New Trojan variant can install without password

06.04.2012
Flashback, a Mac Trojan horse that's been in the public eye since it was uncovered by security firm Intego last year, has a new trick up its sleeve: It can now infect your computer from little more than a .

Originally, as an installer for Adobe's Flash Player--hence the name--but the malware has changed tacks at least once since then, instead pretending to be a or a Java updater.

The latest variant, discovered by security researchers at F-Secure and dubbed OSX/Flashback.K, takes advantage of a weakness in Java SE6. That vulnerability, identified as , allows the malware to install itself from a malicious website the user visits, without needing the user to enter an administrator's password.

No fix is currently available for this vulnerability on the Mac, although the hole was patched in Java for Windows back in February. Unfortunately, Apple has for lagging behind Windows when it comes to updating Java for security patches. However, given that Apple rolls out updates every few months, it seems likely that the company will distribute a patch in the not too distant future.

Until then, F-Secure suggests users . The company has also given is currently infected by the .

It's also worth noting that the Java vulnerability has recently been included in the popular used by many attackers.