
Mac Java hole exploited by wild Flashback Trojan strain

Security watchers have discovered a strain of Mac-specific malware that exploits an unpatched vulnerability in Java. A variant of the Flashback Trojan exploiting CVE-2012-0507 (a Java vulnerability) has been spotted in the wild, F-Secure warns. Oracle patched the vulnerability for Windows machines in February but is yet to …

COMMENTS

This topic is closed for new posts.

April Fool??

"Some banking websites mandate the use of Java, in which case security-conscious Mac fanbois can re-enable Java for the duration of their session before turning it off again, the Finnish security firm suggests."

Really? Re-enable a critically vulnerable piece of software for which there are exploits in the wild to allow internet banking transactions?? I *HOPE* F-Secure are yanking your chain on this, that's the daftest bit of security advice I've heard in ages!

JDX

Re: April Fool??

The trojans don't get onto your PC magically because Java is enabled, but because you visit a compromised site while it is enabled.

Therefore enabling Java while using one specific, trusted site is very low risk.


Re: April Fool??

Yes, yes, yes JDX - we all know that, but it's not quite that simple is it?

The key information here is that exploits have been found in the wild so there has been a period of time when machines may already have been compromised and this compromise will likely not have been detected - certainly not by lay users who are the main target of this advice. In that situation using your banking website (or any other that uses sensitive credentials) at all is utterly foolish.

Even if the machine is currently clean it's a stretch to imagine most lay users will take this advice as meaning closing all other browser tabs and web-enabled applications that are potentially vulnerable. Any advice other than not using this software until it is patched is irresponsible.


Re: April Fool??

Ooooh god,.... those banks... again!

Anonymous Coward

Re: April Fool??

I cannot see your point really. If the problem relates to Java, then switch it off and use it only if you feel you can trust your bank, at your own risk.

Perhaps F-Secure should have advised people to switch to Windows or Linux.

JDX

Re: April Fool??

It's nothing to do with trusting your bank or their site... their sites MAY get hacked but it's rare.


java such a turd

Why, oh why, did PS3 Media Server have to be written in Java? It's the best free DLNA server on Mac (at least when I last checked). If not for it, no way would I have the malware portal that Java is on any of my machines.

JDX

Re: java such a turd

Is this trolling or deliberate misinformation? Either way, pray tell us which platform/framework/runtime is immune to bugs. Certainly not Java, Flash, .NET, PHP or any existing browser's HTML5 implementation.


Re: java such a turd

Of course any complex software will have bugs. The issue is that client Java over the past few years has been responsible for more serious/critical CVEs than any other cross-platform software save for Adobe's crapware (Flash, Reader, etc.). Competing with Adobe security-wise when one of the original selling points of the language was security is not good.


Re: java such a turd

...the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in the Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). During the one year period starting in the third quarter of 2010 (3Q10) and ending in the second quarter of 2011 (2Q11), between one-third and one-half of all exploits observed in each quarter were Java exploits.


Re: java such a turd

Actually, Java is a very nice development language. It's the applet environment that's a turd. You can disable applets that aren't signed by a trusted source using "Java Preferences.app" in your Mac OS X Utilities folder.


Re: java such a turd

Good tip, except it's best to disable all Java applets, as it's not all that hard to get malware signed by a dodgy CA like GoDaddy or something.

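Before acting on any of the enable-Java-for-banking or disable-all-applets advice above, the check a practitioner wants first is whether the Java runtime on the machine actually predates the fix. The script below is an added example for this page, not code from the article, F-Secure or any commenter. It parses the banner printed by `java -version` and compares the update number against the builds assumed here to carry the CVE-2012-0507 fix (1.6.0_31 for Java 6 and 1.7.0_03 for Java 7, Oracle's February 2012 update); those two thresholds are an assumption, so adjust them if your own records differ. When no `java` binary is on the PATH it falls back to a constructed sample of Apple's JRE banner so it still runs offline.

```shell
#!/bin/sh
# Added example for this comment thread, not code from the article or its
# commenters. Report whether an installed Java runtime predates the fix for
# CVE-2012-0507.
#
# ASSUMPTION: the first fixed builds are taken to be 1.6.0_31 (Java 6) and
# 1.7.0_03 (Java 7), per Oracle's February 2012 update. Adjust if your
# records differ; everything else is plain version arithmetic.
FIXED_6="1.6.0_31"
FIXED_7="1.7.0_03"

# Pull the quoted version string out of "java -version" text read from stdin.
# Matches both 'java version "1.6.0_29"' and 'openjdk version "17.0.2"'.
parse_java_version() {
  sed -n 's/^[^ ]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Map "1.<major>.<minor>_<update>" to one integer so versions compare with -lt.
# "1.6.0_29" -> 6000029 ; "1.7.0_03" -> 7000003 ; "1.6.0" -> 6000000
version_key() {
  v=$1
  major=$(printf '%s\n' "$v" | cut -d. -f2)
  rest=$(printf '%s\n' "$v" | cut -d. -f3)
  minor=${rest%%_*}
  update=${rest#*_}
  [ "$update" = "$rest" ] && update=0                # no "_NN" suffix at all
  update=$(printf '%s\n' "$update" | sed 's/^0*//')  # "03" -> "3", avoids octal
  [ -z "$update" ] && update=0
  echo $(( major * 1000000 + minor * 10000 + update ))
}

# Exit 0 if VERSION is below the fixed build for its release line,
# 1 if it is at or above it, 2 if the line is not one we hold a threshold for.
java_is_vulnerable() {
  case $1 in
    1.6.*) fixed=$FIXED_6 ;;
    1.7.*) fixed=$FIXED_7 ;;
    *)     return 2 ;;
  esac
  [ "$(version_key "$1")" -lt "$(version_key "$fixed")" ]
}

# Constructed sample of the banner an Apple-maintained JRE printed in early
# 2012; used when no java binary is on the PATH so the script runs offline.
SAMPLE_BANNER='java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11)
Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02, mixed mode)'

if command -v java >/dev/null 2>&1; then
  installed=$(java -version 2>&1 | parse_java_version)
else
  installed=$(printf '%s\n' "$SAMPLE_BANNER" | parse_java_version)
fi

rc=0
java_is_vulnerable "$installed" || rc=$?
case $rc in
  0) echo "Java $installed predates the CVE-2012-0507 fix: keep applets off" ;;
  2) echo "Java $installed: no threshold known for this release line" ;;
  *) echo "Java $installed is at or past the fix for its release line" ;;
esac
```

The version is folded into a single integer rather than compared as a string because "1.6.0_9" sorts after "1.6.0_31" lexically; the leading-zero strip matters because a bare `$(( 08 ))` is rejected as octal by most shells. A runtime that the script reports as pre-fix is one where the "re-enable for banking" suggestion in the article is moot: the sensible state is applets off until a patched build is installed.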
Anonymous Coward

Oracle?

"Oracle patched the vulnerability for Windows machines in February but is yet to issue a fix for Mac OS X - creating a window of opportunity for virus writers."

Of course Oracle hasn't, Apple maintains Java for OS X, not Oracle!


Re: Oracle?

I think that all changed with the latest Mac OS X release. King Jobs didn't want the Java runtime cutting into the walled garden we has planned for Mac OS X, but Ellison made him an offer he couldn't refuse to delay the killing.


Re: Oracle?

Oops, "had planned" it should say; all past tense, because the big C doesn't give a rat's butt what our plans may be.

Anonymous Coward

Re: Oracle?

Nope. The Oracle port of OpenJDK is still in alpha. The latest production Java for OS X is still Apple maintained. It even states such on Oracle's Java page.

Anonymous Coward

LA LA LA LA LA LA

Sincerely,

Fanboy


In my 17-odd years as a Windows user, the only virus ever detected on my machines was something to do with Java.


not installed by default

I'm not sure whether the agreed transition of Java support for Mac OS X from Apple to Oracle has happened. Apple still supplies it but do we know who does the maintenance?

Regardless of that, the plain fact is that Mac OS X 10.7 Lion does NOT install Java by default. Anyone who wants it can get it, but it's not present unless the user specifically installs it.

Anonymous Coward

Schadenfreude

Am I the only one who has a perverse feeling of contentment that smug, arrogant, typically affluent Mac users finally realise their OS is not immune from malware?


Linux Mint

Does anybody know if the vulnerability exists for the Java edition in Linux Mint??
