Apple finally deploys Mac Flashback Trojan terminator

Apple has released a tool that removes the infamous Flashback Trojan from infected Macs. The utility, billed as a Java security update, also disables Java applets by default - but only on machines running OS X Lion, the latest version. The update turns off Java applet execution by default for all browsers, not just Safari. …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Better late than never ?

    No one wants a version of Norton on their Mac - it'll slow it down by 50%

    1. C Yates
      Thumb Up

      Re: Better late than never ?

      Well said; one of the reasons (naive as they are) for getting a bloody Mac in the first place!

    2. N2
      Joke

      Re: Better late than never ?

      50% slower means it would still be quicker than W7 tho

      1. Blitterbug
        Meh

        Re: Still be quicker than W7...

        Ignoramus. Next time use the joke icon for something remotely amusing.

    3. Naughtyhorse

      Re: Better late than never ?

      tru nuf

      cos $ for $ a mac is as slow as an old pig to start with

  2. nichomach
    FAIL

    So...

    the answer to a vuln in their go-it-alone version of Java is...*drumroll*...kill Java (or at least automatic applet execution). And keep killing it until the user gives up in disgust...*slow handclap*

    1. ElReg!comments!Pierre

      Re: So...

      >the answer to a vuln in their go-it-alone version of Java is...*drumroll*...kill Java

      You're being unfair there. They squashed that particular bug AND as an added precaution disabled java in browsers, which is kind of sensible as the nasty little bugger could always jump vulns to install itself, as has happened previously. Most people won't use java in browsers anyway, and for those who do it will stay enabled.

      No, really, you can't fault Apple on this one (well, apart from being 6 weeks late for no reason other than "we can't be arsed", which in itself is already a big problem, but a separate one).

      1. handle

        Not entirely faultless

        Didn't Steve J dislike Java and was trying to kill it off anyway? Very convenient. :-)

        1. GotThumbs
          Linux

          Re: Not entirely faultless

          You're thinking of Flash.

          Steve's approach.... You ONLY need what I THINK you need.

          This man was a control freak.....and unethical (Woz and Breakout)

    2. jai

      Re: So...

      If you're not using Java regularly within 35 days of the last time you used it, then you don't really need automatic applets switched on, do you? It's a security risk, and surely Apple forcing this is a good thing, protecting those average users who wouldn't think to switch it off.

      And if you do need it, it's not exactly an onerous task to switch it on again when prompted.

      Or... was your Fail icon more for your own post in a post friday lunchtime ironic twist?

      1. Naughtyhorse

        Re: So...

        average users.....

        you mean fuckwits?

        you set em up and i'll keep knocking them out of the park

    3. Daniel B.
      Black Helicopters

      Smells like Steve Jobs

      Given that Jobs hated Java's guts during his last years, this smells like Apple's version of Pearl Harbor. Delay the fix, then get OSX infected, then push out the fix and say that Java will be disabled "for your protection" in a very Norsefire way. Hm...

  3. Mondo the Magnificent

    Strangely...

    None of the Macs at home are infected. I've checked using a few utilities prior to Apple's update come fix for this issue. They all run OS X 10.6.8 [Snow Leopard]

    So, this leaves me asking how on earth did these 670,000+ Macs get infected with this Flashback issue? Was Safari the floodgate?

    Just as well that I neither like nor use Apple's clunky browser

    1. jubtastic1
      Devil

      Re: Strangely...

      I haven't found any either, but that appears to be because the malware is really picky about what systems it will infect, excluding dev, managed and "user has a clue" type systems by checking for the presence of some fairly common applications.

      Your typical infected system is likely to be a home user with limited tech support and either a free open source office or a really old version of MS office because who wants to spend a lot of dough for the odd letter, seems to have kept them under the radar enough to capture a peak of 500m+ systems so HUGE SUCCESS. It's probably hard to overstate their satisfaction.

      1. eulampios

        Re: Strangely...

        >>and either a free open source office or a really old version of MS office

        Aren't you making it up? The alleged infection was caused by a javascript code. There are js-capable web browsers, but no office suites.

        1. jubtastic1

          Re: eulampios

          No, I'm not making it up, I've actually read the reports on this infection, as such I know that it's a Java rather than a JavaScript exploit and that it checks that a number of apps aren't present before installing, these include: Xcode, Little Snitch, and Microsoft Office 2008 or later.

