The software can be installed without your knowledge if your Java runtime isn’t up to date. But, it can also be installed with the latest version of Java if you agree to trust a bogus root certificate that claims to be signed by Apple Inc.

There’s no indication of how widespread this problem is but the only things you have to remember are, keep your software up to date and don’t trust root certificates if their signature cannot be verified.

(Via 9 to 5 Mac.)