Apple finally deploys Mac Flashback Trojan terminator

Apple has released a tool that removes the infamous Flashback Trojan from infected Macs. The utility, billed as a Java security update, also disables Java applets by default - but only on machines running OS X Lion, the latest version. The update turns off Java applet execution by default for all browsers, not just Safari. …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Better late than never ?

No one wants a version of Norton on their Mac - it'll slow it down by 50%

10
0

Re: Better late than never ?

Well said; one of the reasons (naive as they are) for getting a bloody Mac in the first place!

0
0
N2
Bronze badge
Joke

Re: Better late than never ?

50% slower means it would still be quicker than W7 tho

7
9
Bronze badge
Meh

Re: Still be quicker than W7...

Ignoramus. Next time use the joke icon for something remotely amusing.

5
3
Silver badge

Re: Better late than never ?

tru nuf

cos $ for $ a mac is as slow as an old pig to start with

0
1
FAIL

So...

the answer to a vuln in their go-it-alone version of Java is...*drumroll*...kill Java (or at least automatic applet execution). And keep killing it until the user gives up in disgust...*slow handclap*

13
5
Silver badge

Re: So...

>the answer to a vuln in their go-it-alone version of Java is...*drumroll*...kill Java

You're being unfair there. They squashed that particular bug AND as an added precaution disabled java in browsers, which is kind of sensible as the nasty little bugger could always jump vulns to install itself, as has happened previously. Most people won't use java in browsers anyway, and for those who do it will stay enabled.

No, really, you can't fault Apple on this one (well, apart from being 6 weeks late for no reason other than "we can't be arsed", which in itself is already a big problem, but a separate one).

8
3
Bronze badge

Not entirely faultless

Didn't Steve J dislike Java and was trying to kill it off anyway? Very convenient. :-)

2
1
jai
Silver badge

Re: So...

If you're not using Java regularly within 35 days of the last time you used it, then you don't really need automatic applets switched on, do you? It's a security risk, and surely Apple forcing this is a good thing, protecting those average users who wouldn't think to switch it off.

And if you do need it, it's not exactly an onerous task to switch it on again when prompted.

Or... was your Fail icon more for your own post in a post friday lunchtime ironic twist?

2
3
Silver badge
Black Helicopters

Smells like Steve Jobs

Given that Jobs hated Java's guts during his last years, this smells like Apple's version of Pearl Harbor. Delay the fix, then get OSX infected, then push out the fix and say that Java will be disabled "for your protection" in a very Norsefire way. Hm...

5
3
Linux

Re: Not entirely faultless

You're thinking of Flash.

Steve's approach.... You ONLY need what I THINK you need.

This man was a control freak.....and unethical (Woz and Breakout)

8
1
Silver badge

Re: So...

average users.....

you mean fuckwits?

you set em up and i'll keep knocking them out of the park

0
1

Strangely...

None of the Macs at home are infected. I've checked using a few utilities prior to Apple's update come fix for this issue. They all run OS X 10.6.8 [Snow Leopard]

So, this leaves me asking how on earth did these 670,000+ Macs get infected with this Flashback issue? Was Safari the floodgate?

Just as well that I neither like nor use Apple's clunky browser

3
1
Bronze badge
Devil

Re: Strangely...

I haven't found any either, but that appears to be because the malware is really picky about what systems it will infect, excluding dev, managed and "user has a clue" type systems by checking for the presence of some fairly common applications.

Your typical infected system is likely to be a home user with limited tech support and either a free open source office or a really old version of MS office because who wants to spend a lot of dough for the odd letter, seems to have kept them under the radar enough to capture a peak of 500m+ systems so HUGE SUCCESS. It's probably hard to overstate their satisfaction.

2
0
Anonymous Coward

Re: Strangely...

Well, the cause of the vulnerability was the same as every other one ever.

You get a browser bundled with your OS and use it and get into a whole world of hurt, I mean IE sucks so much th-

Oh, wait...

Wrong rant.

Apple stuff is so great and flawless and pretty that no one would ever be able to do bad stuff to i-

Oops.

Wrong fanboiism.

Little help?

4
0
jai
Silver badge

Re: Strangely...

not so. none of mine are infected either, and i only use Safari for browsing. They have all been upgraded from Snow Leopard to Lion though, so not a conclusive correlation to your sample group.

