"all but dismissed malware as a Windows-only problem."
Pride comes before a fall
Apple has belatedly patched a security hole in the Java engine it ships with Mac OS X - the very hole exploited by hackers to infect Apple's own developers, their counterparts at Facebook and scores of other Mac-using companies. The vulnerability allowed miscreants to execute malicious code outside of the limited and …
...just hand management of the entire steaming poo over to Oracle instead of getting stuck in the middle of somebody else's release schedule. Then they can just point the finger without the reputation damage that Java is currently causing them.
What is this cosy relationship between Java and Apple anyway?
Since Apple demoted Java from being the "first class" citizen of OS X that they originally anticipated, there's no real decent reason for them to be involved in the release of somebody else's software.
perhaps not the best idea
Except, for some of us, we have to run Java to do our jobs. And if we don't, then we don't get paid, so can't pay the rent and so are thus homeless and starving to death.
So, on balance, I'd say installing Java to remove the malware was a good idea, and at the same time, following the advice in this article to be aware if someone does manage to get malware on my machine:
http://reviews.cnet.com/8301-13727_7-57415311-263/monitor-os-x-launchagents-folders-to-help-prevent-malware-attacks/
How would you know your machine was part of a botnet these days? Given flash and java are so full of holes, browsers aren't always that secure, anti-virus is not perfect, then all it may have taken is some malicious google ad appearing on some website I visited at some point to have installed some rootkit.
If anti-virus doesn't pick it up then it's hidden. I can't trust any readout from software for what my computer is doing. Internet running slow? I can run netstat to see all active connections, or run wireshark or something to look at packets, but have the underlying network assemblies been tampered with so that certain information is being hidden from me?
The only thing I can think of is to resort to extremes like always browsing the internet under a VM, or setting up another machine as a router so that I can monitor the traffic without fear that some rootkit is hiding stuff. Or reinstall the OS regularly (under the idea that it might help).
Then again there is the tree falls in a forest principle: if I am part of a botnet but don't know I am part of a botnet, do I care?
Browsing under a VM isn't a guarantee. There's been far too many break-out vulnerabilities for that to be a trusted setup. Monitoring from a router would be better, as the attack surface of the router can be made much smaller than that of the regular machine. And, nastily enough, there's been root kits that survive an OS reinstall by hiding in the boot memory...
By and large, for most people, I suspect these days you know you're part of a botnet when your ISP calls you and tells you...
@NomNomNom, I was going to comment on Apple's idea of security (...to use the malware removal tool you have to install Java...), but it seems self-explanatory as to why it is a bad plan. Instead, you raise a couple of good points.
I do not see how browsing through a VM should be considered an extreme act, especially as at least one OS is in the works which virtualizes (if that is even a word) pretty much everything.
As far as being lost amongst the trees, well, I suspect you will not care why your machine acts odd from time to time, or runs slow, or that your identity has been stolen, only that these things have happened. If your machine has been compromised and is part of a botnet, it probably has other malware, too.
It says on the anti-malware page, "This update is available for systems that installed Java 6", but does that imply that you have to still have Java 6 installed to use that?
By the way, PUBLIC and free updates to Java 6 (not Java 7) from Oracle are due to terminate at the end of this month, according to,
http://www.oracle.com/technetwork/java/eol-135779.html
Updates to a Mac version may be different. And business users who are stuck with Java 6 for their particular needs presumably are expected to pay for support.
> How would you know your machine was part of a botnet these days?
Install something like LittleSnitch. That'll alert you to anything new that starts communicating from your machine to the outside world.
It's a pain for the first week or so, as you get alerted to everything, and have to acknowledge the ones you're okay with and investigate the ones you're suspicious of. But after you've got it bedded in, then you know that any alert that comes up which you didn't do anything unusual to initiate is likely malware trying to dial home, and so you can kill it.
The best, but not guaranteed, way would be to have two computers, one of them being completely standalone and not exposed to your network / internet and comprising of all your data and applications that you actually do work on. Files are then burned to a CD / DVD and transferred to the other PC for emailing, etc. I don't actually do this, but am beginning to consider it. The isolated PC would also be one of my self-built older ones, to help minimise the risk that the hardware / firmware is infiltrated by the Chinks.
Perhaps Apple should block users from installing deadly software like Flash and Java. I can't help thinking it would be for the best, given the track record of Adobe and Oracle.
