Last year, we started seeing new threats in the wild that targeted the Mac. As recently as last week, new publicity about the Flashback Trojan set off a new wave of concern. It was widely reported in online media that a large number of machines (estimated at around 600,000) had been infected.
Apple, knowing the importance of resolving the Flashback issue, has offered two Java updates in the past week, plus a Flashback Removal Tool. (More on that here.)
Now there is a new threat for the Mac. The new Mac Trojan is referred to by Kaspersky simply as “Backdoor.OSX.SabPub.a” and by Sophos as “OSX/Sabpab-A.” Like Flashback, it is primarily an exploit of the Java runtime. Unlike Flashback, the new Trojan requires no user interaction to install. The Trojan uses a documented Java exploit, Exp/20120507-A6, to execute arbitrary code and take command and control of the Mac, enrolling the infected machine in a botnet and sending information back to the command-and-control center.
What is the Java exploit? In Java, the AtomicReferenceArray is a way of allowing many different files in a database of sorts to be accessed by many functions and updated in real time. It protects the individual files rather than locking the whole database while one client is modifying it. The exploit is built not on what this class does but on where it does it.
In most operating systems and browsers, Java functions are sandboxed, running in an environment with no access to the main operating system. The AtomicReferenceArray is not sandboxed adequately and has system-level access on the machine. Because of this access outside the sandbox, malicious code can reach the system and gain the ability to write data to it and create its own directories (the malware).
As these threats have reared their heads on the Apple platform, who is ultimately responsible for the security of the operating environment going forward? Apple has slowly been removing Java from newer versions of the OS. In October 2010, Apple released a note to the developer community explaining that the version it shipped had been deprecated and that a Java environment might not be supplied with the OS in the future (indeed, Lion does not ship with Java, though it can be installed if necessary).
As Java is phased out, it will become a less and less likely vector for Trojans and malware on the Mac, but for now it is still part of many users’ systems.
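As an added example (not code from the original post), here is a small POSIX shell audit a Mac administrator could run to see whether a machine still carries the Java attack surface discussed above: the browser applet plug-in bundle and an out-of-date runtime. The plug-in path is the standard macOS location; the root prefix and the minimum update number are parameters, the latter to be taken from Apple's update notes rather than assumed here.

```shell
#!/bin/sh
# Constructed example: report a Mac's remaining Java exposure.
# The root prefix argument ("/" on a live system) lets the path check
# run against a staged directory tree as well.

PLUGIN_REL="Library/Internet Plug-Ins/JavaAppletPlugin.plugin"

# Exit 0 if the Java browser plug-in bundle exists under the given root.
java_plugin_present() {
  root="${1:-/}"
  [ -d "${root%/}/$PLUGIN_REL" ]
}

# Print the update number N from a `java -version` banner such as
# 'java version "1.6.0_29"'. Prints nothing and fails if not found.
java_update_number() {
  n=$(printf '%s\n' "$1" | sed -n 's/.*"1\.[0-9]\.[0-9]_\([0-9][0-9]*\)".*/\1/p' | head -n 1)
  [ -n "$n" ] && printf '%s\n' "$n"
}

# Exit 0 when the banner's update number is below the required minimum
# (supply the minimum from the vendor's update notes); exit 2 if unparseable.
java_needs_update() {
  banner="$1"; minimum="$2"
  n=$(java_update_number "$banner") || return 2
  [ "$n" -lt "$minimum" ]
}

# Human-readable report for a live machine.
java_exposure_report() {
  root="${1:-/}"; minimum="$2"
  if java_plugin_present "$root"; then
    echo "Java browser plug-in present: ${root%/}/$PLUGIN_REL"
  else
    echo "Java browser plug-in not installed"
  fi
  if command -v java >/dev/null 2>&1; then
    banner=$(java -version 2>&1 | head -n 1)   # java prints its banner on stderr
    if java_needs_update "$banner" "$minimum"; then
      echo "Java runtime is below update $minimum: $banner"
    else
      echo "Java runtime: $banner"
    fi
  else
    echo "No java binary on PATH"
  fi
}
```

Run `java_exposure_report / <minimum-update>` on the machine being checked; a present plug-in plus an old runtime is the combination the post describes as the drive-by vector.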