Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Apple Hit By Hackers Who Targeted Facebook

Soulskill posted about a year and a half ago | from the getting-hacked-is-now-the-trendy-thing-to-do dept.

Java 148

snydeq writes "Apple was recently attacked by hackers who infected the Macintosh computers of some employees, the company said on Tuesday in an unprecedented disclosure that described the widest known cyber attacks against Apple-made computers to date, Reuters reports. 'The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers, was used to launch attacks against Facebook, which the social network disclosed on Friday. ... A person briefed on the investigation into the attacks said that hundreds of companies, including defense contractors, had been infected with the same malicious software, or malware. The attacks mark the highest-profile cyber attacks to date on businesses running Mac computers.'"

Sorry! There are no comments related to the filter you selected.

Hackers reported that the malware "just worked." (5, Funny)

crazyjj (2598719) | about a year and a half ago | (#42947931)

Thank you folks, I'll be here all week.

Re:Hackers reported that the malware "just worked. (-1, Troll)

kutahuja (2845699) | about a year and a half ago | (#42948055)

http://www.cloud65.com/ [cloud65.com] as Linda answered I'm surprised that a mother can get paid $4920 in 4 weeks on the internet. have you seen this web site

Re:Hackers reported that the malware "just worked. (-1)

Anonymous Coward | about a year and a half ago | (#42948203)

I'm surprised random douche bags like yourself haven't been beaten to death yet.

Re:Hackers reported that the malware "just worked. (3, Insightful)

jhoegl (638955) | about a year and a half ago | (#42948095)

Being that this was a Java exploit which required a visit to a website at the least, I would say that those that got infected have more time on their hands than they know what to do with.
Security starts and ends with the user. If someone gets a virus, it is most likely that they do not care, are not paying attention, or are clicking on stupid links that go to stupid things that are not related to their work duties.
Corporations have yet to learn that training is required (less than 30 minutes to show someone the tricks to look out for), and an actual damage assessment and punishment system in relationship to breaches.
Sure IT may get an increase in calls at the start, but it is worth it in the long run.

Re:Hackers reported that the malware "just worked. (-1, Troll)

Anonymous Coward | about a year and a half ago | (#42948247)

It *was* related to their work duties, jerk.

Re:Hackers reported that the malware "just worked. (-1, Troll)

Anonymous Coward | about a year and a half ago | (#42948443)

But...they were using Apples. Everyone knows that the Apple OSs can't be hacked. So it is perfectly OK to click on any link that strikes ones fancy. Isn't it?

Re:Hackers reported that the malware "just worked. (4, Insightful)

theVarangian (1948970) | about a year and a half ago | (#42948829)

But...they were using Apples. Everyone knows that the Apple OSs can't be hacked. So it is perfectly OK to click on any link that strikes ones fancy. Isn't it?

You do realise that this was a bug in Oracle Java don't you? That's a cross platform vulnerability, the Mal/JavaJar-B trojan for example also affected Windows, Linux and Unix systems.

Re:Hackers reported that the malware "just worked. (2, Insightful)

Anonymous Coward | about a year and a half ago | (#42948963)

Being cross platform still means it affected Macs. So the GPs tirade against the idea that Macs are immune to malware is valid. The GP was not claiming that other systems were immune to it.

Re:Hackers reported that the malware "just worked. (4, Informative)

theVarangian (1948970) | about a year and a half ago | (#42949395)

Being cross platform still means it affected Macs. So the GPs tirade against the idea that Macs are immune to malware is valid. The GP was not claiming that other systems were immune to it.

No Apple user I know and who has even basic knowledge of what malware is claims Macs are immune to malware. Even totally clueless 'drone' type users don't assume that. I know because a friend of mine has a small Apple shop and people regularly show up at his dealership and ask about infection risks on OS X and half the time they walk out with a free info booklet on malware and having bought a basic anti malware suite (he installs and configures it for free). This guy is just another nerdy zealot venting his irrational hatred of all things Apple. That "OS X is immune to malware and h4x0rs" mantra is so old it has whiskers on it and regurgitating it makes him just as lame as those sad plonkers who still spell Microsoft with a $ sign.

Re:Hackers reported that the malware "just worked. (0)

Anonymous Coward | about a year and a half ago | (#42949435)

You do realise that this was a bug in Oracle Java don't you? That's a cross platform vulnerability, the Mal/JavaJar-B trojan for example also affected Windows, Linux and Unix systems.