I suspect the infections are just down to the usual way that trojans get onto any computer, users don't pay attention

2
1
Bronze badge

Re: Strangely...

>>and either a free open source office or a really old version of MS office

Aren't you making it up? The alleged infection was caused by a javascript code. There are js-capable web browsers, but no office suites.

1
2
N2
Bronze badge

Re: Strangely...

Agreed, Safari is a crock of shit

1
1

Re: Strangely...

Tested over 75 systems both at work and through a Mac User Group - zero infections. Most had no AV, most had Java installed and enabled. I'm not saying that proves anything (I'd like a bigger sample) but I'm still to be convinced of the size of the reported infection. Having Kaspersky hand out a fix tool that hosed user account information hasn't helped either…

1
1
Bronze badge

Re: eulampios

No, I'm not making it up, I've actually read the reports on this infection, as such I know that it's a Java rather than a JavaScript exploit and that it checks that a number of apps aren't present before installing, these include: Xcode, Little Snitch, and Microsoft Office 2008 or later.

From this I infer that they're avoiding developers (Xcode), clued up users (little snitch) and managed workplace machines (recent MS Office), all places where they are likely to get noticed, clear now?

4
0

Re: Strangely...

The original press release about Flashback from Dr Web (the Russian AV firm that apparently discovered this variant of Flashback) lists several Russian web sites as hosting the code. As Flashback gets its victims in browse by infections, the infections are likely to be limited to those who have visited these websites.

0
0
Paris Hilton

Re: Strangely...

I suspect this level of return will encourage more in the future, near or far. And not just with Java, but also by a slow spread into exploiting other known vulnerabilities in the MacOS.

Paris, slow spread?

0
0
Bronze badge
Coffee/keyboard

Re: Strangely...

> The alleged infection was caused by a javascript code. There are js-capable web browsers, but no office suites.

Java and Javascript are two totally different entities. However the problem here appears to be the use of Javascript invoking a Java applet somehow to create an exploit when a drive-by or compromised site is accessed.

Also, free open source office is typically how Java gets into a Mac. For some reason that escapes me, Mac OS X will force the user to install Java when the LibreOffice, OpenOffice, StarOffice or NeoOffice (or any other OOo spinoff) installer is invoked and Java isn't installed. Other possibilities are using JDownloader (fair enough, there are practically no other freeware standalone download managers for Mac OS X), Running Serviio since the Mac doesn't come with a DLNA server built in, or running Oracle's E-Business Suite (the only possible scenario to get infected in a corporate environment- you won't believe how many large corporations stuck to IE6 and use Java just because of this beast).

And well, to be fair- the MS Office one is a different exploit. And it still isn't fixed as of Office:Mac 2011.

0
0
Anonymous Coward

Re: Strangely...

Nope - I picked up an infection on one Mac, which uses FF only. No infection when I checked for it manually on Tuesday, but a "found it, killed it" note when I updated to the Apple fix on Thursday.

0
0
Bronze badge
Linux

KISS et al

Firstly, having abused the common sense of security with Java for so long, Apple deserved this shame (even if the 6x10^5 infections story is not true). Alas, users had to suffer...

Secondly, most of the java, js, and the abominable flash technologies are redundant and potentially not secure. (e)links, lynx, w3m and ff with noscript plugin, ad-block, flashkiller etc are better. Web browsers are for browsing web, and "anything beyond this comes from the evil one". Use KISS principle or you might get kissed by.... Otherwise, do a sandboxing (chromium), apparmoring (selinux-ing), or trustedbsd-ing (not sure if Mac OSX cares for it?)

3
1
Bronze badge

Re: KISS et al

Don't get me wrong, somewhere outside of client-side web browsing java might very well be powerful and secure, as well as js. Sorry, flash-buddy, you get nothing again :)

0
0
Silver badge
Mushroom

um...

Java is mostly secure, though the recent vuln cracks have been quite shameful. It wouldn't have bit OSX at all if they had patched up the vuln earlier.

JavaScript, however, is a craptastic attack vector and should die a horrible death. Agreed on that!

0
2

Opera On-Demand Plugins setting

Nice to see Apple getting around to inoculating their customers with this update...few weeks late, but still. I like the timed-disable, good idea.

