back to article Apple and world HACKED by Facebook plunderers

Apple, Facebook and "hundreds of other companies" have had their Mac computers hacked in a sophisticated campaign mounted by an unknown adversary. Attackers were able to infect Apple, along with other businesses around the world with Mac malware delivered via a Java zero-day vulnerability, Reuters reported on Tuesday, after …

COMMENTS

This topic is closed for new posts.
  1. Pirate Dave Silver badge
    Pirate

    "This is the first really big attack on Macs,"

    So... it was a Big Mac Attack?

    1. tonysmith

      Re: "This is the first really big attack on Macs,"

      No, that happened over at Burger Kings twitter feed.

      1. Rufus McDufus

        Re: "This is the first really big attack on Macs,"

        Mutter mutter, something about horses, *jazz hands*

    2. Anonymous Coward
      Anonymous Coward

      Re: "This is the first really big attack on Macs,"

      Mac OS-X, over 1800 vulnerabilities and counting. That's 4 times more than windows XP and almost as bad a Linux dsitribution! And Mac users generally don't have antivirus wrapped round their Swiss Cheese of an OS either....

      1. The BigYin

        Re: "This is the first really big attack on Macs,"

        GNU/Linux is developed in the open, so it will look like they have many bugs as one can see them all. Some bug won't even be a GNU or Linux issue, they'll be integration issues for a particular distro. Also, many of these bugs will be duplicates as various distros have a bug reported to them (a new ticket) which then gets filed with upstream (might be a new ticket, might join an existing one). This is before we get into the severity of said bugs. The projects are co-operative units, not closed and secretive monoliths like Apple and MS.

        MS is cagey about what bugs they have and their publicly known list is probably a subset of the true picture.

        I would have expected Apple to be the same if not even more anti-open, but as you cite no sources I guess we will just have to take what you say with a very large pinch of salt.

        As for anti-virus - all PCs should run anti-virus, if only to protect Windows from itself.

        1. Anonymous Coward
          Anonymous Coward

          Re: "This is the first really big attack on Macs,"

          The total of 1800 is only referring to security vulnerabilities - not integration issues or other bugs . Like it or not, Linux distributions tend to have the highest vulnerability totals of any OSs. Even the Linux kernel alone has over 900 known vulnerabilities - about twice the total of the whole of Windows XP!

          1. The BigYin

            Re: "This is the first really big attack on Macs,"

            I'll type this slowly. Publicly admitted. And I find it funny you ate comparing a dead OS to a living kernel which supports more hardware, more filesystems, more...

            1. deadmonkey

              Re: "This is the first really big attack on Macs,"

              XP is still on extended support - http://windows.microsoft.com/en-US/windows/products/lifecycle

              Indeed it would seem to be pretty widely used still - http://en.wikipedia.org/wiki/Usage_share_of_operating_systems

              1. The BigYin

                Re: "This is the first really big attack on Macs,"

                It dies (or is currently expected to) next year. It's no longer sold. That is so close to "dead" as makes no odds.

                Just because idiots still usr IE6 does not make it any less dead either.

                Comparing XP (developed in secret and near EOL) to the Linux kernel 3.8 (developed in public and still living) is not comparing like with like.

  2. Phil E Succour
    Windows

    Life without Java

    Boy, am I glad I ditched Java a few years ago. I haven't missed it either.

    1. Anonymous Coward
      Anonymous Coward

      Re: Life without OS-X

      Boy, am I glad I ditched OS-X a few years ago. I haven't missed it either.

      1. Anonymous Coward
        Anonymous Coward

        Re: Life without OS-X

        Yes, makes me glad i run Windows....

      2. Captain Scarlet Silver badge
        Trollface

        Re: Life without OS-X

        Sorry but OS9 is far better to ditch than OSX

    2. bunual
      Happy

      Re: Life without Java

      For a moment there I thought I was at risk then I realised I removed Java years ago when I realised I didn't need it any more.

    3. The BigYin

      Re: Life without Java

      Java on the server is fine.

      Java on the client would be fine if it wasn't managed by Oracle.

  3. Anonymous Coward
    Anonymous Coward

    No....No, their MUST be some mistake. Macs are immune to such things, remember? Jobs said so.

    1. Oninoshiko
      Gimp

      So did that nice looking young man in the commercial: http://www.youtube.com/watch?v=M3Z386vXrt4

    2. Anonymous Coward
      Anonymous Coward

      There's a difference between malware or viruses and a very co-ordinated hack attempt.

      1. Anonymous Coward
        Anonymous Coward

        Yes, the difference is what you call it. Basically you got p0wned...

    3. I think so I am?
      Coat

      reality distortion field

      now he is dead his reality distortion field is no longer protecting Apple

    4. Tom 13
      Trollface

      @Taylor1

      Not just Jobs, millions of fanois said so too!

