Apple has released a tool that removes the infamous Flashback Trojan from infected Macs. The utility, billed as a Java security update, also disables Java applets by default - but only on machines running OS X Lion, the latest version. The update turns off Java applet execution by default for all browsers, not just Safari. …
Better late than never ?
No one wants a version of Norton on their Mac - it'll slow it down by 50%
Re: Better late than never ?
Well said; one of the reasons (naive as they are) for getting a bloody Mac in the first place!
Re: Better late than never ?
50% slower means it would still be quicker than W7 tho
Re: Still be quicker than W7...
Ignoramus. Next time use the joke icon for something remotely amusing.
Re: Better late than never ?
cos $ for $ a mac is as slow as an old pig to start with
the answer to a vuln in their go-it-alone version of Java is...*drumroll*...kill Java (or at least automatic applet execution). And keep killing it until the user gives up in disgust...*slow handclap*
>the answer to a vuln in their go-it-alone version of Java is...*drumroll*...kill Java
You're being unfair there. They squashed that particular bug AND as an added precaution disabled java in browsers, which is kind of sensible as the nasty little bugger could always jump vulns to install itself, as has happened previously. Most people won't use java in browsers anyway, and for those who do it will stay enabled.
No, really, you can't fault Apple on this one (well, appart from being 6 weeks late for no reason other than "we can't be arsed", which in itself is already a big problem, but a separate one).
Not entirely faultless
Didn't Steve J dislike Java and was trying to kill it off anyway? Very convenient. :-)
If you're not using Java regularly within 35 days of the last time you used it, then you don't really need automatic applets switched on, do you? It's a security risk, and surely Apple forcing this is a good thing, protecting those average users who wouldn't think to switch it off.
And if you do need it, it's not exactly an onerous task to switch it on again when prompted.
Or... was your Fail icon more for your own post in a post friday lunchtime ironic twist?
Smells like Steve Jobs
Given that Jobs hated Java's guts during his last years, this smells like Apple's version of Pearl Harbor. Delay the fix, then get OSX infected, then push out the fix and say that Java will be disabled "for your protection" in a very Norsefire way. Hm...
Re: Not entirely faultless
Your thinking of Flash.
Steve's approach.... You ONLY need what I THINK you need.
This man was a control freak.....and unethical (Woz and Breakout)
you mean fuckwits?
you set em up and i'll keep knocking them out of the park
None of the Macs at home are infected. I've checked using a few utilities prior to Apple's update come fix for this issue. They all run OS X 10.6.8 [Snow Leopard]
So, this leaves me asking how on earth did these 670,000+ Macs get infected with this Flashback issue? Was Safari the floodgate?
Just s well that I neither like nor use Apple's clunky browser
I haven't found any either, but that appears to be because the malware is really picky about what systems it will infect, excluding dev, managed and "user has a clue" type systems by checking for the presence of some fairly common applications.
Your typical infected system is likely to be a home user with limited tech support and either a free open source office or a really old version of MS office because who wants to spend a lot of dough for the odd letter, seems to have kept them under the radar enough to capture a peak of 500m+ systems so HUGE SUCCESS. It's probably hard to overstate their satisfaction.
Well, the cause of the vulnerability was the same as every other one ever.
You get a browser bundled with your OS and use it and get into a whole world of hurt, I mean IE sucks so much th-
Apple stuff is so great and flawless and pretrty than noone would ever be able to do bad stuff to i-
not so. none of mine are infected either, and i only use Safari for browsing. They have all been upgraded from Snow Leopard to Lion though, so not a conclusive correlation to your sample group.
I suspect the infections are just down to the usual way that trojans get onto any computer, users don't pay attention
>>and either a free open source office or a really old version of MS office
Agreed, Safari is a crock of shit
Tested over 75 systems both at work and through a Mac User Group - zero infections. Most had no AV, most had Java installed and enabled. I'm not saying that proves anything (I'd like a bigger sample) but I'm still to be convinced of the size of the reported infection. Having Kaspersky hand out a fix tool that hosed user account information hasn't helped either…
From this I infer that they're avoiding developers (Xcode), clued up users (little snitch) and managed workplace machines (recent MS Office), all places where they are likely to get noticed, clear now?
The original press release about Flashback from Dr Web (the Russian AV firm that apparently discovered this variant of Flashback) lists several Russian web sites as hosting the code. As Flashback gets its victims in browse by infections, the infections are likely to be limited to those who have visited these websites.
I suspect this level of return will encourage more in the future, near or far. And not just with Java, but also by a slow spread into exploiting other known vulnerabilities in the MacOS.
Paris, slow spread?
> but no office suites.
Also, free open source office is typically how Java gets into a Mac. For some reason that escapes me, Mac OS X will force the user to install Java when the LibreOffice, OpenOffice, StarOffice or NeoOffice (or any other OOo spinoff) installer is invoked and Java isn't installed. Other possibilities are using JDownloader (fair enough, there are practically no other freeware standalone download managers for Mac OS X), Running Serviio since the Mac doesn't come with a DLNA server built in, or running Oracle's E-Business Suite (the only possible scenario to get infected in a corporate environment- you won't believe how many large corporations stuck to IE6 and use Java just because of this beast).
