side, you should disable Java in Firefox, Safari, or Chrome. Click here to learn more about disabling Java within your favorite browser.
Cory Bohon is a freelance technology writer, indie Mac and iOS developer, and amateur photographer.