The variants of Flashback that utilized CVE-2012-0507 prior to being patched could install without user interaction but with only ad-click hijacking functionality to generate revenue. The CVE-2012-0507 exploit allows the untrusted Java applet to perform functions outside the Java security sandbox without user interaction. It should be noted that the Java sandbox is self contained and part of the Java implementation; it is not an implementation of the sandboxing used with other client side apps within OS X.
This Java exploit does not utilize memory corruption but instead leverages a logical error in the Java reference array to achieve code execution. The runtime security mitigation in OS X Lion don't prevent these types of exploits that rely on logical errors. This type of vulnerability is rare but does lead to reliable exploits when found.
Infecting Safari occurs in two ways:
1) Safari is infected when the info.plist file contained in its app bundle is modified; this requires password authentication. Specifically, the LSEnvironment entry in the info.plist file is modified. The payloads are loaded into Safari when launched.
2) The ~/.MacOSX/environmental.plist file is modified so that a filtering payload is loaded into every app that then loads the ad-click payload into the browser when the browser is launched. This method does not require password authentication. The modification to environment.plist includes adding DYLD launch variables.
It should be noted the environment variables added to environment.plist don't take affect until the user has logged out and then logged back in. This could be why so many machines reported themselves as infected to the C&C servers despite only 10,000 machines actively having Safari modifying ad-clicks to generate revenue. I do not believe that this limitation occurs with installation method #1, which could be why method #1 is the prioritized installation method.
Given that password authentication is not required to install the ad-click hijacking payload, the request for password authentication in method #1 may also have been intended for functions included in subsequent versions of Flashback. For example, logging keystrokes protected by NSSecureTextField (masked text entry such as passwords and banking credentials) would require password authentication given that Flashback didn't include a privilege escalation exploit within OS X.
Luckily, the ability to load DYLD launch variables from environment.plist has now been removed from Mac OS X as well as the issue with Java being patched.
http://support.apple.com/kb/TS4267
Subsequent patches to Java for Mac are going to be produced by Oracle and will be released along side patches for other operating systems.
I also know that a virus is only one type of malware...so let's not get into that whole can of worms!