  4. Anonymous Coward
    Anonymous Coward

    Where's my popcorn?

    Macs are invulnerable, most secure computers, etc, etc.....

    1. Tom 13

      Re: Where's my popcorn?

      Yeah I poke a sharp stick at the fanbois about this on another page, but in general Macs really are more secure than Windows. Which is what makes this such a complete clusterfuck - it was an obvious hole even Windows fanbois saw it coming.

      The bigger problem now is, Apple's a big company and it took them too long to find this. Given that the kernel is built on an OSS *nix core, have the hackers also been able to penetrate other *nix distributions/installs which have so far gone undetected? Given that we know neither what changes Apple made to the core nor enough details of the attack for your typical admin to check for the malware on his systems (beyond: are you running Java, which like it or not most business do) it's a bit unsettling. Gut says most of those systems are still secure (greater variety, admins tend to be more security aware, lower desktop distribution), but the brain wants proof and it can't get it.

  5. m0r1arty
    Holmes

    A Mac Attack

    Article to deflect attention to Google or Samsung in three...two...one...

  6. Anonymous Coward
    Meh

    FaceBook gets hit? F'em.

    So press headlines let Apple know big players are getting hit, then Apple says "disable Java" for a cure all fix, then Apple only decides to issue a fix AFTER they too have been affected?

    Apparently security and code auditing is a burden for "IT Artists". No matter, it does explain where a large chunk of their cash pile has come from...lax security.

    OFF TOPIC: Does Apple have to hire BSD/Linux guru's to fix their system? Or do they have a security team?

    1. Dan 55 Silver badge
      FAIL

      Re: FaceBook gets hit? F'em.

      Er, no. They disabled older versions of the Java plug-in as there was a known exploit (however the new version of the Java plug-in wasn't yet released to java.com when they updated the blocklist meaning for a while all Java plug-ins were blocked) and they disabled this malware when they had a signature for it.

    2. TeeCee Gold badge

      Re: FaceBook gets hit? F'em.

      ISTR that Apple do not let a vanilla Java distribution go straight to Macs. They take the new version, wave a magic cat over it for a few weeks (or whatever it is they do) and then release their approved version, now with more fruit.

      I guess someone's spotted that Macs are the target of choice for Java vulns, as they're likely to have their knickers down for rather longer than other platforms, due to this delay while the wizards of Cupertino scry their runes.

  7. jai

    Here's an article that describes where to look on your mac to see if it's got the malware. Apparently the site that was hacked to distribute the malware was a "mobile developers website"

    They're suggesting that the idea was to allow them to inject malicious code into the code being developed for mobiles, rather than trying to hack mobiles directly.

    http://reviews.cnet.com/8301-13727_7-57570100-263/new-mac-malware-opens-secure-reverse-shell/

  8. Charlie Clark Silver badge
    Alert

    DARPA wants more money

    With the sequester looming the goons over at DARPA are making sure that the Nation knows just how important it is to invest in cyber-espionage. Just imagine what the PLA could do with all those LoLCats pictures, or, heaven forfend, actually bring down the LoLCats servers!

  9. Anonymous Coward
    Anonymous Coward

    When did getting hacked become chic?

    Everyone who visited the site with a vulnerable configuration got hacked... whether it was a Facebook or Apple engineer, or someone's granny who was there accidentally looking for mobility aids....

    This appears to be the new thing.... we are gradually becoming crap so we make out that dangerous people are out to get us to make us appear sexy again!

    All it shows is that Apple and Facebook developers need as much help as everyone else from the internet to do their jobs...

  10. Anonymous Coward
    Mushroom

    Not just Macs is it..

    This being a Java exploit, it affects everyone who still has Java enabled under any OS - Windows, Linux, FreeBSD, etc - not just those running Mac OS X.

    Let's see who admits being attacked next.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not just Macs is it..

      No, if the vulnerability is used to download and run native code - as it looks, the attack was targeted at Macs, not anyone running Java.

      1. Tom 13

        @LDS

        No, all old java code, possibly new stuff too although hopefully Oracle fixed it. The attack detailed here is specific to the Mac, and the Macs had a particular affinity for it since Apple hadn't updated the code. But the vulnerability itself was in Java. Once you've got the Java exploit worked out, you can engineer other attacks on other systems. Put those attacks at different locations and you get multiple feeders. Then people going 'it's just a Mac attack' or 'it's just a Windows attack' will ignore their own vulnerabilities allowing your malware to spread further. If I were a State sponsor of cyber attacks, it's certainly the route I'd go. Thankfully for the world I'm just a help desk monkey and slightly dyslexic so math and I don't get along as well as I'd like.

