Mac users may have another set of drive-by downloads to contend with — and the only good fix might cripple your Web-browsing experience.
A year ago, the MacDefender Trojan tried to frighten Mac users into buying bogus anti-virus software, and flooded their browsers with porn if they didn't.
Today, the Finnish security firm F-Secure reported that the Mac Flashback Trojan, which has been steadily evolving since September, now exploits a flaw in the Java engine that many websites use to host games and other applets.
And just last week, security blogger Brian Krebs reported that attacks on the same Java vulnerability had been bundled into the Blackhole exploit kit, an off-the-shelf Swiss Army knife of malware that probes visiting browsers for various flaws until it finds a hole.
The Java flaw was discovered in mid-January and patched for Windows in February, but Apple has not yet bundled the patch for Mac OS X into its latest updates. That means any Mac running a Java engine can be infected just by visiting a corrupted website — no administrator password needed.
Anti-virus software may not do much good. An earlier version of Mac Flashback disabled Apple's built-in anti-virus software, and it's not clear whether the few and sparsely installed third-party anti-virus products for Macs block this latest version.
Until Apple rolls out a patch, F-Secure recommends that users of Mac OS X 10.7 Lion and 10.6 Snow Leopard completely disable Java on their machines, and provides instructions to do so. (Scroll past the images of scantily clad ladies to see the relevant information.)
One of F-Secure's methods may also work for OS X 10.5 Leopard, the latest version of OS X that many older Macs can run.