updated 05:10 pm EDT, Thu April 12, 2012
Java for OS X 2012-003 update pulls Flashback
Apple fulfilled its promise of a fix for a rare Mac malware outbreak on Thursday evening by posting another Java update. Java for OS X 2012-003 for Lion users, and Java for Mac OS X 10.6 Update 8, both actively remove the "most common variants" of Flashback. Installing the update automatically scans for Flashback and, if it is found, tells the user that it was removed.
On Lion only, the update also disables the Java browser plug-in and Java Web Start if they haven't been used in 35 days. Users can always re-enable them, but the code no longer runs by default, which keeps users from being infected by Java-based exploits without their knowledge.
Flashback was the first real large-scale Mac malware outbreak. Although the exploited vulnerability was in Java rather than in the Mac itself, 98 percent of the infections were Macs, owing in part to Apple's slower patch response. Apple has been making up for lost time by first patching the exploited vulnerability and now shipping the removal tool, but its response still contrasts with Microsoft's semi-rigid "Patch Tuesday" practice, where security bugs are normally fixed on a regular monthly interval and fixes for surprise attacks often arrive within a few days. For Microsoft, however, the faster update cycle came only after a series of major malware outbreaks and a heavy rework of Windows security.
Flashback itself was rendered inert fairly quickly by redirecting the traffic from successfully exploited machines to safe servers.