Russian antivirus company Dr. Web announced yesterday that a growing number of Mac computers are infected with the Flashback trojan (over 600,000 machines) — malware that was originally uncovered last September as a fake Adobe Flash Player plugin installer. In the last few weeks, a version of this malware has evolved to take advantage of Java vulnerabilities and attack Mac systems. The malware package is designed to steal personal information by injecting code into Web browsers that allows it to harvest passwords and other information when a user visits a compromised website.
Apple released a patch yesterday for supported OS X versions 10.6 and 10.7 via Software Update, or you can go get the downloads manually from Apple Support at the links below.
According to CNET’s Topher Kessler:
OS X does not come with Java installed by default, and the latest versions of Java should be patched properly so anyone with new or properly updated systems should be safe from these threats; however, there are likely many people still running older versions of Java on their systems that are still vulnerable.
The site F-Secure also offers detailed information on the Flashback trojan with instructions for determining whether your Mac is infected and also for manual deletion of the malware (for advanced users).