A few years ago, when Apple shipped iPods with Windows Virus they said "As you might imagine, we are upset at Windows for not being more hardy against such viruses... [apple.com] ". So now they now should be upset with themselves.

Re:Hackers reported that the malware "just worked. (4, Informative)

theVarangian (1948970) | about a year and a half ago | (#42949679)

You do realise that this was a bug in Oracle Java don't you? That's a cross platform vulnerability, the Mal/JavaJar-B trojan for example also affected Windows, Linux and Unix systems.

A few years ago, when Apple shipped iPods with Windows Virus they said "As you might imagine, we are upset at Windows for not being more hardy against such viruses... [apple.com] ". So now they now should be upset with themselves.

Actually, before you ripped it out of context, the full quote was: "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it." So even at the time they admitted they were upset with themselves even though they could't help but take a shot at Microsoft for reasons that have to do with events that took place while you were probably still in diapers. Come to think of it I could fill a book with snide comments by Linux Fanbois about Windows security made on this forum, comments that ignore the fact that there is way more malware targeted at Windows than there malware targeted at Linux. If you take that into account Microsoft is doing a pretty good job on security, snide comments by Apple Marketing drones and Slashdot Linux fanbois not withstanding.

Re:Hackers reported that the malware "just worked. (5, Informative)

pszilard (1681120) | about a year and a half ago | (#42948469)

Being that this was a Java exploit which required a visit to a website at the least, I would say that those that got infected have more time on their hands than they know what to do with.

That was a bit quick to jump to conclusions:

Rather than using typical targeted approaches like "spear phishing" with e-mails to individuals, the attackers used a "watering hole" attack—compromising the server of a popular mobile developer Web forum and using it to spring the zero-day Java exploit on site visitors.

"The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected," Sullivan told Ars, "regardless of how patched their machine was."

Source: http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/ [arstechnica.com]

Smaller subset than you would think (2)

SuperKendall (25149) | about a year and a half ago | (#42948987)

any engineer who visited the site and had Java enabled in their browser would have been affected

It seems like not many Mac developers would have been affected - because (1) you have to specifically install Java, and (2) as the response from Apple states Java (in the browser) is disabled if you do not use it for 35 days...

But it would be great to know the sites involved so we would know if we were at risk.

Re:Smaller subset than you would think (-1)

Anonymous Coward | about a year and a half ago | (#42949067)

Spin, spin, spin.

Does Apple pay you for all your apologetics?

Re:Hackers reported that the malware "just worked. (1)

jhoegl (638955) | about a year and a half ago | (#42949059)

Perhaps in this case it was a targeted site that was compromised, but the point still stands.
By making it harder to "phish" people, they must use other means which potentially expose them much easier than an email spam campaign.
It also points out the problem with complex coding platforms like Java.
As I never liked Java because of many other factors, this is just icing on the cake to my issues with it. Java is terrible.

Re:Hackers reported that the malware "just worked. (0, Flamebait)

Anonymous Coward | about a year and a half ago | (#42948889)

And it was so light and thin.

That's Impossible! (-1, Troll)

Thrill Science (2845693) | about a year and a half ago | (#42947973)

Apple's advanced 1969-era OS is "secure by design". It is immune from viruses, and there's no need to run a virus scanner.

Re:That's Impossible! (0)

Lisias (447563) | about a year and a half ago | (#42948075)

They hired Robert T. MORRIS.

Re:That's Impossible! (2, Informative)

kthreadd (1558445) | about a year and a half ago | (#42948189)

According to TFA the eploit was in Oracle's version of Java, a third party product that was installed on the machine. Hardly something that the OS could be blamed for.

Re:That's Impossible! (5, Insightful)

ByOhTek (1181381) | about a year and a half ago | (#42948309)

Funny, if it's Windows that gets hit, the first thing said around here is that the OS should be secure enough to prevent such attacks.

And, unless the attack affects one user account only... They are right. That goes for Windows, MacOS, Linux, *BSD, and INSERT_ANY_OTHER_FSCKING_OS_HERE

Re:That's Impossible! (1)

Thrill Science (2845693) | about a year and a half ago | (#42948509)

Exactly! Yet the /. cabal calls *me* a troll!

Re:That's Impossible! (1)

nightfury (2826503) | about a year and a half ago | (#42948525)

This post should be modded up an additional forty, with a side note that it applies to mobile OSes as well.

