Security experts have long warned that [Apple’s] delay in delivering Java patches on Mac OS could be used by malware writers to their advantage, and the new Flashback.K malware confirms that they were right. — PC World magazine
Last week I argued that a Macintosh-based botnet currently being distributed via a Word document would likely change distribution methods, perhaps to a PDF document, in order to spread itself more effectively.
That, to my knowledge, hasn’t happened, but today I learned of the above example of Mac malware doing exactly that, jumping from Java vulnerability to Java vulnerability.
The reason I bring this up is to show the trend has arrived. It’s not that Macintoshes are becoming less secure; malware writers are starting to apply what they’ve learned on Windows systems to Macs.
Thankfully, Java can be disabled on a Mac, and to Apple’s credit the current version, Mac OS X Lion, or 10.7, whichever you prefer to call it, doesn’t come with Java enabled by default. Keep Java disabled, and you’re safe from this exploit.
I uninstall Java on all of my machines, regardless of operating system, unless I have a program that specifically needs Java. Rule #1 of security, regardless of what system you’re using, is to disable or uninstall things you don’t use.
If you really want to be paranoid, you can harden OS X to DoD standards, but it seems the DoD is running a couple of years behind. They still haven’t finalized their settings for OS X 10.6, let alone 10.7. The DoD is still living in the Leopard days. Though if you’re adventurous, you can try to adapt their settings to version 10.7.
But that’s a task for overachievers. I stand behind the advice I gave last week: Use virus scanning, use web-based e-mail with its own virus scanning, and don’t open unexpected e-mail.