Apple Updates Java To Include Flashback Removal

samzenpus posted more than 2 years ago | from the protect-ya-neck dept.

Botnet 121

Fluffeh writes "In the third update to Java that Apple has released this week, the update now identifies and removes the most common variants of the Flashback malware that has infected over half a million Apple machines. 'This Java security update removes the most common variants of the Flashback malware,' Apple wrote in the support document for the update. 'This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.'"

All apple machines were infected? (0, Troll)

gatfirls (1315141) | more than 2 years ago | (#39667311)

You'd think would have been offline or something. ;)

first (-1)

Anonymous Coward | more than 2 years ago | (#39667339)

to remove

Why do this (-1)

Anonymous Coward | more than 2 years ago | (#39667359)

the update now identifies and removes the most common variants of the Flashback malware

'This Java security update removes the most common variants of the Flashback malware,' Apple wrote

Thanks for the intro sentence that adds nothing.

infected over half a million Apple machines (0, Offtopic)

Anonymous Coward | more than 2 years ago | (#39667447)

I thought this was only the initial number put out to draw ad-clicks. The revised number is now half of that.

Re:infected over half a million Apple machines (1)

CharlyFoxtrot (1607527) | more than 2 years ago | (#39674159)

Don't know who modded this offtopic but the number of infected machines seems germane to the discussion. And AC's correct that the infection rate was dropping rapidly [msn.com] even before this tool hit:

"The number of Macs infected by the Flashback malware has gone down by more than half, from 550,000 to 600,000 computers last week to 270,000 in the last 24 hours, Symantec said Wednesday."

Now whether this is because of an overestimation of the original infection or due to the Apple community being energized and taking action (or a combination of the two) is up for discussion.

No way! (0, Troll)

Anonymous Coward | more than 2 years ago | (#39667461)

Macs don't get viruses!

Re:No way! (5, Informative)

Kenja (541830) | more than 2 years ago | (#39667481)

Macs don't get viruses!

Almost no computer gets viruses anymore. Trojans & malware on the other hand...

Re:No way! (0)

Anonymous Coward | more than 2 years ago | (#39667885)

Macs don't get viruses!

Hello Artie McStrawman.

Re:No way! (0)

Anonymous Coward | more than 2 years ago | (#39670477)

Didn't you get shot down when you said this before?

http://apple.slashdot.org/comments.pl?sid=2777497&cid=39634231

I'm new to this conversation but... (4, Funny)

Lord_of_the_nerf (895604) | more than 2 years ago | (#39667533)

...I was wondering why the art department at work and the guy who makes my coffee was pissed.

Re:I'm new to this conversation but... (-1)

Anonymous Coward | more than 2 years ago | (#39667793)

Oh, mod points, my kingdom for mod points!

Re:I'm new to this conversation but... (4, Funny)

Anonymous Coward | more than 2 years ago | (#39667987)

I think you wanted "were pissed." Apparently you don't work in the communications department. I'll bet the guy who makes your coffee would have gotten it right.

Re:I'm new to this conversation but... (0)

Anonymous Coward | more than 2 years ago | (#39668841)

So... good grammar leads to low-paying jobs? Good to know.

Re:I'm new to this conversation but... (0)

Anonymous Coward | more than 2 years ago | (#39668971)

Maybe the art department is a single person who also makes his coffee.

Re:I'm new to this conversation but... (1)

Lord_of_the_nerf (895604) | more than 2 years ago | (#39669143)

I'm happy to accept that I added art department late and should have to revised ;) I think that makes me marketing...

Re:I'm new to this conversation but... (1)

Lord_of_the_nerf (895604) | more than 2 years ago | (#39669151)

Or even have just revised that. It's not a good day for me.

Re:I'm new to this conversation but... (1)

idontgno (624372) | more than 2 years ago | (#39674577)

Hurry up and make up to the guy that makes the coffee. You need your fix. Badly.

Re:I'm new to this conversation but... (1)

heroid1a (1898046) | more than 2 years ago | (#39671189)

I think you wanted "was pissed off". pissed == was under influence of alcohol whereas: pissed off == angry. Ah, you colonials...

Re:I'm new to this conversation but... (1)

Cro Magnon (467622) | more than 2 years ago | (#39672133)

At least he didn't say "pissed on" which means something else entirely.

Re:I'm new to this conversation but... (1)

citab (1677284) | more than 2 years ago | (#39673473)

Nope.... in the states ... "pissed" does mean "angry" ... same as "pissed off" ...

ah, you former imperialists ...

Re:I'm new to this conversation but... (0)

Anonymous Coward | more than 2 years ago | (#39671705)

I know, aren't English Majors just so precious? :)

immature=no java (5, Interesting)

Anonymous Coward | more than 2 years ago | (#39667539)

So to fix the problem, they say let's disable java by default. They are new to the security game.
Let's say using adobe photoshop had a vulnerability, apple's defense is disable the running of photoshop when launching a ps file without prompting?

It's like preventing your child walking without your permission every time and then when they're grown up and able to make their own decisions and decide to walk, you say, oh you have not walked in a while, you can't walk again.

Re:immature=no java (2, Insightful)

mug funky (910186) | more than 2 years ago | (#39667671)

apple's design philosophy is to progressively remove features, so this fits quite well.

(anyone wanting to knee-jerk at my assertation - give me a counter-example)

Re:immature=no java (0)

Anonymous Coward | more than 2 years ago | (#39667695)

(anyone wanting to knee-jerk at my assertation - give me a counter-example)

I don't have a counter-example, but I do have a teapot in orbit between the Earth and Mars to sell you, CHEAP......

Re:immature=no java (0)

Anonymous Coward | more than 2 years ago | (#39669827)

(anyone wanting to knee-jerk at my assertation - give me a counter-example)

I don't have a counter-example, but I do have a teapot in orbit between the Earth and Mars to sell you, CHEAP......

If it has free shipping I'll buy it.

Re:immature=no java (5, Informative)

BasilBrush (643681) | more than 2 years ago | (#39668257)

What, you mean a new feature? Wikipedia is your friend, there's a long list of new features for every major OSX version.
e.g.
http://en.wikipedia.org/wiki/Osx_lion [wikipedia.org]

Re:immature=no java (0)

mug funky (910186) | more than 2 years ago | (#39668991)

well... they removed some of the crashes i guess.

i was thinking more hardware and software. Final Cut Pro X is a recent example. they added some interesting stuff if you're shooting multi-cam, and broke EDL, XML, backward compatibility, the ability to share projects and removed Color entirely.

hardware wise... if they could remove the home, power and volume buttons they would. they lost me as a supporter when they removed the "reset" button - an arrogant statement that their (then OS 8.6) machines will never crash and hence never need the kill button. had to wrench the fuckers out of the wall. God help you if you had a laptop.

Re:immature=no java (1)

viperidaenz (2515578) | more than 2 years ago | (#39669651)

You can just remove the battery from the laptop... unless it's a macbook air...

Re:immature=no java (1)

datavirtue (1104259) | more than 2 years ago | (#39674591)

Or a Macbook Pro....

Re:immature=no java (4, Informative)

tlhIngan (30335) | more than 2 years ago | (#39669763)

I agree what they should have done is remove java entirely.

They did. Java and Flash have no longer been shipped with OS X for ages now. The primary reason is people keep reinstalling OS X and thus those vulnerable versions. Far better to let the user download and install the latest and greatest from Adobe and Oracle.

Final Cut Pro X is a recent example. they added some interesting stuff if you're shooting multi-cam, and broke EDL, XML, backward compatibility, the ability to share projects and removed Color entirely.

Well, Final Cut Pro X is a completely new rewrite. Apple's tradition in new rewrites of software is to get the basics working rock solid first, then add back missing features. This has been true since OS X was first released and didn't have half the stuff (e.g., DVD player) that OS 9 it shipped with also had. It happened again with QuickTime X - there's a reason why OS X supported a dual install of QT X and QT 7. FCP X is more of the same. They also retargeted it for prosumers rather than pros. And yes, they still sell FCP 7 - but only by phone sales.

hardware wise... if they could remove the home, power and volume buttons they would. they lost me as a supporter when they removed the "reset" button - an arrogant statement that their (then OS 8.6) machines will never crash and hence never need the kill button. had to wrench the fuckers out of the wall. God help you if you had a laptop.

Does a modern PC have a reset button these days? Most of the time if it hard locks, you hold the power button a few seconds and it turns off. You then hit it again to turn it on. Reset's kinda useless since most people found they needed to mollyguard their PCs. Hell, an office full of white box PCs on the floor is a tempting target around family days - little buggers go running off and pushing all the buttons on a PC, including reset. Anyhow, old Macs had them, but they were pin-holes to prevent exactly that sort of problem. (You needed it if you wanted to get into the debugger).

Re:immature=no java (-1)

Anonymous Coward | more than 2 years ago | (#39668359)

How about a knee to the ass, jerk.

Re:immature=no java (0)

Anonymous Coward | more than 2 years ago | (#39669167)

Removing features is a hell of a lot better design philosophy than the "add useless bloat till it explodes" philosophy that open source uses.

Re:immature=no java (1)

Robert Zenz (1680268) | more than 2 years ago | (#39670705)

That seems to be everyone's philosophy of late: Apple, Microsoft, the Gnome Devs, Canonical, the guys which design Android...for crying out loud, I even can't find fitting shoes anymore because they all look the same.

Re:immature=no java (2, Insightful)

codepunk (167897) | more than 2 years ago | (#39667751)

I agree what they should have done is remove java entirely.

Re:immature=no java (3, Interesting)

Anonymous Coward | more than 2 years ago | (#39667911)

You have 3 pieces of software that constantly get patched for security holes found and they are....

1) Java - Not installed in OS X by default anymore. Doesn't get installed unless it's requested like running Adobe Apps, etc.

2) Flash - Not installed anymore by default

3) Quicktime - Rewritten from the ground up starting with QT X. QT 7 and back has always been a security breach.

Re:immature=no java (3, Funny)

utkonos (2104836) | more than 2 years ago | (#39667965)

You're missing one: Adobe Acrobat (PDF).

Re:immature=no java (2, Informative)

ColdWetDog (752185) | more than 2 years ago | (#39668065)

PDFs are handled internally by Preview.app. It doesn't have the functionality of Acrobat reader but it also doesn't have the attack surface.

Re:immature=no java (0)

pankkake (877909) | more than 2 years ago | (#39668235)

Re:immature=no java (1)

Anonymous Coward | more than 2 years ago | (#39668407)

Wow. A whole hole. That's equivalent to the patchwork software that is Adobe Reader.

Re:immature=no java (5, Informative)

cbhacking (979169) | more than 2 years ago | (#39670847)

As of 2010, Adobe Reader was kicking Preview's ass on security. No, that's not a joke. Nor is it fanboyism; I don't use either one. It's just a plain and simple fact. The probable reason? Adobe, like Microsoft, has had many years of being a high-profile target, and has put a lot of effort into finding and fixing security bugs. Apple, quite frankly, has not.

http://net-security.org/secworld.php?id=9725 [net-security.org]
Watch the second video, and jump ahead to 8:57 (almost the end) if you want a simple comparison.

For the lazy, here's the basic facts: Preview had from the same set of 1400 PDFs downloaded from the web, run through a mutational fuzzer to produce 2.8 million test files. Preview had 7 times as many unique crashes as Adobe Reader, and at least 3 times (more realistically, probably 10 times; at worst, 20 times) as many exploitable bugs.

When a guy like Charlie Miller (very well-respected security researcher) can find 7 security bugs in Apple's code for each one he finds in Adobe's (using the exact same test cases), Apple has a serious security problem.

Re:immature=no java (0)

Anonymous Coward | more than 2 years ago | (#39672291)

For the lazy, here's the basic facts: Preview had from the same set of 1400 PDFs downloaded from the web, run through a mutational fuzzer to produce 2.8 million test files. Preview had 7 times as many unique crashes as Adobe Reader, and at least 3 times (more realistically, probably 10 times; at worst, 20 times) as many exploitable bugs.

A crash is not the same thing as an exploitable bug (although they often go together).

It's much better for programs to rigorously check their input, and while it's nice to fail gracefully, I would much rather have a crash than an exploit.

Re:immature=no java (0)

Anonymous Coward | more than 2 years ago | (#39672379)

As of 2010, Adobe Reader was kicking Preview's ass on security. No, that's not a joke.

As of 2011, Preview has been sandboxed; the PDF renderer is isolated and can't touch the filesystem. (This is much the same technique as is employed by Adobe in Reader Protected Mode.)

Re:immature=no java (2)

makomk (752139) | more than 2 years ago | (#39670837)

I think the attack surface of Preview.app actually extends into the OS X kernel itself. One of the iPhone jailbreaks used a kernel-level PDF exploit and it was apparently in code shared with the desktop version.

Re:immature=no java (1)

Anonymous Coward | more than 2 years ago | (#39669035)

It seems silly to blame Java when the entire purpose of Java is to serve as an execution platform for general purpose software. That's like saying "hey we should get rid of executable software, because it could pose a security risk."

Re:immature=no java (-1)

Anonymous Coward | more than 2 years ago | (#39670673)

"It seems silly to blame Java when the entire purpose of Java is to serve as an execution platform for general purpose software."

This is so wrong. The purpose of Java is to allow previously sloth-like programmers to be even more indolent, gulping down Slurpees and peeing in the corners of their Mother's basement, and then on Slashdot- once they improve their aim.
My first exposure to Java was when our historically brain-dead HR dept. hired a contractor to create a parking permit app. If I actually owned an Alvis, I might have appreciated its inclusion in the drop-down menu. But on my old Power Mac it took twenty minutes to load. The few PCs that we had were somewhat faster. Our Suns and Alphas never ran that crap at all. The app was written on a PC; which probably comprised less than 10% of our installed base.
Except in HR, of course.
The contractor was eventually let go. The Java app was rewritten in an afternoon by a bored Post-Doc, and then went on to putter away for a couple of years before the Badge office went back to personal applications, with proof of Drivers License, registration, and insurance required.

I've wanted an Alvis, especially a convertible for some time now. I would have willingly put up with 20 minutes to get a permit for one. But I only had a lowly Mercedes pickup at the time.
It wasn't on the drop-down menu.

Re:immature=no java (1)

datavirtue (1104259) | more than 2 years ago | (#39674739)

What in the hell are you talking about?

Re:immature=no java (1)

petermgreen (876956) | more than 2 years ago | (#39674321)

It seems silly to blame Java when the entire purpose of Java is to serve as an execution platform for general purpose software.

That was one purpose of it but not the only one and not the one that has caused the controversy.

Another purpose of java was to provide a SANDBOXED execution platform for running untrusted software (such as applets from the web) while preventing it from damaging the user's system. The problem is getting a sandbox like this right is hard and every so often a flaw is discovered that lets malicious code break out of the sandbox.

Re:immature=no java (1)

CharlyFoxtrot (1607527) | more than 2 years ago | (#39674285)

I agree what they should have done is remove java entirely.

Java is not installed by default in Lion, the latest version of OSX. The user is prompted to install it the first time he opens a webpage containing an applet or the first time he invokes "java" on the CLI.

Re:immature=no java (2)

Concerned Onlooker (473481) | more than 2 years ago | (#39667851)

They're disabling applets, not Java. That would be like prompting if you wanted to open a recently downloaded ps file in your analogy.

Re:immature=no java (4, Informative)

BasilBrush (643681) | more than 2 years ago | (#39668177)

No, the fix to the problem was to ship the latest Java build which had closed the vulnerability. And then to follow that up with an update that removed any infection already there.

Java is deprecated. As a development platform for OSX it was deprecated going on for a decade ago. And as a platform supported by Apple, back in 2010. With the current version of OSX it doesn't even ship as standard. It only gets downloaded and installed for the minority of people that actually use some software that needs it.

Nevertheless, the only part that is getting switched off when it's not been used for a while is the browser plugin. And reenabling it if required is easy.

Basically it's a bit like Flash - being helped on the road to complete obsolescence because it's not needed and tends to have vulnerabilities.

Perfectly sensible.

Re:immature=no java (-1, Troll)

pankkake (877909) | more than 2 years ago | (#39668271)

Not everyone pays to have the latest Apple service pack. So a lot of Macs had support for Java applets.
No matter how you want to distort the facts, the fix was there and it took Apple two months (and a lot of media coverage) to have them ship it.

Re:immature=no java (1)

CheerfulMacFanboy (1900788) | more than 2 years ago | (#39672513)

Not everyone pays to have the latest Apple service pack. So a lot of Macs had support for Java applets. No matter how you want to distort the facts, the fix was there and it took Apple two months (and a lot of media coverage) to have them ship it.

Linutix shouldn't be too smug about taking time fixing known holes [slashdot.org] - 6 years is hard to beat, even if it weren't a root exploit in the kernel.

Re:immature=no java (0)

Anonymous Coward | more than 2 years ago | (#39668695)

As a development platform for OSX it was deprecated going on for a decade ago.

No it wasn't, and it still isn't.

And as a platform supported by Apple, back in 2010.

Wrong again, in fact back in 2010 they made the announcement that Apple will work with Oracle on Java SE 7 and future versions where Apple will contribute most of the key components, tools and technology including HotSpot JVM, class libraries, networking stack and the foundation for a new graphical client.

Re:immature=no java (1)

BasilBrush (643681) | more than 2 years ago | (#39671543)

You must be a Java developer. And you're kidding yourself. It's in black and white.

"Note: As of the release of Java for Mac OS X 10.6 Update 3, the Java runtime ported by Apple and that ships with Mac OS X is deprecated. Developers should not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X."
https://developer.apple.com/library/mac/#documentation/Java/Conceptual/Java14Development/00-Intro/JavaDevelopment.html [apple.com]

Re:immature=no java (0)

Anonymous Coward | more than 2 years ago | (#39672501)

You must be a Java developer. And you're kidding yourself. It's in black and white.

"Note: As of the release of Java for Mac OS X 10.6 Update 3, the Java runtime ported by Apple and that ships with Mac OS X is deprecated. Developers should not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X."
https://developer.apple.com/library/mac/#documentation/Java/Conceptual/Java14Development/00-Intro/JavaDevelopment.html [apple.com]

Java is not deprecated. Apple's port is. OpenJDK 7 is rolling out with partial, up-to-date, MacOS X support in the next release (update 4) and full support in the subsequent release (update 6). Java under Mac has just gotten better, not worse! You should experience much fewer cross-platform problems now that all ports are maintained by the same vendor.

Re:immature=no java (1)

sproketboy (608031) | more than 2 years ago | (#39673125)

Learn to read:
"Apple will work with Oracle on Java SE 7 and future versions where Apple will contribute most of the key components, tools and technology including HotSpot JVM, class libraries, networking stack and the foundation for a new graphical client."

This is exactly what Apple does. The difference is only that they are no longer including Java by default on OS/X.

Re:immature=no java (0)

Anonymous Coward | more than 2 years ago | (#39672611)

As a development platform for OSX it was deprecated going on for a decade ago.

No it wasn't, and it still isn't.

The Cocoa-Java bridge (what you would use if you were using Java "as a development platform for OSX") has been deprecated since Tiger, about seven years ago.

And as a platform supported by Apple, back in 2010.

Wrong again, in fact back in 2010 they made the announcement that Apple will work with Oracle on Java SE 7 and future versions where Apple will contribute most of the key components, tools and technology including HotSpot JVM, class libraries, networking stack and the foundation for a new graphical client.

Your statement is absurd. The HotSpot JVM is Sun technology which Oracle owns and Apple uses under license.

Since the beginning of OS X Apple maintained an official port of Sun's Java. In 2010, Apple announced that it would not guarantee future availability of this Apple port for OS X.

A month or so later, Apple announced that it would be donating the components for that port to the OpenJDK project and that all future development of Java for OS X would be done as part of OpenJDK. In other words, Apple has washed its hands of Java and turned over the code to the community.

Re:immature=no java (1)

datavirtue (1104259) | more than 2 years ago | (#39674819)

Apple has washed its hands of Java and turned over the code to the community.

It is about fucking time. Java developers rejoice the world over.

Re:immature=no java (1)

Robert Zenz (1680268) | more than 2 years ago | (#39670727)

Java is deprecated.

Please don't tell me you're a .NET developer...pretty please...

Re:immature=no java (1)

Jesus_666 (702802) | more than 2 years ago | (#39671209)

No, a Mac user.

Apple used to support Java as a first-class citizen. It was on one level with Carbon (the OS 9/OS X UI toolkit) and Cocoa (the OS X UI toolkit). Carbon has been deprecated because, well, it was only intended to make the switch from 9 to X easier and 9 has been dead forever. Java has been deprecated, too - it's now a second-class citizen like on other platforms and Apple's only officially backed environment for OS X development is Cocoa.

So it's not deprecated as in "you shouldn't use this anymore" but as in "it's no longer considered a core part of our ecosystem". It lost a status it never had elsewhere. Well, except Android, of course.

Re:immature=no java (1)

Robert Zenz (1680268) | more than 2 years ago | (#39671247)

Oh, then forget that I wrote something...

Re:immature=no java (0)

Anonymous Coward | more than 2 years ago | (#39670739)

"Java is deprecated."

You have it wrong, like so many recent code monkeys; the right phrase is "Java is depreciated." This phrase is less wrong, but since the recent misuse of deprecated has exploded, due, ironically, to a badly edited Sun report back in the '90s, I doubt now that the Language can be repaired.
Along with deprecated, please avoid the misuse of decimate and outlier.

Otherwise, as for the content of your post, you are thoroughly correct.

Re:immature=no java (0)

Anonymous Coward | more than 2 years ago | (#39671495)

Go away, troll.

Everyone who is anyone knows that deprecate comes from "to pray against; ward off", as opposed to depreciate "lose value".

Posting for the benefit of people who are, obviously, not anyone, and might be baffled by your bullshit.

Re:immature=no java (2)

BasilBrush (643681) | more than 2 years ago | (#39671573)

Deprecated is in multiple dictionaries with the exact meaning I used. Therefore you are unquestionably wrong.

You're also wrong about depreciated. That's not the meaning that is intended when software professionals use the term deprecated.

Re:immature=no java (1)

randomsearch (1207102) | more than 2 years ago | (#39671285)

> Java is deprecated.

What?

only the beginning (2, Interesting)

thoper (838719) | more than 2 years ago | (#39667557)

apple's "security through scarcity" is starting to fade away as they gain marketshare. any popular OS will get viruses, malware, trojans, etc.

will mac os get a stronger walled garden as a result? i hope not as i was about to buy my first mac.

Re:only the beginning (1)

viperidaenz (2515578) | more than 2 years ago | (#39669673)

Wait a bit longer and you'll only be able to install Mac software you bought through iTunes.

Re:only the beginning (1)

CharlyFoxtrot (1607527) | more than 2 years ago | (#39674475)

apple's "security through scarcity" is starting to fade away as they gain marketshare. any popular OS will get viruses, malware, trojans, etc.

will mac os get a stronger walled garden as a result? i hope not as i was about to buy my first mac.

The next release of OS X (Mountain Lion) will warn people when trying to run unsigned apps [panic.com]. Apps sold through the Mac App Store will be signed and devs will be able to get their app signed by Apple for free without having to distribute through the App Store. Unsigned apps will also still run if you tell the system to do so. The fact that Apple are doing things shows they will not go full-on walled garden like with iOS but are still trying to get some of its advantages to their users by choosing this middle path.

user error will continue (0)

Anonymous Coward | more than 2 years ago | (#39667615)

And the problem will persist once a user's experience is interrupted by allowing various applets and allows any to run any time, or blindly accepts the running of unknown applets.

Leopard and earlier (1)

SilverCanary (670633) | more than 2 years ago | (#39667737)

Except for Macs running Leopard or earlier of course. Those will probably never be patched.

Re:Leopard and earlier (2)

DurendalMac (736637) | more than 2 years ago | (#39668729)

If an Intel Mac is still running Leopard or earlier then I would have to wonder why. SL will run on any Intel Mac, is superior in nearly every way, and is a whopping $29. If it's a PowerPC Mac, then rest easy, because nobody is going to write malware designed to run on them. What's the point? They're a sliver of the Mac market and that number is going to get any bigger.

Re:Leopard and earlier (1)

DurendalMac (736637) | more than 2 years ago | (#39668741)

Er, isn't going to get any bigger. Curse you lack of an edit button!

Re:Leopard and earlier (0)

Anonymous Coward | more than 2 years ago | (#39669537)

If an Intel Mac is still running Leopard or earlier then I would have to wonder why. SL will run on any Intel Mac, is superior in nearly every way, and is a whopping $29.

It's not $29 if you're running something earlier than Snow Leopard, tack on another $100 to that price. So it's more comparable to the older XP-generation of which many still haven't upgraded to 7 but MS still supports them even though XP is a far less secure and far less stable OS.

Re:Leopard and earlier (1)

viperidaenz (2515578) | more than 2 years ago | (#39669703)

... and will continue to support XP for another two years.

The core OS is still pretty secure (3, Interesting)

Grayhand (2610049) | more than 2 years ago | (#39667745)

Most of the problems have been related to people installing software from the internet manually and things like Java. I'm not saying anything pro or con about Apple I own both Mac and Windows machines so I have no horse in this race. Like Linux the core OS is pretty sound I just wish Microsoft had bitten the bullet and made the leap when they did the Vista overhaul. It was a pretty brave move for Apple at the time to switch the OS and it paid off in the long run. Add ons like Java are always going to be a source of headaches. All I know is I rarely have trouble with my Macs but the PCs are another story. One of mine I had to surrender for internet use because it got nailed by a redirect and I tried everything and short of redoing the OS there was no way to scrub it out. I find it safer to use Mac for web surfing and downloading things like software and I use a lot of licensed photos in my work. It's just my personal experience that I run into far fewer issues with the Macs.

Re:The core OS is still pretty secure (4, Interesting)

exomondo (1725132) | more than 2 years ago | (#39668115)

Most of the problems have been related to people installing software from the internet manually and things like Java.

That's pretty much the case with all platforms, compromise the user and you compromise the security of the system. All the email attachment malware, screensavers, etc... are user exploits and it doesn't matter what platform they are on, of course modern operating systems require explicit privilege escalation but again that's up to the user.

Add ons like Java are always going to be a source of headaches.

What do you mean 'Add ons'? You mean 3rd party software? Or in this case not even that since it's Apple that maintains Java releases for OSX.

All I know is I rarely have trouble with my Macs but the PCs are another story. One of mine I had to surrender for internet use because it got nailed by a redirect and I tried everything and short of redoing the OS there was no way to scrub it out. I find it safer to use Mac for web surfing and downloading things like software and I use a lot of licensed photos in my work. It's just my personal experience that I run into far fewer issues with the Macs.

I'm equally as careful whether I'm running Windows or OSX, I'm not going to be naive and just install anything downloaded from the net or visit questionable sites on either platform because - as these recent publicized events have highlighted - neither platform is completely secure and it would be pretty irresponsible to tell users that they don't have to worry about security just because it's OSX, best to be just as careful no matter what you use. Sure there are less known issues with OSX - even less for most Linux or BSD distros - but as their marketshare increases we are seeing instances of infection increase so best to take as much care no matter which platform you're on.

Re:The core OS is still pretty secure (1)

grouchomarxist (127479) | more than 2 years ago | (#39668381)

What do you mean 'Add ons'? You mean 3rd party software? Or in this case not even that since it's Apple that maintains Java releases for OSX.

I'm not sure about the status of the current Java in OS X, but Apple previously announced that Oracle would be handling the development of Java for OS X for future OS X releases.

http://www.apple.com/pr/library/2010/11/12Oracle-and-Apple-Announce-OpenJDK-Project-for-Mac-OS-X.html [apple.com]

My guess is that this means Java resources at Apple are probably not significant and could explain why Apple took such a long time to release this patch.

Re:The core OS is still pretty secure (2)

exomondo (1725132) | more than 2 years ago | (#39668513)

I'm not sure about the status of the current Java in OS X, but Apple previously announced that Oracle would be handling the development of Java for OS X for future OS X releases.

http://www.apple.com/pr/library/2010/11/12Oracle-and-Apple-Announce-OpenJDK-Project-for-Mac-OS-X.html [apple.com]

Well from your link:
Java SE 7 and future versions of Java for Mac OS X will be available from Oracle. [apple.com]
Then in reference to the update targeting the current malware threat:
Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31 [apple.com]

Even with the OpenJDK Apple will contribute most of the key components, tools and technology required for a Java SE 7 implementation on Mac OS X [apple.com] so I'm still not sure what you're defining as 'Add ons', you mean anything outside of the kernel?

Re:The core OS is still pretty secure (0)

Anonymous Coward | more than 2 years ago | (#39670947)

That's pretty much the case with all platforms, compromise the user and you compromise the security of the system. All the email attachment malware, screensavers, etc... are user exploits and it doesn't matter what platform they are on, of course modern operating systems require explicit privilege escalation but again that's up to the user.

Not entirely the case here. The nastiness of this malware comes from the fact that it does not require user interaction to alter a system, though if you give it the go-ahead it will do it system-wide.

From an article on CNET

How does it work?

The Flashback malware injects code into applications (specifically Web browsers) that will be executed when they run, and which then send screenshots and other personal information to remote servers.

First step: Exploiting Java
When you encounter the malicious Web page containing the malware and have an unpatched version of Java running on your system, it will first execute a small Java applet that when run will break the Java security and write a small installer program to the user's account. The program is named something like .jupdate, .mkeeper, .flserv, .null or .rserv, and the period in front of it makes it appear hidden in the default Finder view.

In addition, the Java applet will write a launcher file named something like "com.java.update.plist", "com.adobe.reader.plist", "com.adobe.flp.plist" or even "null.plist" to the current user's ~/Library/LaunchAgents/ folder, which will continually launch the .jupdate program whenever the user is logged in.

In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:

/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app

If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.

Second step: Downloading the payload
When the jupdate program executes, it will connect to a remote server and download a payload program that is the malware itself, and which consists of two components. The first is the main part of the malware that performs the capture and upload of personal information, and the second is a filter component that is used to prevent the malware from running unless specific programs like Web browsers are being used.

Third step: Infection
Once the malware and the filter are downloaded, the malware is run to infect the system. This is where users will see an alert about a software update and will be prompted to supply their passwords. Unfortunately at this point there is nothing to stop the infection, and whether or not a password is supplied only changes the mode of infection.

The root of the infection routine is based around hijacking configuration files in OS X that are read and executed when programs are run. One of these is called "Info.plist" located in the "Contents" folder within each OS X application package, and is read whenever that specific program is opened. The second is called "environment.plist" and is located within the user account in a hidden folder (~/.MacOSX/environment.plist), which can be used to launch parameters whenever any programs are opened by the user.

The first mode of infection is if a password is supplied, in which case the malware alters the Info.plist files in Safari and Firefox to run the malware whenever these programs are opened. This is the malware's preferred mode of infection, but if a password is not supplied, then the malware resorts to its second mode of infection, where it alters the "environment.plist" file. Then runs a downloaded .so from within a user profile whenever a user logs in.

So essentially it is one mean sofabitch piece of malware specifically targeting Apple users who do not have a frigging clue about security and who up until now have enjoyed "security through obscurity"

Hearing smug Apple fans say "I have a Mac so I don't need AV software" is about to come to an end especially after more and more wealthy Mac users get pwnd and find money missing from their credit cards.

The people who wrote this stuff are obviously very well funded criminals with the intent of going after the rich Apple sheep crowd. My prediction is that they will find more holes in Mac OS X through things like Quicktime and use things like online Apple codec freebie porn files to infect Mac users computers.... If this is not happening already???? After all the codecs and file playlist info are all known quantity .xml scripted systems. Who is to say that similar holes do not exist right within the OS X xml engines. Xml is a scripted language that needs a secure sandboxed environment to work and Apple sure as hell does not pay as much attention to security as they should!

Hell if they would apply the updates to Java as Oracle releases them instead of rewriting it for their own purposes then they would not have had all this trouble with java. I do not see the same problems with late Java updates on either Windows or Linux. It is obvious that Java is a threat to them in the cell phone and embedded device market and they want to make it appear that Oracle and Java are the problem. Hell my Blu-ray player runs java on busybox, my cell runs on modified java and so do millions of other devices that compete with iPhone and Apple worldwide.

It would seem that just blaming java is an excuse and a convenient one at that.

Sure Apple is trying to get ahead of the situation and control the content that Mac users download with their iTunes and apple store crap but the reality is that if organised crime can that easily infect Mac and possibly sell user info then it is only a matter of time before they realise that Mac users are essentially sheep ready to be sheared the same as Windows users once were.
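The persistence points listed in the CNET excerpt above can be checked with a short script. This is an added example, not code from the article, the commenter or Apple's removal tool. The `DYLD_INSERT_LIBRARIES` and `LSEnvironment` key names are assumptions that do not appear on the page (they are the standard macOS way to pass environment variables to launched programs), the function names are hypothetical, and the sample tree is constructed. It walks the given roots for `.app` bundles instead of assuming `/Applications/Safari.app`.

```python
import os
import plistlib
import tempfile

DROPPERS = {".jupdate", ".mkeeper", ".flserv", ".null", ".rserv"}  # names from the excerpt
AGENTS = {"com.java.update.plist", "com.adobe.reader.plist", "com.adobe.flp.plist", "null.plist"}
INJECT = "DYLD_INSERT_LIBRARIES"  # assumption: dyld variable, not named on the page

def load_plist(path):
    """Parse an XML or binary plist; return {} if missing or malformed."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
        return data if isinstance(data, dict) else {}
    except Exception:
        return {}

def scan(home, app_roots):
    """Return sorted (kind, path, detail) leads for manual review."""
    hits = [("dropper", os.path.join(home, n), n) for n in DROPPERS
            if os.path.isfile(os.path.join(home, n))]
    agents = os.path.join(home, "Library", "LaunchAgents")
    for fn in os.listdir(agents) if os.path.isdir(agents) else []:
        pl = load_plist(os.path.join(agents, fn))
        prog = str((pl.get("ProgramArguments") or [pl.get("Program", "")])[0])
        if fn in AGENTS or os.path.basename(prog).startswith("."):  # listed name or hidden program
            hits.append(("launchagent", os.path.join(agents, fn), prog))
    env = os.path.join(home, ".MacOSX", "environment.plist")
    if lib := load_plist(env).get(INJECT):
        hits.append(("environment", env, str(lib)))
    for root in app_roots:  # walk, so bundles moved into sub-folders are still checked
        for d, subdirs, _ in os.walk(root):
            if d.endswith(".app"):
                subdirs[:] = []  # bundle found; do not descend into it
                info = os.path.join(d, "Contents", "Info.plist")
                ls_env = load_plist(info).get("LSEnvironment")  # assumption: key not on the page
                if isinstance(ls_env, dict) and ls_env.get(INJECT):
                    hits.append(("info_plist", info, str(ls_env[INJECT])))
    return sorted(hits)

def make_sample(base):
    """Build a constructed (fake) home and application tree under base."""
    home, apps = os.path.join(base, "home"), os.path.join(base, "Applications")
    files = {
        home + "/Library/LaunchAgents/com.java.update.plist": {"ProgramArguments": [home + "/.jupdate"]},
        home + "/.MacOSX/environment.plist": {INJECT: "/constructed/a.so"},
        apps + "/Browsers/Safari.app/Contents/Info.plist": {"LSEnvironment": {INJECT: "/constructed/b.so"}},
        apps + "/Clean.app/Contents/Info.plist": {"CFBundleName": "Clean"},
    }
    for path, obj in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            plistlib.dump(obj, fh)
    open(home + "/.jupdate", "wb").close()
    return home, [apps]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*scan(*make_sample(tmp)), sep="\n")
```

On a real machine the call would be `scan(os.path.expanduser("~"), ["/Applications"])` plus any other folders that hold applications. Each hit is a lead to inspect, since legitimate software can share an agent name or set the same variable.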

riddance (0)

Anonymous Coward | more than 2 years ago | (#39667867)

Honestly I can't possibly fathom a single good reason to allow Java in your web browser. Any dev incorporating applets for even the smallest, optional web functionality should raise eyebrows amongst his peers.

Re:riddance (1)

ColdWetDog (752185) | more than 2 years ago | (#39668091)

NOAA satellite loops are, unfortunately, done in Java and were last updated sometime before half of Slashdot's current user base were born.

Re:riddance (1)

b5bartender (2175066) | more than 2 years ago | (#39668493)

NOAA has actually migrated away from Java.........to Flash [noaa.gov] . (no, not kidding.) That's bureaucracy for you.

Re:riddance (0)

Anonymous Coward | more than 2 years ago | (#39670329)

Every bank in Norway uses something called "BankID" for accessing services through the browser, and it's programmed in Java.

Re:riddance (1)

boristhespider (1678416) | more than 2 years ago | (#39672625)

It's also slow as fuck and pisses me off every time I have to log into my account, but it's an unescapable evil.

LOL (-1)

Anonymous Coward | more than 2 years ago | (#39667893)

I seriously laugh at all the fucking mac haters that post their ignorance in all these stories... Funny shit guys, thanks.

A genuine Achievement for Apple (0, Funny)

Anonymous Coward | more than 2 years ago | (#39667975)

They have managed to get a 'Flash' application going on their machines.

Phew (1)

Trogre (513942) | more than 2 years ago | (#39668187)

When this debacle started, I mis-parsed an article heading and was worried Apple was trying to eradicate Flashblock, and had grave fears for the web.

Does It Tell You (0, Interesting)

Anonymous Coward | more than 2 years ago | (#39668389)

that you were infected? I'd like to know, I checked myself but could have missed it

Re:Does It Tell You (0)

Anonymous Coward | more than 2 years ago | (#39671037)

If you're infected, it tells you. Otherwise the update exits silently.

java sucks (0)

Anonymous Coward | more than 2 years ago | (#39668409)

flash and java, worst shit since windows

Least priv/option reset without consent is malware (4, Insightful)

Anonymous Coward | more than 2 years ago | (#39668691)

They're trying to prevent malware by installing their own malware.

It is absolutely right to disable Java by default. Even the behaviour of disabling it if not used for a while COULD have been a useful feature IF they turned that behaviour on by default then provided an option to disable it. By taking it out of the user's hands they're just playing nanny. But like any nanny stuck in an office many years and many miles away they can't anticipate the needs of their entire userbase very well. They have just made it a pain for any user to use Java in a browser on their platform. No one needs a computer that decides not to obey settings the user had set (no matter how long ago). Think of what would happen if every setting on your computer set to defaults every week or two.

I can think of ways around this that don't require any technical savvy. Put a local Java applet in as your homepage for instance. But this is clunky. You should be able to say "no I really do know better" and turn on Java.

This is the problem when applying the principle of least privilege. It is also the principle of least innovation and the principle of most annoyance. The bottom line is no one needs access to a computer just to live and breathe. Least privilege is oxygen, water, basic food. Wouldn't be much of a fun life.

Re:Least priv/option reset without consent is malw (0)

Anonymous Coward | more than 2 years ago | (#39670681)

They disabled automatic execution of Java applets (automatic execution can be re-enabled by the user). This is a good thing and is not malware. The issue here is that very few users "set" the initial setting, it was either automatic execution enabled (the previous default), or automatic execution disabled (the new default).

This patch then only affects users who have: 1. disabled automatic execution, 2. re-enabled it. This is probably a handful of users at most.

The issue here is that they probably did not store that the user had previously changed the setting. And so have no idea that the user isn't simply using the default setting — which is what it looks like. The only option this patch has is to set the new default and allow the user to change it back.

By your definition any software that changes its default settings after the user has set them is malware. While I would agree in some cases it is undesirable (key bindings, for instance), in this case it is a good thing and possibly the only option due to the current implementation of the feature.

Re:Least priv/option reset without consent is malw (0)

Anonymous Coward | more than 2 years ago | (#39671465)

I just tried the update, and all you have to do is to click on the block labeled "Addin Disabled" to turn it back on, so not very much of a pain at all.

Re:Least priv/option reset without consent is malw (0)

Anonymous Coward | more than 2 years ago | (#39672363)

It is absolutely right to disable Java by default. Even the behaviour of disabling it if not used for a while COULD have been a useful feature IF they turned that behaviour on by default then provided an option to disable it. By taking it out of the user's hands they're just playing nanny.

What, like firefox? There are some programs that I need to have on my computer for development (including java & .net), but I DON'T want them as browser plugins, ever. Firefox makes it very difficult to remove these plugins - you either have to modify the registry, or go through some obscure about:config entries.

I want to click on the plugin, choose delete, and it's GONE, never to return to firefox.

One thing I'd like to know - where does it look? (1)

boristhespider (1678416) | more than 2 years ago | (#39672669)

Within a day of the attack being announced various security blogs (and then Ars Technica) were posting directions for finding if you were infected. Each of those assumed that you'd left Safari and Firefox (and any other browser you might have been using) in the Applications folder. Since I get pissed off wading through jumbled, alphabetical lists of totally different programs, I organise my Applications folder into sub-folders. While I can go and check the programs myself from the command line, from my own experience talking even with other scientists let alone my parents, many others won't be able to do so... but might have the know-how to rearrange their Applications folder.

Does anyone know whether Apple actually search through the installed directories of browsers, or just default locations?

Re:One thing I'd like to know - where does it look (1)

Anonymous Coward | more than 2 years ago | (#39672885)

Oh, you're one of those users that takes it upon themselves to "organize" their Apps folder. You make your Mac support people cry and die a little bit inside.