Re:That's Impossible! (2, Insightful)

Anonymous Coward | about a year and a half ago | (#42948885)

And, unless the attack affects one user account only...

If the goal is to penetrate a company's systems, one user account is all you need. From there you can get the credentials to get to the juicy stuff.

Multiuser OSes essentially only protect the system files. Guess what? Hackers don't care about your system files. They want your user data.

That's because the holes come with the OS (-1, Flamebait)

SuperKendall (25149) | about a year and a half ago | (#42949041)

Funny, if it's Windows that gets hit, the first thing said around here is that the OS should be secure enough to prevent such attacks.

That's because the attacks are usually around IE or open ports. So of course people would blame the OS for the security failure.

Re:That's because the holes come with the OS (1)

benjymouse (756774) | about a year and a half ago | (#42949611)

Funny, if it's Windows that gets hit, the first thing said around here is that the OS should be secure enough to prevent such attacks.

That's because the attacks are usually around IE or open ports. So of course people would blame the OS for the security failure.

If the attacks are "usually" around IE or open ports, when was the last such attack?

Re:That's Impossible! (1)

kthreadd (1558445) | about a year and a half ago | (#42949211)

Funny, if it's Windows that gets hit, the first thing said around here is that the OS should be secure enough to prevent such attacks.

Well, that's what they are doing with iOS. However some people have objections about that as well.

Re:That's Impossible! (4, Informative)

FrankSchwab (675585) | about a year and a half ago | (#42948381)

Well, not having the details at hand (although I did RTFA), it seems that the OS allowed a user app to corrupt the system.

So, yes, I can blame it on the OS. Java may have been the initial vector that allowed the malware entry to the system, but the OS allowed the malware to do things it shouldn't have been able to.

Re:That's Impossible! (1)

gstoddart (321705) | about a year and a half ago | (#42948505)

So, yes, I can blame it on the OS. Java may have been the initial vector that allowed the malware entry to the system, but the OS allowed the malware to do things it shouldn't have been able to.

Well, to play devil's advocate -- does the install of Java end up bypassing some of the security?

I see a lot of stuff which doesn't want to install into user space, but wants Admin rights and wants to integrate tightly with other things. At which point, installing what should be trusted software is really just opening you up to all sorts of problems.

Though, at this point, it's hard not to conclude that all versions of Java browser plugins are insecure and not to be trusted.

Re:That's Impossible! (1, Insightful)

trdtaylor (2664195) | about a year and a half ago | (#42948085)

Introducing the new Viri virus scanner, for only $30 it will prevent all infections and coo to you while it does it!

Scan different

Re:That's Impossible! (0)

Anonymous Coward | about a year and a half ago | (#42949261)

Introducing the latest SomeAntic Antivirus.

We Hose Your Computer, So Viruses Don't Have To!!

Re:That's Impossible! (1, Informative)

guruevi (827432) | about a year and a half ago | (#42948101)

Yes, Unix is secure by design and Mac OS X has a built-in virus scanner. There is no need to run additional software as none of it would've stopped this exploit short of disabling Java (which was also lauded as secure by design/sandboxing)

Re:That's Impossible! (1, Informative)

Thrill Science (2845693) | about a year and a half ago | (#42948245)

Virus scanners on Windows catch Java exploits! Having a virus scanner technology could have prevented this.

Re:That's Impossible! (1, Insightful)

Anonymous Coward | about a year and a half ago | (#42948271)

>Java
>secure
Choose one

Re:That's Impossible! (4, Funny)

the_B0fh (208483) | about a year and a half ago | (#42948285)

I think you've got Mac OS X mixed up with OpenBSD.

Re:That's Impossible! (5, Informative)

v1 (525388) | about a year and a half ago | (#42948449)

Apple's advanced 1969-era OS is "secure by design". It is immune from viruses, and there's no need to run a virus scanner.

Trojan != Virus for the love of god trolls, please learn this. I am sooo tired of hearing trojans being called viruses. They're both "malware", but that's where it ends.

Anyway, this is why Apple is getting really sick and tired of Flash and Java, they've been the top two security thorns in their side for the last decade. Feeding the Apple bashers and giving Apple a bad rap. Apple doesn't write the flash or java interpreters, they don't have much control over the code monkeys at oracle and adobe.