          From this I infer that they're avoiding developers (Xcode), clued up users (little snitch) and managed workplace machines (recent MS Office), all places where they are likely to get noticed, clear now?

        2. RAMChYLD
          Coffee/keyboard

          Re: Strangely...

          > The alleged infection was caused by a javascript code. There are js-capable web browsers, but no office suites.

          Java and Javascript are two totally different entities. However the problem here appears to be the use of Javascript invoking a Java applet somehow to create an exploit when a drive-by or compromised site is accessed.

          Also, free open source office is typically how Java gets into a Mac. For some reason that escapes me, Mac OS X will force the user to install Java when the LibreOffice, OpenOffice, StarOffice or NeoOffice (or any other OOo spinoff) installer is invoked and Java isn't installed. Other possibilities are using JDownloader (fair enough, there are practically no other freeware standalone download managers for Mac OS X), Running Serviio since the Mac doesn't come with a DLNA server built in, or running Oracle's E-Business Suite (the only possible scenario to get infected in a corporate environment- you won't believe how many large corporations stuck to IE6 and use Java just because of this beast).

          And well, to be fair- the MS Office one is a different exploit. And it still isn't fixed as of Office:Mac 2011.

      2. Alan W. Rateliff, II
        Paris Hilton

        Re: Strangely...

        I suspect this level of return will encourage more in the future, near or far. And not just with Java, but also by a slow spread into exploiting other known vulnerabilities in the MacOS.

        Paris, slow spread?

    2. Anonymous Coward

      Re: Strangely...

      Well, the cause of the vulnerability was the same as every other one ever.

      You get a browser bundled with your OS and use it and get into a whole world of hurt, I mean IE sucks so much th-

      Oh, wait...

      Wrong rant.

      Apple stuff is so great and flawless and pretty that no one would ever be able to do bad stuff to i-

      Oops.

      Wrong fanboiism.

      Little help?

    3. jai

      Re: Strangely...

      not so. none of mine are infected either, and i only use Safari for browsing. They have all been upgraded from Snow Leopard to Lion though, so not a conclusive correlation to your sample group.

      I suspect the infections are just down to the usual way that trojans get onto any computer, users don't pay attention

    4. N2

      Re: Strangely...

      Agreed, Safari is a crock of shit

    5. macanics

      Re: Strangely...

      Tested over 75 systems both at work and through a Mac User Group - zero infections. Most had no AV, most had Java installed and enabled. I'm not saying that proves anything (I'd like a bigger sample) but I'm still to be convinced of the size of the reported infection. Having Kaspersky hand out a fix tool that hosed user account information hasn't helped either…

    6. JohnG

      Re: Strangely...

      The original press release about Flashback from Dr Web (the Russian AV firm that apparently discovered this variant of Flashback) lists several Russian web sites as hosting the code. As Flashback gets its victims in browse by infections, the infections are likely to be limited to those who have visited these websites.

    7. Anonymous Coward

      Re: Strangely...

      Nope - I picked up an infection on one Mac, which uses FF only. No infection when I checked for it manually on Tuesday, but a "found it, killed it" note when I updated to the Apple fix on Thursday.

  4. eulampios
    Linux

    KISS et al

    Firstly, having abused the common sense of security with Java for so long, Apple deserved this shame (even if the 6x10^5 infections story is not true). Alas, users had to suffer...

    Secondly, most of the java, js, and the abominable flash technologies are redundant and potentially not secure. (e)links, lynx, w3m and ff with noscript plugin, ad-block, flashkiller etc are better. Web browsers are for browsing web, and "anything beyond this comes from the evil one". Use KISS principle or you might get kissed by.... Otherwise, do a sandboxing (chromium), apparmoring (selinux-ing), or trustedbsd-ing (not sure if Mac OSX cares for it?)

    1. eulampios

      Re: KISS et al

      Don't get me wrong, somewhere outside of client-side web browsing java might very well be powerful and secure, as well as js. Sorry, flash-buddy, you get nothing again :)

    2. Daniel B.
      Mushroom

      um...

      Java is mostly secure, though the recent vuln cracks have been quite shameful. It wouldn't have bit OSX at all if they had patched up the vuln earlier.

      JavaScript, however, is a craptastic attack vector and should die a horrible death. Agreed on that!

  5. gujiguju

    Opera On-Demand Plugins setting

    Nice to see Apple getting around to inoculating their customers with this update...few weeks late, but still. I like the timed-disable, good idea.

