New Java trojan attacks Mac OS X via social networking sites (arstechnica.com)
22 points by charlief on Oct 27, 2010 | 25 comments


It seems to imply that once the link is clicked it downloads and runs the payload automatically, but this is rather hard to believe (I would guess that there is some user action required).

Is the article correct?


User action is required; the applet needs permission to get outside of its sandbox, so a standard "This applet wants permission to access your computer and data, Approve or Deny?" dialogue is presented.


Drive-by download & execute vulnerabilities exist in Java for many browsers.

So yes, it is possible for the "trojan" to work as described.


If "as described" includes running automatically (without user permission), then you'd be incorrect in this case. This particular trojan doesn't include any privilege escalation exploits, so the user must confirm a couple of security dialog boxes (including keying their password) before the trojan can install.


This is not entirely true. There will be only 1 popup asking the user's permission to "run" java code through the browser. After that, the applet can download anything on the box it needs and execute it.

The applet has full access to the local filesystem with the same privileges the original user has. If needed the hackers can further exploit the machine, by escalating user privileges with some corrupt scripting.

One click is enough to seriously damage your machine, be careful ;) This is what the popup looks like in Firefox http://www.ussu.ca/studentgroups/JavaApplet.jpg
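The boundary the two comments above describe (a sandboxed applet vs. one the user has approved via the "Run" dialog), as an added illustration that is not code from the article, the thread, or the trojan itself. It builds two Java protection domains, one with no permissions and one with AllPermission, and asks each whether it could read the home directory, open outbound sockets, execute programs, or create class loaders; nothing is actually read, connected to, or executed. It uses the classic `java.security` API, which is deprecated for removal since JDK 17, so it compiles with warnings on JDK 17 and 21.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: models the sandbox boundary that the applet "Run" dialog removes. */
public class AppletBoundaryDemo {

    // Actions the thread says an approved applet can take with the user's own rights.
    static final Permission[] PROBES = {
        new FilePermission(System.getProperty("user.home") + "/-", "read,write"),
        new SocketPermission("*", "connect"),
        new FilePermission("<<ALL FILES>>", "execute"),
        new RuntimePermission("createClassLoader"),
    };

    /** A domain with exactly the given static permissions (no Policy lookup). */
    static ProtectionDomain domain(boolean trusted) {
        Permissions perms = new Permissions();
        if (trusted) {
            perms.add(new AllPermission()); // what clicking "Run" on a signed applet grants
        }
        perms.setReadOnly();
        return new ProtectionDomain(null, perms);
    }

    /** Returns, per probe, whether code in that domain would pass the permission check. */
    static Map<String, Boolean> probe(boolean trusted) {
        AccessControlContext ctx = new AccessControlContext(new ProtectionDomain[] { domain(trusted) });
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (Permission p : PROBES) {
            boolean granted;
            try {
                ctx.checkPermission(p); // only checks; performs no I/O
                granted = true;
            } catch (AccessControlException e) {
                granted = false;
            }
            result.put(p.getName() + " [" + p.getActions() + "]", granted);
        }
        return result;
    }

    public static void main(String[] args) {
        System.out.println("Unsigned applet, sandboxed:       " + probe(false));
        System.out.println("Signed applet after clicking Run: " + probe(true));
    }
}
```

The first line prints every probe as false, the second as true: the single dialog is the whole difference between a confined applet and one running as the logged-in user.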


FTA:

> A new trojan horse has cropped up that affects Mac OS X (and Windows as well).

Perhaps noteworthy in the title.


Windows users might not consider a new trojan as noteworthy news ;)


Chrome users, enter 'about:plugins' in your address bar to disable Java.

(Users of other browsers, you can usually find what you need in preferences.)


From another source, clicking on the link appears to show a certification error dialog[1].

[1]: http://www.macrumors.com/2010/10/27/new-java-based-malware-t...


What antivirus/security software do other HNers use on their Macs, if anything?


ClamXav for a manual full scan every so often; probably a waste of time.

I find LittleSnitch (outbound firewall) reassuring to let me moderate which applications are allowed to connect to what.


Right now, common sense.

I'll move to Arch if I need to install anything else that remotely resembles bloat.


Common sense is also enough on Windows, except when it isn't.


[deleted]


It wasn't even implemented into Chrome (dev channel, OSX) until recently, and I don't think I even noticed anyone ask about it.


Since no one else is going to say it...

Suddenly it doesn't seem like such a bad idea to remove Java from OS X. I for one can go without any applets and even Minecraft on my MacBook Pro.


First, Apple isn't removing Java from OS X. They will stop shipping their customized version of Java in several years.

Second, every popular piece of software has vulnerabilities. So if this warrants the removal of Java, you should remove Safari and the BSD kernel from OS X as well.


There is no BSD kernel in OS X. The entire OS is Darwin running an XNU kernel that has a BSD layer within it. There is no way to remove the BSD layer without removing the entire OS.


"There is no way to remove the BSD layer without removing the entire OS"

Yup, that's the joke I was making... grandparent comment would have us remove all our software...


There is an awful lot of enterprise software that is built on Java, and security vulnerabilities are going to happen, be it in Java or in Safari or any other piece of software you happen to use.


I'd like to see a list of OS X apps using Java. Some may be using Java apps without knowing it. Some P2P apps come to mind.


If by "remove" you mean "not install as a default component of the OS" then yes.


Underlying requirement: that the user running the applet is an administrator (and while this is the default modus operandi as per the installation procedure of OS X, not every OS X user continues on this path).


The user is also alerted when the applet tries to run, and they would need to approve the privilege escalation request for the applet; it has an untrusted, self-signed cert.


If true, this is a huge omission from the article. Got a source?