Re:That's Impossible! (2, Insightful)

crazyjj (2598719) | about a year and a half ago | (#42948545)

Let's be honest here. Apple doesn't dislike Flash and Java because of security. They dislike them because people can use them to play games and use apps without Apple getting their 30% cut.

Re:That's Impossible! (1)

mlts (1038732) | about a year and a half ago | (#42948595)

On OS X, I can purchase/download a game from a third party maker, and be off and running. In fact, there are a few utilities (InsomniaX) that are not up for sale in Apple's store due to doing low level kernel functions.

Now, iOS is a different story. Without a JB, one is forced to go through iTunes (beta apps, or enterprise apps) or they go through the App Store. However, this doesn't apply to OS X.

Re:That's Impossible! (2, Insightful)

Anonymous Coward | about a year and a half ago | (#42949161)

On OS X, I can purchase/download a game from a third party maker, and be off and running.

For now.

Give it a few more releases (assuming Apple still thinks they're on top of the world then). They'll make it harder and harder to do just that, until finally you're jailbreaking your laptop to install programs. And you'll just treat that as standard operating procedure.

Re:That's Impossible! (0)

Anonymous Coward | about a year and a half ago | (#42949349)

Microsloth is trying this crap with their suggestion that they should decide what apps I can run on MY machine.

It'll either never happen or will induce the largest Linux/FOSS migration in 20 years....LOL

Re:That's Impossible! (5, Interesting)

v1 (525388) | about a year and a half ago | (#42948757)

They don't like it because you have to run an update twice a week to keep up with the latest exploits found in flash and java. IF oracle/adobe were generous enough to roll up an update this week for the new exploits.

And the boneheads at oracle kept insisting on rolling up whole new installers most of the time, that would only work if you had the previous version installed. (installer or updater make up your mind!) So you'd install vers 10, then 11, then 12, then 12.1, then 13, then 14, most of which were 55-56mb each. Idiots. Java needs to die in a fire. And I'll bring the marshmallows.

It's not entirely oracle and adobe's fault though really... they're just keeping it up because devs keep using it. I'll admit it, writing games in flash (or java) is pretty quick and easy. But quick-n-easy comes at a price, a price to the users

There is no OS-based security. (1, Interesting)

i kan reed (749298) | about a year and a half ago | (#42948001)

Among my computers is a windows machine. I have no fear of being compromised because it has no exposed ports, a safe browser, and all 3rd party plugins disabled until I activate them.
I also have an android phone, and I'm near certain it'll get malware from an advertisement someday, because I have no means of blocking anything. It has nothing to do with the underlying safety of the system, but always the weakest link the chain.

Re:There is no OS-based security. (3, Informative)

gstoddart (321705) | about a year and a half ago | (#42948257)

I also have an android phone, and I'm near certain it'll get malware from an advertisement someday, because I have no means of blocking anything.

AdBlock runs just fine on an Android phone, in case you didn't know. I put it on mine pretty much the day I got it.

POSTING AS AC (0)

Anonymous Coward | about a year and a half ago | (#42948281)

Among my computers is a windows machine. I have no fear of being compromised because it has no exposed ports, a safe browser, and all 3rd party plugins disabled until I activate them.
I also have an android phone, and I'm near certain it'll get malware from an advertisement someday, because I have no means of blocking anything. It has nothing to do with the underlying safety of the system, but always the weakest link the chain.

I don't understand - explain each and every line.

I'm not in security. Please help in my ignorance ....

Re:POSTING AS AC (0)

Anonymous Coward | about a year and a half ago | (#42948749)

Among my computers is a windows machine.

Slashdogma is that Windows will inherently have more infections than a discount callgirl.

I have no fear of being compromised because it has no exposed ports,

It ignores outside communications.

a safe browser,

Hard to say without more details, but almost any browser younger than 1-digit Firefox releases can be configured to be safe.

and all 3rd party plugins disabled until I activate them.

He turns off Java, Flash, ActiveX, etcetera until he decides it is important to have one of them on.

I also have an android phone,

If you don't know why this matters here, go read a few more articles.

and I'm near certain it'll get malware from an advertisement someday, because I have no means of blocking anything.

Unless you get the right non-standard Android-like replacement OS for your mobile device, Android applications will ask for permissions once. They tend to ask for a lot more permission than needed to do their stated job, and if you disagree it does not run. This can be contrasted to Windows with a Firewall blocking unwanted outgoing communications and that awkward greyscreen asking when something wants to change your registry.

It has nothing to do with the underlying safety of the system, but always the weakest link the chain.