    I must say, that Opera's On-Demand Plugins setting that I've been using for ~3 yrs (as an offshoot from Opera Turbo), was a beautiful browser innovation that makes these security issues much less worrisome (and helps browsing speed & less energy drain, as well).

    Shame it's taking longer for the other browsers to add this, and make it the default. Chrome seems to be following Opera Next snapshots, and I noticed latest FF dev build seems to have it in the pipeline.

    1. Greg J Preece

      Re: Opera On-Demand Plugins setting

      Good god, is there any article the Opera Squad won't invade with their gushing?

  6. ColonelClaw

    I understand Java and Javascript are totally different, but...

    I don't want to beat up on Java, but I can't remember the last time I used it in OSX. Or do I actually use it a lot unknowingly?

    1. Blitterbug
      Happy

      Re: I understand Java and Javascript are totally different, but...

      Doubt it. From what I read here, neither Wintards nor Macolytes can stomach it much, and the only apps I ever found that needed it were OpenOffice / LibreOffice and my children's copies of Minecraft.

    2. Greg J Preece

      Re: I understand Java and Javascript are totally different, but...

      Last time I uploaded photos to Facebook from my computer and not my phone, that was Java. It is around, and it can look pretty enough that people assume it's not Java. ;-)

      1. eulampios

        @Greg J Preece: facebook needs no java-plugin

        >>I uploaded photos to Facebook from my computer...that was Java.

        Are you sure, or do you mean server-side Java, or a special app? Since, it is highly improbable to involve Java plugin for a basic upload operation (pics resizing is done on the server). My laptop has no java plugin installed (I get a complaint from here http://aleph0.clarku.edu/~djoyce/java/elements/usingApplet.html and have to install icedtea plugin to see the animation, though do have some gcc jre bits on the machine). Nevertheless, I've had no problems when browsing elsewhere, including facebook

        1. Greg J Preece

          Re: @Greg J Preece: facebook needs no java-plugin

          The uploader wasn't just a box with "select file" - it allowed for multiple select, showed upload progress, preview and rotate, etc, etc. Was actually pretty neat.

          More info: http://www.stevepoland.com/facebook-image-uploader-java-applet-replica-script/

          1. eulampios

            Re: @Greg J Preece: facebook needs no java-plugin

            Greg, the default image uploader requires no additional plug-ins. On a *nix machine, to check if the app uses java, I'd run "top | grep \(java\|jar\)", on Windows run task manager etc.

            There is one on apps.facebook.com/easyphotouploader It does not seem to be a java browser plugin based, could be written in Java and compiled for Windows though. Anyways, it says that it needs Windows and IE. At the same time, facebook java api is a project that might have some apps to work with a browser java plugin.

            BTW, many cross-platform photo managers (such as gthumb, written in C) have an export interface to facebook and others. I would directly use that one instead of a browser.

  7. Greg J Preece

    The Flash Approach

    Backed yourself into a corner by preventing Oracle from updating their own kit? Been made to look like ineffectual tits for 6 weeks? What's the answer?

    Disable it!

    Yes, that's right, when properly maintaining something you demanded complete control over is too much effort, and backing down would hurt your pride, just disable the user's functionality! If they complain, why not write an open letter attacking the platform as buggy/slow/a threat to users. I'm sure your legions of slavering fans will agree with your every word, no matter how demented.

  8. teapot9999

    double standards

    Windoze should receive a daily kicking for its constant infections by many viruses. The fact that this malware on a Mac is such a big deal is because it is unusual.

    1. eulampios

      Re: double standards

      Exactly, however, Apple's attitude and audacity with Java should be scolded. How can you leisurely allow many vulnerabilities to linger on the system, while patches are available along with exploits! BTW, those that use a more open and secure, alas a little less functional, IcedTea implementation are better off.

    2. Ilgaz

      No actually

      Apple insisted on offering Java themselves on osx and there are reasons for that such as not having to share aqua/ cocoa code with sun, the fact that nobody will bother coding their "native osx" exclusive features and of course their control culture.

      Open source Java works perfect on other Unix systems but on x11. Sun provides a perfectly working Java on Windows and people will flame Apple for not fixing their Java of course.

      Java has oracle and evil Larry image. Just check the non updated open source software on osx. That is the real story. They don't even update their own cups software.
