Java vulnerability exposes thousands of Macs to hackers

By Kayla Reeves
Reporter

A vulnerability has been discovered for Java users that could give hackers complete access to your computer.

Java is a software package that allows users to run different programs on the computer, said Carl Flynn, director of marketing and communications for Information Technology and University Libraries.

Some of these programs are standalone applications, and others run in the browser, he said.

Once activated, the malware gives someone else the same level of access to the computer that the logged-in user has.

“Most of us have administrator access, which means we can do anything and everything on that computer. If you’re only logged on as a user, the exploits can only do what a user can do, and usually that’s not very much,” Flynn said.

The “Flashback trojan” can affect Mac OS X computers, which are known for their supposed immunity to viruses.

Apple deliberately stopped shipping its computers with Java preinstalled because of issues like this, Flynn said.

Users have to choose to install any third-party software themselves, and they take on the risk of being hacked when they do.

Also, Flashback is malware but not a virus. Viruses typically attack machines on their own, while Flashback has to be invited in by visiting a malicious website, said Adam Sealey, senior information security analyst.

It exploits a vulnerability in some Java versions, commonly known as CVE-2012-0507.

The hackers try to trick people into visiting websites that run Java code to attack that vulnerability, Flynn said.

“They’ll make it look like they’re Wells Fargo Bank and they need you to update some information, so you click the link, but really it takes you to a site that’s set up to deploy,” he said.

Java versions five, six, and seven are all vulnerable, and the malware has reportedly affected more than 600,000 Mac computers worldwide, with a higher percentage in North America, Sealey said.

“I have tested this vulnerability in my lab and managed to obtain full control of a victim computer,” he said.

All users should make sure they have the latest system updates and the latest Java version installed on their personal machines; with those in place they should be protected, Flynn said.

He said students can go to http://flashbackcheck.com/ to see if their computer has been infected, or download FlashbackChecker from https://github.com/jils/FlashbackChecker/wiki, an application for Mac OS that tests for infection.

To see which version of Java you have, visit javatester.org/version.html. If the version reported by this tool is 1.6.0_31 or higher, then it is up-to-date.
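The version check above can also be scripted for many machines. The following is an added example, not code from the article or from Baylor ITS: it parses the banner printed by `java -version` (or a bare version string), compares it with the 1.6.0_31 baseline the article gives, and runs that check against the local install. The sample banners are constructed for illustration, and the comparison applies the article's "1.6.0_31 or higher" rule literally.

```python
import re
import subprocess

# Baseline stated in the article: 1.6.0_31 or higher is treated as up to date.
PATCHED_BASELINE = "1.6.0_31"

# Matches 1.6.0_31, "1.7.0_04", or 1.7.0 (no update number) inside a banner.
VERSION_RE = re.compile(r'"?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"?')


def parse_java_version(text):
    """Return (major, minor, patch, update) from a version string or banner.

    Returns None when no version number is present. A missing update
    number (e.g. a bare 1.7.0) is treated as update 0."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def is_up_to_date(version_text, baseline=PATCHED_BASELINE):
    """True if the version in version_text is at or above the baseline.
    Unparseable input is reported as not up to date, never as safe."""
    found = parse_java_version(version_text)
    if found is None:
        return False
    return found >= parse_java_version(baseline)


def installed_java_version():
    """Run `java -version` on this machine; the banner is printed on stderr.
    Returns None if no java binary is on the PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_java_version(proc.stderr + proc.stdout)


# Constructed sample banners in the format `java -version` prints.
SAMPLE_BANNERS = {
    "patched Java 6": 'java version "1.6.0_31"\nJava(TM) SE Runtime Environment',
    "old Java 6": 'java version "1.6.0_29"\nJava(TM) SE Runtime Environment',
    "old Java 5": 'java version "1.5.0_30"',
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label}: {parse_java_version(banner)} -> up to date: {is_up_to_date(banner)}")
    local = installed_java_version()
    print("local install:", local, "-> up to date:", local is not None and local >= parse_java_version(PATCHED_BASELINE))
```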

“There is one loophole here, and it’s pretty huge,” Flynn said. “Mac users still running Mac OS X 10.5, which was two updates ago, and have Java activated in their browsers should disable Java immediately. There’s no patch available for that one yet.” However, this version is relatively old, and not likely to be common, he said.

The public computers on campus are not likely to be affected because they use a particular package that minimizes vulnerability, and they have antivirus software installed, he said.

Information Technology Services will send notifications soon about how updates on Baylor-owned computers are handled.

It is too early in this malware's development to determine who is behind it or what they plan to do with the infected computers, Sealey said. But once someone has control of your computer, they can do pretty much anything they want, including identity theft, fraud, or the release of sensitive information.