Re:POSTING AS AC (1)

NatasRevol (731260) | about a year and a half ago | (#42948915)

He turns off Java, Flash, ActiveX, etcetera until he decides it is important to have one of them on.

And acts like this will stop him from getting a java/flash/activex malware.

It won't.

Re:POSTING AS AC (1)

i kan reed (749298) | about a year and a half ago | (#42949051)

How exactly is software that doesn't run going to get exploited, pray tell? Objects dependent on any code outside firefox are replaced with plain-boring html until I click-to-run them, which is the only time their associated libraries get loaded into memory at all.

Re:POSTING AS AC (1)

NatasRevol (731260) | about a year and a half ago | (#42949661)

Seriously?

It'll get exploited when he is running it.

Re:There is no OS-based security. (1)

AmiMoJo (196126) | about a year and a half ago | (#42948487)

Chrome for Android is safe. Plugins are click-to-play and you can even disable Javascript. Adblock is available for Android and all apps run sandboxed. It is basically as safe or better than your desktop, the biggest vulnerability being user stupidity.

Re:There is no OS-based security. (1)

Lazere (2809091) | about a year and a half ago | (#42949789)

Take a look at your app permissions for me. It doesn't matter that they're sandboxed if they have access to things they shouldn't have access to.

Re:There is no OS-based security. (1)

mlts (1038732) | about a year and a half ago | (#42948653)

There are things to do to help mitigate chances of malware on Android, especially if one has root:

1: There are AdBlock-like utilities available for Android which can actively firewall, add hosts entries, or block on the app layer.

2: For older versions of the OS, there used to be an app called LBE Privacy Guard, which would prevent apps that wanted full kitchen sink perms from being able to do their dirty deeds.

3: Some Android ROMs allow permissions to be edited. That way, an app wanting all and sundry might get the ability to yak on the network, but that's it.

4: Droidwall is an old standby. Unless one explicitly wants an app to hit the network, it won't.

Android has a good amount of privacy/security tools available. However, Android's main weakness is that the app stores need to have two tiers, one tier being the default, with rigorous app scanning, then the other tier as we have now, with phones set to only access the more policed tier as default.

Re:There is no OS-based security. (2)

inglorion_on_the_net (1965514) | about a year and a half ago | (#42949455)

a safe browser

A what?

Web browsers are complex software, I would say on about the same level as Oracle's Java implementation, or the Flash plugin. The ones in common use are all written in C++, which is perfectly capable of expressing programs with exploitable security holes in them. I would say that the probability that your web browser is free of exploitable holes is about the same as the probability of that being true of Java or Flash. In other words, I hope waking up from that dream won't be too harsh.

I guess they didn't have to "think different" (-1, Flamebait)

Anonymous Coward | about a year and a half ago | (#42948007)

Seems Macs can be hacked just like everything else...

Re:I guess they didn't have to "think different" (2)

kthreadd (1558445) | about a year and a half ago | (#42948221)

Of course they can, especially when the hacked software was an installed copy or Oracle's version of Java.

Re:I guess they didn't have to "think different" (0)

the_B0fh (208483) | about a year and a half ago | (#42948299)

Well, to be fair, it is a *different* virus... :)

Facebook (1)

Anonymous Coward | about a year and a half ago | (#42948021)

compromising your privacy and security since 2004...

Apple users (-1)

Anonymous Coward | about a year and a half ago | (#42948467)

burying their heads in the sand since 1984...

Re: Apple users (0)

Anonymous Coward | about a year and a half ago | (#42948549)

Qft

Re:Apple users (5, Informative)

Macgrrl (762836) | about a year and a half ago | (#42948983)

I used to do Mac support and have spent plenty of time removing viruses from the old Mac System 6/7/8/9.x machines. I have never seen a Mac OSX virus 'in the wild'.

Like any other form of security theatre, if you go long enough without being attacked, you get alert fatigue and begin to consider the threat negligible or non-existent and begin to consider yourself immune. I don't even have an anti-virus software on my home computers and would probably need to hear about a mass outbreak before I would consider installing any given my experiences of the performance hit windows machines seem to take when running anti-viral software.

I used to swear by McAffe or Norton's, now I consider them potentially worse than half the malware out there for how they turn a perfectly good machine to molasses.

Macs don't get viruses (1, Funny)

Anonymous Coward | about a year and a half ago | (#42948027)

I suspect this is an elaborate hoax perpetrated by Microsoft or possibly Google.

