04-05-2012 11:55 AM - edited 04-05-2012 11:59 AM
We have gotten several questions about this, so I thought I would post here publicly. Normally, it's policy to not comment on threats added to our definitions, since we consider it part of our job--we don't like to toot our own horn, so to speak. But this has received a fair amount of press. See here:
For those unfamiliar, the implementation of Java in Mac OS X has a vulnerability that lets a malicious Web site gain access to your Mac. When you visit a Web site with the malicious Java applet, it downloads a trojan to your Mac. If you run the trojan, it sets up a "botnet" that can remotely control your Mac, all just by visiting a harmful Web page.
Norton will protect you in the following ways:
You can make sure you have the latest virus and vulnerability protection definitions by running LiveUpdate manually, but these definitions should have been downloaded already. No further action should be necessary unless you are already infected. You can enable the additional protection Norton DeepSight provides by changing it to block outgoing connections.
04-05-2012 03:38 PM - edited 04-05-2012 03:39 PM
Does this apply to SEP too or is there a link to where this is addressed for SEP Mac clients? My Information Security Officer is wanting to know what Symantec is doing to address this, but this is the only info I can find from Symantec relating to the newer, Java-based variants.
04-05-2012 03:41 PM
SEP includes antivirus protection, so the information above regarding Norton AntiVirus applies. However, the other features are not part of SEP yet.
So in short, SEP will detect this threat using the managed antivirus features in SEP.
04-06-2012 06:05 PM
Just to verify, the SafeWeb/Safe Surfing feature is not available if you only use (recent versions of) the Safari browser, correct?
Perhaps it would help to list the browsers that are/aren't supported, so no one is misled by thinking they're protected from these harmful web pages (or phishing attacks), when they actually aren't?
Also, as Ryan mentioned, DeepSight only blocks incoming connections by default. You'd need to go to the Firewall's advanced settings to enable DeepSight to also block outgoing connections.
04-07-2012 01:25 PM
I have gotten a couple of private messages here and via e-mail asking how to know if you are protected from this threat.
Please look for the following Vulnerability Protection signature(s):
Web Attack: JRE Concurrency CVE-2012-0507 3
Web Attack: Malicious Java Download 4
Web Attack: Malicious Java Download 6
These signatures all block the Java applet from running when you visit an infected/malicious Web site.
You can also check for this signature:
This signature blocks the trojan that is downloaded by the Java applet.
04-10-2012 04:53 PM
I'm not in Security Response, so I can't really comment on how many samples we have, nor how many detections we have gotten, as that data is all closely guarded by Security Response.
However, if you have a sample of a virus, any kind, you are encouraged to submit it to https://submit.symantec.com/websubmit/retail.cgi
Be sure to use "Flashback" in the Symptoms.