Attackers behind the Flashback and SabPub malware likely reverse-engineered a Java vulnerability patched for Windows almost two
months ago by Oracle.
Apple, which normally refuses to comment on any vulnerabilities in its products until after it's released a fix, broke with tradition by last week confirming that it was coding an OS X upgrade to nuke Flashback.
===> According to various security firms, approximately 600,000 Macs had been infected by Flashback, which makes it the largest malware infection to ever hit OS X users. <===
In addition, Kaspersky managed to tie the botnet to six malicious Microsoft Word documents that it's seen in the wild, two of which drop the SabPub vulnerability, and four of which drop the MaControl bot, which appears to be an earlier effort by the same virus writers. One key difference, however, is that MaControl didn't target the Java vulnerability exploited by Flashback and SabPub.
===> Another is that SabPub managed to remain active for about six weeks before anyone detected it. <===