And well, to be fair- the MS Office one is a different exploit. And it still isn't fixed as of Office:Mac 2011.
Nope - I picked up an infection on one Mac, which uses FF only. No infection when I checked for it manually on Tuesday, but a "found it, killed it" note when I updated to the Apple fix on Thursday.
KISS et al
Firstly, having abused the common sense of security with Java for so long, Apple deserved this shame (even if the 6x10^5 infections story is not true). Alas, users had to suffer...
Secondly, most of the java, js, and the abominable flash technologies are redundant and potentially not secure. (e)links, lynx, w3m and ff with noscript plugin, ad-bock, flashkiller etc are better. Web browsers are for browsing web, and "anything beyond this comes from the evil one". Use KISS principle or you might get kissed by.... Otherwise, do a sandboxing (chromium), apparmoring (selinux-ing), or trustedbsd-ing (not sure if Mac OSX cares for it?)
Re: KISS et al
Don't get me wrong, somewhere outside of client-side web browsing java might very well be powerful and secure, as well as js. Sorry, flash-buddy, you get nothing again :)
Java is mostly secure, though the recent vuln cracks have been quite shameful. It wouldn't have bit OSX at all if they had patched up the vuln earlier.
Opera On-Demand Plugins setting
Nice to see Apple getting around to inoculating their customers with this update...few weeks late, but still. I like the timed-disable, good idea.
I must say, that Opera's On-Demand Plugins setting that I've been using for ~3 yrs (as an offshoot from Opera Turbo), was a beautiful browser innovation that makes these security issues much less worrisome (and helps browsing speed & less energy drain, as well).
Shame it's taking longer for the other browsers to add this, and make it the default. Chrome seems to be following Opera Next snapshots, and I noticed latest FF dev build seems to have it in the pipeline.
Re: Opera On-Demand Plugins setting
Good god, is there any article the Opera Squad won't invade with their gushing?
I don't want to beat up on Java, but I can't remember the last time I used it in OSX. Or do I actually use it a lot unknowingly?
Doubt it. From what I read here, neither Wintards nor Macolytes can stomach it much, and the only apps I ever found that needed it was OpenOffice / LibreOffice and my childrens' copies of Minecraft.
Last time I uploaded photos to Facebook from my computer and not my phone, that was Java. It is around, and it can look pretty enough that people assume it' not Java. ;-)
@Greg J Preece: facebook needs no java-plugin
>>I uploaded photos to Facebook from my computer...that was Java.
Are you sure, or do you mean server-side Java, or a special app? Since, it is highly improbable to involve Java plugin for a basic upload operation (pics resizing is done on the server). My laptop has no java plugin installed (I get a complaint from here http://aleph0.clarku.edu/~djoyce/java/elements/usingApplet.html and have to install icedtea plugin to see the animation, though do have some gcc jre bits on the machine). Nevertheless, I've had no problems when browsing elsewhere, including facebook
Re: @Greg J Preece: facebook needs no java-plugin
The uploader wasn't just a box with "select file" - it allowed for multiple select, showed upload progress, preview and rotate, etc, etc. Was actually pretty neat.
More info: http://www.stevepoland.com/facebook-image-uploader-java-applet-replica-script/
Re: @Greg J Preece: facebook needs no java-plugin
Greg, the default image uploader requires no additional plug-ins. On a * nix machine, to check if the app uses java, I'd run "top | grep \(java\|jar\)", on Windows run task manager etc.
There is one on apps.facebook.com/easyphotouploader It does not seem to be a java browser plugin based, could be written in Java and compiled for Windows though. Anyways, it says that it needs Windows and IE. At the same time, facebook java api is a project that might have some apps to work with a browser java plugin.
BTW, many cross-platform photo managers (such as gthumb, written in C) have an export interface to facebook and others. I would directly use that one instead of a browser.
The Flash Approach
Backed yourself into a corner by preventing Oracle from updating their own kit? Been made to look like ineffectual tits for 6 weeks? What's the answer?
Yes, that's right, when properly maintaining something you demanded complete control over is too much effort, and backing down would hurt your pride, just disable the user's functionality! If they complain, why not write an open letter attacking the platform as buggy/slow/a threat to users. I'm sure your legions of slavering fans will agree with your every word, no matter how demented.
Windoze should receive a daily kicking for it's constant infections by many viruses. The fact that this malware on a Mac is such a big deal is because it is unusual.
Re: double standards
Exactly, however, Apple's attitude and audacity with Java should be scolded. How can you leisurely allow many vulnerabilities to linger on the system, while patches are available along with exploits! BTW, those that use a more open and secure, alas a little less functional, IcedTea implementation are better off.
Apple insisted on offering Java themselves on osx and there are reasons for that such as not having to share aqua/ cocoa code with sun, the fact that nobody will bother coding their "native osx" exclusive features and of course their control culture.
Open source Java works perfect on other Unix systems but on x11. Sun provides a perfectly working Java on Windows and people will flame Apple for not fixing their Java of course.
Java has oracle and evil Larry image. Just check the non updated open source software on osx. That is the real story. They don't even update their own cups software.