Re:Macs don't get viruses (0)

Anonymous Coward | about a year and a half ago | (#42948967)

Or Oracle...

Re:Macs don't get viruses (1)

Anonymous Coward | about a year and a half ago | (#42949251)

I suspect this is an elaborate hoax perpetrated by Microsoft or possibly Google.

In a week or two, someone finally manages to throw back the curtain to find... *gasp*.... THE ORIGINAL NEXT CUBE TEAM, back for revenge?!?

"You thought you were rid of us, didn't you? Jobs thought that, too. And Jobs forgot to buy US out! We're here to take back what's ours!"

We're taking national defense seriously. (-1)

Anonymous Coward | about a year and a half ago | (#42948057)

Wait... What. "...defense contractors... running Mac computers." ?????????????

Re:We're taking national defense seriously. (0)

Anonymous Coward | about a year and a half ago | (#42948117)

as opposed to all the ones running windows? Ever seen the computer banks at a military base? I would expect MOST of them have been compromised by adware/malware or the like.

I like Macs (0, Redundant)

Anonymous Coward | about a year and a half ago | (#42948103)

And I've only owned and used PCs for the past 15-20 years. Yes, Macs it does just *work* but never did I ever consider it 100% or foolproof. I like their design and simplicity. But I'm also learning Bash shell in Red hat which throws me back to the DOS days and I like it even better. I can't stand people who put Macs on a pedestal and glamorize its terminal and *nix roots. True, it's there and functional but the people who preach that to me have never used it.

At the end of the day, computers are just tools, and the perceived danger is proportional to what kind of data is in the computer and the particular role the computer is playing in the workplace/ home. If I'm just storing movies or working as an occasional render machine, then it's disposable as far as I'm concerned. But if it's mission-critical, then I treat it like Fort Knox with several layers of security and backup plans.

Anyways, computers are just tools and I believe the attack vector will always be the operator. Seems like Spear Phishing is the best balanced attack for the amount of effort these days.

Java in the Browser? (1)

tonywestonuk (261622) | about a year and a half ago | (#42948151)

'The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers"

I thought Apple disabled Java in the browser months ago?

Re:Java in the Browser? (1)

kthreadd (1558445) | about a year and a half ago | (#42948267)

They block individial versions which are known to be vulnerable. New versions are not blocked unless they are also found to be vulnerable. And if you absolutely want to run a vulnerable version you can just activate it yourself.

Re:Java in the Browser? (1)

Joce640k (829181) | about a year and a half ago | (#42948383)

They block individial versions which are known to be vulnerable.

At this point in history, can't we assume that's "all of them" and start whitelisting?

You can sense the glee in the writeups... (2, Insightful)

RocketRabbit (830691) | about a year and a half ago | (#42948155)

This is such a delicious day for the tech "press" because despite their constant barrage of warnings to the contrary, Apple viruses have been pretty much non-existent. Sure, OS X has had some vulnerabilities, but they were generally in various Unix packages and daemons, and those same problems generally affected Linux and BSDs and Solaris and so forth.

Anyway, my question: who the hell uses Java as a browser plugin anyway? On my rigs, it is disabled and has been for years. It's still installed (unlike Flash) because some desktop software needs it, but in the browser? Fuck that.

Re:You can sense the glee in the writeups... (2, Informative)

Anonymous Coward | about a year and a half ago | (#42948493)

Any IT worker that has to deal with:

EMC SAN Management
Brocade SAN Switch Management
Citrix Netscalers
Various random pieces of network equipment with horrible GUIs
etc, etc, etc.

If a device has a web gui that is doing anything remotely complicated, 99% chance it will require Java. Bonus points if it requires an ancient old version to work.

Re:You can sense the glee in the writeups... (1)

RocketRabbit (830691) | about a year and a half ago | (#42948543)

Don't those products all support terminal controls over SSh as well?

Yeah, though, e state of "enterprise" management tools is pretty sad. These devices go for tens of thousands to perhaps even millions of dollars a pop, and the management software / GUI control options seem like they were created for people who failed elementary school.

Re:You can sense the glee in the writeups... (1)

mlts (1038732) | about a year and a half ago | (#42948719)

If given the choice of command-line SSH tools versus a broken Java-based web UI, just give the SSH tools. One can write a front-end if they really felt like it then.

