Reports say up to 600k boxes have been hosed, and if recent statements out of Cupertino are any indication, Apple staffers are running around like the proverbial headless chickens trying to contain this outbreak.
It seems the Apple security team has taken a leaf out of Microsoft's book -- they're targeting Flashback's C&C servers and will issue a removal tool through Apple's software update service.
"The Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions," today's statement reads. "Apple is working with ISPs worldwide to disable this command and control network."
Apple tardily released a patch for the Java vulnerability that allowed this malware to propagate in the first place. But considering Java is a bottomless pit of vulnerabilities, you might want to disable it system-wide. You can actually do that on OS X -- it's under Java preferences in System Settings.