Apple has released a security update for Mac OS X that removes the Flashback Trojan, a persistent piece of malware that used a known flaw to infect an estimated 600,000 Macs in the past month.
In a security bulletin posted this afternoon (April 12) on the Apple Support website, Apple said the update "removes the most common variants of the Flashback malware" and "also configures the Java web plug-in to disable the automatic execution of Java applets."
Apple has been criticized in the security community for failing to stop Flashback from infecting so many machines using a known vulnerability in Oracle's Java software. The malware has existed in various forms since last fall.
The Java flaw was discovered in late January, and Oracle patched it on Windows and Linux machines Feb. 17. But Apple, which does its own Java updates, did not come out with a patch until April 3, after more than half a million Macs worldwide had been infected.
Java, in effect, creates an operating system inside an operating system in order to run Web-based apps and other functions across different platforms. It has a history of serious vulnerabilities. Many security experts recommend that it be disabled on both Macs and PCs unless absolutely necessary.
Apple seems to have heeded that advice. The security bulletin released today said: "Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets."
The security update will be pushed out automatically today to all Macs running Mac OS X 10.6 Snow Leopard and OS X 10.7 Lion.
Apple no longer supports Macs running OS X 10.5 Leopard, which includes all Macs based on the PowerPC architecture.
Late yesterday (April 11), and without any announcement, Apple began boosting security in the iTunes Store and the App Store to combat a persistent problem of hijacked Apple customer accounts.