To boot, why is Java even needed these days on the client end? HTML5 + Javascript can do a lot. I can generate RSA keys using JS using aSSL.

Re:You can sense the glee in the writeups... (1)

RocketRabbit (830691) | about a year and a half ago | (#42949569)

It's not needed, it's just momentum. After all, the CIO knows from reading Gartner reports that Java is "enterprise-ready" and so that's good enough for him!

Re:You can sense the glee in the writeups... (1)

AmiMoJo (196126) | about a year and a half ago | (#42948515)

Correct me if I'm wrong but isn't Java included with the OS? Last time I installed MacOS (IIRC it was Leopard) Java was there and required me to install multiple updates (and reboot after every one). The updates were in the system updater app along with all the OS and Apple app updates.

Re:You can sense the glee in the writeups... (0)

Anonymous Coward | about a year and a half ago | (#42948743)

Not anymore. Apple pulled Java support after the billionth exploit.

Not only not included, disabled later too (2)

SuperKendall (25149) | about a year and a half ago | (#42949003)

Correct me if I'm wrong but isn't Java included with the OS?

No, you have to download and install it.

And even if you do that, if Java is not used for 35 days the system disables it.

Now THAT's how to handle Java so most people will not get burned...

Re:You can sense the glee in the writeups... (1)

jbmartin6 (1232050) | about a year and a half ago | (#42948535)

In the business world, there are hordes of 'web based applications' that use java from the browser.

Re:You can sense the glee in the writeups... (1)

sribe (304414) | about a year and a half ago | (#42948607)

Anyway, my question: who the hell uses Java as a browser plugin anyway?

Enterprisey bullshit: HR/time tracking apps, medical apps, CRM, and so on...

Re:You can sense the glee in the writeups... (1)

thetoadwarrior (1268702) | about a year and a half ago | (#42948741)

A lot of businesses do conferencing and desktop sharing through java applets so it's more likely companies will be running them than consumers.

Re:You can sense the glee in the writeups... (2)

scarlac (768893) | about a year and a half ago | (#42948925)

Actually... Everyone in Denmark, thanks to the national authentication system called "EasyID" (translation). It forces people to have Java enabled. Nobody likes it, but we're forced to use it.

Re:You can sense the glee in the writeups... (1)

gtall (79522) | about a year and a half ago | (#42949403)

Anyone who has to use Oracle forms.

Here's what Apple said on their website (5, Funny)

Thrill Science (2845693) | about a year and a half ago | (#42948183)

They have since removed this:

Highly secure by design

Mac OS X doesn't get PC viruses. And with virtually no effort on your part, Mac OS X protects itself from other malicious applications. It was built for the Internet in the Internet age, offering a variety of sophisticated technologies that help keep you safe from online threats. Because every Mac ships with a secure configuration, you don't have to worry about understanding complex settings. Even better, it won't slow you down with constant security alerts and sweeps. And Apple responds quickly to online threats and automatically delivers security updates directly to your Mac.

Re:Here's what Apple said on their website (4, Insightful)

Anonymous Coward | about a year and a half ago | (#42948929)

And Apple responds quickly to online threats and automatically delivers security updates directly to your Mac.

I'm sure you're trying to make a point with this post but the thing is that quote is accurate. Especially the last sentence. You see, Apple identified the security issue (third party Java plug ins) and have already released an update that deals with the problem. They didn't wait weeks (or months...) - they responded to the online threat quickly.

So, while I can guess what point you were trying to make with your post, I must say I don't think you quite succeeded...

Only if they used windows! (0)

Anonymous Coward | about a year and a half ago | (#42948211)

Only if they used windows then the users would have noticed something was wrong. Oh wait...

Dupe article (0)

Anonymous Coward | about a year and a half ago | (#42948297)

What is new in this post compared to the last one?

Java 6 SE vs Java 7 SE ? (1)

SpaceManFlip (2720507) | about a year and a half ago | (#42948391)

So it sounds like the newer, Oracle Java 7 SE was the vulnerable hole? Also hasn't that been the case for the last several months' worth of "Java Exploit" headlines?
I am's be wonderin' .... who need dat Java 7 anyway? What is it's be for?
I never installed it, just running the good ole' Java 6 SE which lets me run all the crap the interwebs brangs forth towards me.

Which version of Java? (0)

Anonymous Coward | about a year and a half ago | (#42948427)

TFA doesn't say which version of Java was responsible, only "a version". Was it Apple's modified Java 6, Oracle's latest and greatest Java 7, something in between, or something earlier?