I must say, that Opera's On-Demand Plugins setting that I've been using for ~3 yrs (as an offshoot from Opera Turbo), was a beautiful browser innovation that makes these security issues much less worrisome (and helps browsing speed & less energy drain, as well).

Shame it's taking longer for the other browsers to add this, and make it the default. Chrome seems to be following Opera Next snapshots, and I noticed latest FF dev build seems to have it in the pipeline.

1
1
Silver badge

Re: Opera On-Demand Plugins setting

Good god, is there any article the Opera Squad won't invade with their gushing?

0
2

I understand Java and Javascript are totally different, but...

I don't want to beat up on Java, but I can't remember the last time I used it in OSX. Or do I actually use it a lot unknowingly?

1
0
Bronze badge
Happy

Re: I understand Java and Javascript are totally different, but...

Doubt it. From what I read here, neither Wintards nor Macolytes can stomach it much, and the only apps I ever found that needed it was OpenOffice / LibreOffice and my children's copies of Minecraft.

2
0
Silver badge

Re: I understand Java and Javascript are totally different, but...

Last time I uploaded photos to Facebook from my computer and not my phone, that was Java. It is around, and it can look pretty enough that people assume it's not Java. ;-)

0
0
Bronze badge

@Greg J Preece: facebook needs no java-plugin

>>I uploaded photos to Facebook from my computer...that was Java.

Are you sure, or do you mean server-side Java, or a special app? Since, it is highly improbable to involve Java plugin for a basic upload operation (pics resizing is done on the server). My laptop has no java plugin installed (I get a complaint from here http://aleph0.clarku.edu/~djoyce/java/elements/usingApplet.html and have to install icedtea plugin to see the animation, though do have some gcc jre bits on the machine). Nevertheless, I've had no problems when browsing elsewhere, including facebook

0
0
Silver badge

Re: @Greg J Preece: facebook needs no java-plugin

The uploader wasn't just a box with "select file" - it allowed for multiple select, showed upload progress, preview and rotate, etc, etc. Was actually pretty neat.

More info: http://www.stevepoland.com/facebook-image-uploader-java-applet-replica-script/

1
0
Bronze badge

Re: @Greg J Preece: facebook needs no java-plugin

Greg, the default image uploader requires no additional plug-ins. On a *nix machine, to check if the app uses java, I'd run "top | grep '\(java\|jar\)'", on Windows run task manager etc.

There is one on apps.facebook.com/easyphotouploader. It does not seem to be a java browser plugin based, could be written in Java and compiled for Windows though. Anyways, it says that it needs Windows and IE. At the same time, facebook java api is a project that might have some apps to work with a browser java plugin.

BTW, many cross-platform photo managers (such as gthumb, written in C) have an export interface to facebook and others. I would directly use that one instead of a browser.

0
0
Silver badge

The Flash Approach

Backed yourself into a corner by preventing Oracle from updating their own kit? Been made to look like ineffectual tits for 6 weeks? What's the answer?

Disable it!

Yes, that's right, when properly maintaining something you demanded complete control over is too much effort, and backing down would hurt your pride, just disable the user's functionality! If they complain, why not write an open letter attacking the platform as buggy/slow/a threat to users. I'm sure your legions of slavering fans will agree with your every word, no matter how demented.

2
1

double standards

Windoze should receive a daily kicking for its constant infections by many viruses. The fact that this malware on a Mac is such a big deal is because it is unusual.

2
1
Bronze badge

Re: double standards

Exactly, however, Apple's attitude and audacity with Java should be scolded. How can you leisurely allow many vulnerabilities to linger on the system, while patches are available along with exploits! BTW, those that use a more open and secure, alas a little less functional, IcedTea implementation are better off.

0
0

No actually

Apple insisted on offering Java themselves on osx and there are reasons for that such as not having to share aqua/ cocoa code with sun, the fact that nobody will bother coding their "native osx" exclusive features and of course their control culture.

Open source Java works perfect on other Unix systems but on x11. Sun provides a perfectly working Java on Windows and people will flame Apple for not fixing their Java of course.

Java has oracle and evil Larry image. Just check the non updated open source software on osx. That is the real story. They don't even update their own cups software.

0
0