New Mac malware exploits old Java hole
Contributed by: Email on 04/16/2012 11:09 PM
Security specialist Sophos reports that it has discovered new Mac malware which exploits the same Java hole in Mac OS X that was also used by the "Flashback" malware and has since been closed by Apple. The backdoor trojan is called "OSX/Sabpab-A" and is said to establish an HTTP connection to a command & control server once it has infected a computer. According to Sophos's Graham Cluley, attackers then have the ability to execute arbitrary commands, upload and download files, and take screenshots on infected systems. From there, the malware receives and runs instructions to download other malicious components that can be used to log keystrokes, enroll the infected host in a botnet, and so on. Clues in the malware suggest that it is still under development.
The security firm says that, like Flashback, OSX/Sabpab-A spreads via the web; apparently, simply visiting a malicious web page on a Mac with an unpatched version of Java is all that's required to become infected. Sophos provides no further details on the distribution of the malware but has given it a low "prevalence" rating.
The appearance of another Mac-focused malicious program will be more bad news for Apple corp., which has long marketed its Mac systems as safe from viruses, worms and other kinds of malicious code. The appearance of SabPub suggests that Mac-focused malware may become an endemic problem for Mac systems, as it is for those running Microsoft Windows.
Users can protect their systems by installing the latest Java updates, which fix the problem and automatically disable the Java web plugin by default; users can re-enable it via the Java Preferences application (Applications ➤ Utilities ➤ Java Preferences).