Re:Which version of Java? (1)

kthreadd (1558445) | about a year and a half ago | (#42949257)

It says it was Oracle Java, and Oracle does not provide Java 6 for OS X so it must have been Java 7.

Is there an App for that? (0)

sl4shd0rk (755837) | about a year and a half ago | (#42948435)

Yes.

WHAT popular mobile developer Web forum? (1)

jtara (133429) | about a year and a half ago | (#42948567)

"compromising the server of a popular mobile developer Web forum"

So far, all of the press reports and statements from those compromised have left off the most important bit of information: WHAT "popular mobile developer Web forum" was used?

One would imagine this would be important information to disseminate to developers...

Re:WHAT popular mobile developer Web forum? (4, Informative)

tsamsoniw (1731366) | about a year and a half ago | (#42948947)

According to The New York Times: "But according to a person with knowledge of Facebook’s investigation, the compromised site, iPhonedevsdk, an online forum for software developers, is still infected. (In other words, unless you want to be owned by hackers, do not visit the site.)" http://bits.blogs.nytimes.com/2013/02/19/apple-computers-hit-by-sophisticated-cyberattack/ [nytimes.com]

Re:WHAT popular mobile developer Web forum? (1)

SuperKendall (25149) | about a year and a half ago | (#42949025)

Thanks - that's one.

If StackOverflow were also infected at any point, then I would start to be concerned... that's the primary site developers use.

Re:WHAT popular mobile developer Web forum? (1)

Algae_94 (2017070) | about a year and a half ago | (#42949013)

It would be of minor importance. The more important thing is how the exploit worked so that you can avoid it entirely. The idea is if one site was compromised, you really can't be sure that any other site isn't also compromised. Avoid the exploit not just one known exploited site.

Where's Nancy Reagan when we need her? (2)

mschaffer (97223) | about a year and a half ago | (#42948617)

Just say NO to Java.

Soimething doesn't make sense though.... (1)

Nidi62 (1525137) | about a year and a half ago | (#42948651)

If you can compromise computers across so many companies, including defense contractors which obviously would have access to classified/sensitive information, why would you waste it by attacking Facebook?

Re:Soimething doesn't make sense though.... (0)

Anonymous Coward | about a year and a half ago | (#42948961)

http://www.troll.me/images/futurama-fry/not-sure-if-kidding-or-just-stupid.jpg

Re:Soimething doesn't make sense though.... (1)

tlhIngan (30335) | about a year and a half ago | (#42949691)

If you can compromise computers across so many companies, including defense contractors which obviously would have access to classified/sensitive information, why would you waste it by attacking Facebook?

Because spamming has relatively low penalties.

Attack a defense contractor and you have several problems. First is network security - classified stuff is probably on the airgapped network that you can get on, but it's difficult to get off of. Second, you have people monitoring such things and the likelihood of being detected is greater. Finally, well, you have the government.

Attack Apple, Facebook, Microsoft, etc.,and the repercussions are much lower. First, they're less likely to have airgapped networks, so getting information out is a lot easier. Second, the monitoring equipment is less advanced and may not catch what you're doing. Third, potential embarassment may mean your attack goes unannounced for a while.

And what do they want? The usual - contact lists and ways to turn your machine into a zombie. Contact lists make it easier to send spam to friends coming from you (required if you want to phish or do the "I'm overseas and got robbed" scam). Zombies because botnets can command some good amount of money.

Likewise, compromise a bunch of family PCs is a lot safer as well.

Unless you want defense information, you don't bother with government and government contractors because the risk is high. The money is made elsewhere and it's a lot easier and safer as well.

What does it do? (1)

Princeofcups (150855) | about a year and a half ago | (#42948993)

I can't find any reference to what the attack actually does. Does it crash the machine? Erase the hard drive? Cause ugly pop-ups? Spam email?

Apple Hit By Hackers Who Targeted Facebook (1)

Tarlus (1000874) | about a year and a half ago | (#42949309)

Sounds like their aim needs some practice.

i have boon using the site... :( (0)

Anonymous Coward | about a year and a half ago | (#42949325)

any hints on how to remove the malware?
by the way: it was: iphonedevsdk.com
(http://arstechnica.com/security/2013/02/web-forum-for-iphone-developers-hosted-malware-that-hacked-facebook/)

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?