I have Java disabled in my browser and Flash won't run because the browser doesn't have the most recent Adobe plug-in. I think I'll keep it that way.
> Perhaps Apple should block users from installing deadly software like Flash and Java
Perhaps Adobe and Oracle should be required to provide complete, current, cumulative, and detailed instructions, prominently displayed on their own sites, for how to go about definitively uninstalling software like Flash and Java--nuke-it-from-orbit-style.
How a hole in the Java software ... is Apple's fault???
And let's get something straight: malware on desktop computers is pretty much a Windows problem, we are still talking small change when it comes to Apple, and no amount of snide reporting, or AC boot licking is going to change that.
For the same reason a problem in IE is an OS issue at MS: they built it that way. As in 'the user has no ability to fix the problem' absent a patch from the relevant OS vendor.
Yes, they have belatedly realized that they made a mistake worthy of Ballmer and reversed course, but given that it was obvious to everyone who wasn't a fanboi, it's not helping them.
"Wrong, if you have Java 6 without the patch then you are vulnerable.
Java is a compiled interpreted language and any exploit in the VM can be possible on multiple OSes in some cases."
But you see, since any time there is an "issue" in the Wintel world so many tektards are gleefully shouting about it you can pretty much get the gist within hours from the side of a milk carton, everyone else got the memo about Java from their browser weeks ago and, if they had any sense, took the suggestion seriously and turned the bugger off, since Oracle weren't being terribly pro-active about dealing with the problem.
In the Apple world the problems still exist, it's just that no-one talks about them (sometimes because getting a fix involves NDA paperwork - according to one famous Apple promoting geek). The uninformed Apple kit user - which is most of 'em - is rather hung out to dry on a string of increasingly untrue assumptions drawn using an internet crime model from the last century. No glee here in saying that, I use whatever comes to hand. Linux, Solaris, AIX, OS2200, Windows; all just tools needed to get the real work done (which isn't anything to do with computers as I keep reminding our "server division").
That bloke who was crying about not getting paid will likely either be overjoyed at the overtime or crying again soon - I'm told by our Java lot that installing 7 caused no end of problems in some of our legacy applications. Serves 'em right. We move money from place to place, we don't launch rockets or run massive shared world online games and we don't offer anything sophisticated in our website access because we don't need to. What we need is more Cobol* not closer ties to Oracle.
* which works, gets upgraded maybe twice a decade and has intrinsic money-handling data types that obviate stupid programmer lack-of-acumen. Never heard of scaled decimal young feller me lad? Let me introduce you to Mr Textbook. Mr Textbook, meet Mr Programmer's head.
Younger participants (assuming that there are some?)
CoBoL
Common Business Oriented Language - an attempt to take geekiness out of geek to provide solutions pragmatic and practical (and usually anti-theory, non-theory or contra-theory business types favoured such as: No, don't want a new computer language. Computer has a language and we just want it to do as we want it to do. Okay?)
thus doing things on a pootah that emulated older, traditional non-computational working methods that might have lacked logic yet oozed human values in a way that non-geeks enjoyed an intimate understanding of and influence in, no?
The syntactic structure is reasonably close, but no one would believe this was written by a human. I think your model needs more training.
Wow. Not only no sense of humor, but while you can make out the words you can't interpret the icon. It was a riff on all the Mactards always posting that malware is only a Windows problem.
If you've read ANY of my other posts you'd know I take vulnerabilities ANYWHERE seriously. I particularly take note of Java vulnerabilities because some fucktards way up the chain of command insist critical financial apps in our organization run on Java versions known to be vulnerable. At one point we were still dependent on 1.5.16 and Sun had discontinued support for any version of v5 3 years earlier. That this app potentially conflicted with any of three OTHER financial apps that depend on still different specific outdated versions of Java only made it more fun when one of them failed because of a corruption somewhere in the Java stack because we still pushed updates to try to protect the network.
The problem isn't Apple or Microsoft, it's Oracle. Oracle has the worst security practices in the industry (granted Sun really got the ball rolling with their shit JVM implementation originally). I can't believe so many of the world's databases are running on their junk software methodology. If you install Oracle or Adobe software it doesn't really matter what your OS is. You are asking for a world of hurt if your computer is connected to a network.
"But to use the malware removal tool you have to install Java and this is perhaps not the best idea especially since the language has become a prime target for hacking attacks of late, as Sean Sullivan of security software firm F-Secure notes."
Install Java but don't enable the browser applet plugin. Java by itself is no danger.