  11. Fazal Majid

    Practice safe browsing

    Apple (or Microsoft) can't really be blamed for security vulnerabilities in third-party software, Adobe Flash and Java being egregious culprits.

    That's why I disable Flash and Java in my primary browser (Chrome) and only have them enabled on my secondary browser (Safari) that I use to visit sites that absolutely require either, and then only under duress (normally I will just ditch a site that requires Flash or Java, or won't work with cookies disabled, as that is not acceptable in the 21st century). I also make sure the bug-ridden Adobe Reader never makes it onto my computers.

    The best approach would be for browsers to run all plugins in a virtualized sandbox where they cannot do any harm, but the engineering effort to do something like this would be daunting, essentially duplicating the functionality of VMware, and non-portable to boot.

    1. Yet Another Anonymous coward Silver badge

      Re: Practice safe browsing

      They don't make it easy though.

      Disable Java in chrome

      Click the little iching symbol on the toolbar - well the three horizontal lines that means 'heaven' or settings

      The select settings

      Then click the show advanced settings link

      Then click the content settings button (hint this is the one that is a heading not a link)

      Then scroll down to plug-ins in the popup window

      The click the disable individual plugins link (we are back to links now)

      Then find Java and click disable

      To quote Douglas Adams .... Have you ever thought of going into advertising ?

      1. Gadget Rage is BAD

        Re: Practice safe browsing

        How about just doing this instead..

        1) Type chrome://plugins into url bar,

        2) Click on "disable" beside the java plugin

    2. Tom 13

      Re: can't really be blamed for security vulnerabilities in third-party software

      So long as it remains third party software that is completely under control of the users, yes. Make it part of the OS and not something the user can fix and that changes to a big fat NO.

  12. TeeCee Gold badge
    Windows

    "Microsoft declined to comment."

    Presumably because they're all too busy dressing up as Munchkins for a corporate rendition of "Ding Dong the Witch is dead." from "The Wizard of Oz".

    1. I ain't Spartacus Gold badge
      Happy

      Re: "Microsoft declined to comment."

      Well it would be a tad embarrassing if MS had to admit they'd been hacked too. As that would be tantamount* to admitting they do their developing on Macs...

      I wonder if MS will now send a nice present to Oracle. Perhaps a new yacht for Larry, with a pirate flag with an apple impaled on the top of the pole.

  13. This post has been deleted by its author

  14. Anonymous Coward
    Anonymous Coward

    I'm a Mac user, and I say:

    Lalalalalalalalalalalalalalalalalala.......

  15. Anonymous Coward
    Anonymous Coward

    Pack 'em up...

    ...and ship the perps off to prison for 15 years.

  16. Anonymous Coward
    Anonymous Coward

    Wouldn't have happened with Windows 8

    Mac, Linux etc - anything based on Unix is just utter horsetripe compared to the years of honing Microsoft have done on developing a secure modern kernel. Windows 8 is the pinnacle of that, and those of us who run it are deeply happy and safe in the knowledge that there are no threats out there that can touch us.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Wouldn't have happened with Windows 8

      Great to see someone sticking up for Windows 8. Except in this case, it was a Java 0-day. Or are you saying Win8 can block JVM holes?

      C.

      1. Anonymous Coward
        Anonymous Coward

        Re: Wouldn't have happened with Windows 8

        Windows 8 employs a sophisticated AEFU layer (Anti-Ellison-F**K-Up - sorry Larry it's under your watch now) which sniffs out JVM holes and blocks them by injecting incredibly elegant java classes which intercept miscreants and route the badness into the ether via JNI. *Only* the geniuses at Microsoft can write code like that.

      2. Robert Carnegie Silver badge

        Re: Wouldn't have happened with Windows 8

        He means Windows 8 can't run Java. Or, rather, Internet Explorer 10 in Windows Store mode doesn't run browser plug-ins, except for the Adobe Flash plug-in. Zero-days and all.

        Java, Flash, and many other protocols that run in a web browser or handle downloaded files and also have access to the desktop system are potential holes in your computer security colander, I mean cordon. No, I was right with colander. But it's also true of documents for Microsoft Orifice. That's why those tools have to be patched as well. And it's true of WebGPUsr whatever that's called. Giving the Internet access to your graphics hardware is awfully unwise.

        If these things need to be done, then they should be done for selected highly trusted web sites only. Or for no web sites. You can run Java and Flash as separate desktop applications with useful results.

  17. RainForestGuppy

    The Reality...

    Linux has security flaws

    OS-X has security flaws

    Windows has security flaws

    Unless an operating system kernal is locked/controlled to such an extent that the user cannot run or perform any task not explictly defined by the original development then there will still be flaws, and even then I wouldn't garuantee it would be 100% secure from any future attacks

    And that's the point, it's all a balance between security and functionality. Mainframes are more secure because the only tasks allowed have been pre-defined. Personal computers are designed to let users have as much functionality/flexibility as possible.

    1. TonyJ

      Re: The Reality...

      Now you need to be careful RainForestGuppy - there's no place for a reasoned, common sense, point on El Reg.

      It should be a foaming-at-the-mouth rant against whichever OS/phone/slablet device and/or manufacturer you don't personally support!

    2. deadmonkey
      Thumb Up

      Re: The Reality...

      Hmmm mainframes are probably more secure because you don't use them to browse sites on the internet.

      1. TeeCee Gold badge

        Re: The Reality...

        More to the point, if you were to use a mainframe to browse the internet, you'd be about as likely to run into a malware payload targetting its O/S as you would be to spot a Yeti shagging a Unicorn while driving up the M6.

  18. I ain't Spartacus Gold badge

    Apple mainstream

    I've often seen the comment that OSX would get more viruses (virii?) when it was more mainstream. And it still isn't really, although I believe their US laptop sales are pretty high now. But don't they now have a huge number of developers using Macs? I saw a picture taken at a Ruby on Rails conference, and there was a room completely full of Macbooks and only one lonely Dell.

    I guess that's still not mainstream enough if you're trying to sell Viagra. But if you're after information, or playing the long-game and want to infect websites/programs rather than individual PCs to push your Viagra, then maybe that makes OSX mainstream now.

    Not nice PR for Apple though. I wonder how good their security response will turn out to be?

    1. BristolBachelor Gold badge

      Re: Apple mainstream

      I'd agree with you, that you see a lot of devs with MBPs, but unless you are developing for iOS (which I admit a fair number will be), you don't necessarily need to run Mac OSx. I've spoken to a fair few who only buy the MBP for the hardware and then run Win or whatever on it.

    2. Stretch

      Re: Apple mainstream

      "I saw a picture taken at a Ruby on Rails conference, and there was a room completely full of Macbooks and only one lonely Dell." Makes sense. Idiots use Ruby on Rails. Idiots use macs.

  19. Anonymous Coward
    Anonymous Coward

    At least it's news..

    .. for Apple OSX users.

    Nobody would have cared about an attack on Windows machines because that's, well, you eventually grow numb to that and just accept that every Tuesday you lose 20% of your network bandwidth on patches, and every day's bootup is accompanied by anti-virus updates because there are SO many..

    It is, however, incorrect to state that 's the fault of MS and Adobe that there are problems - you run what you run because it has function or value. I don't have the Microsoft problem because I don't use it, and when I use Adobe Air it's only for BBC iPlayer, but java can be an issue. I have disabled it, but some sites I use don't really work without so I have to enable it there.

    Oh, and I *do* have anti-virus. I don't buy statements from people who are clueless about how IT security works (i.e. marketing noobs), I like *facts*. So far, 2 years in, I have not seen malware on this box other than in spam messages I didn't delete before the scan was started - and they were Windows threats.

    I use OSX because it's more efficient for the way *I* work, and it's a commercial grade desktop that is much easier to secure than Windows - but not because it IS secure. I haven't come across an OS that is - even the Linux boxes I run need to be controlled and kept up to date to stay safe, and even then I kill services I don't use until such time that I need them.

    1. Mike Flugennock

      Re: At least it's news..

      ...It is, however, incorrect to state that 's the fault of MS and Adobe that there are problems - you run what you run because it has function or value...

      ...or, in the case of most corporations, because it's what they've foisted on you, because nobody was ever fired for recommending Microsoft.

  20. Andrew Jones 2

    Sorry to the folks saying Windows was designed much better -

    up until XP Service pack 3 - the AT command by default gave all added scheduled tasks full system privileges regardless of the limitations of the current user.

    Eg - "at 14:56 /interactive cmd" would add a scheduled task to execute at 2:56pm that would run a command prompt. then once the command prompt runs, ctrl+lt+del and kill explorer.exe. Type explorer and hit enter into the dos prompt and voila - you are now running as the system account which gives you full access to every part of the system - with more privileges than even the local administrator.

  21. Mike Flugennock

    Well, unfortunately I'm still running a flavor of "Tiger"...

    ...as I'm still stuck with late-model PowerPC machines here.

    Still, I don't recall even installing Java Runtime at all, and have Java switched off in Firefox most of the time. I spend a total of ten minutes, tops, at a sitting in Facebook (I'm hardly on as it is) with absolutely zero apps, so I should be in pretty good shape.

    Also, assuming there are 1800ish vulns in OSX (show me your sources or take a hike), Windows still holds a pretty substantial edge in desktop share, not to mention that fact that, iirc, Windows still comes out of the box with its security set to "hack me, backdoor me, trojan me, zombify me, pwn me".

This topic is closed for new posts.

Other stories you might like