Forgot your password?
typodupeerror
Botnet Java Apple

Apple Updates Java To Include Flashback Removal 121

Posted by samzenpus
from the protect-ya-neck dept.
Fluffeh writes "In the third update to Java that Apple has released this week, the update now identifies and removes the most common variants of the Flashback malware that has infected over half a million Apple machines. 'This Java security update removes the most common variants of the Flashback malware,' Apple wrote in the support document for the update. 'This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.'"
This discussion has been archived. No new comments can be posted.

Apple Updates Java To Include Flashback Removal

Comments Filter:
  • by Lord_of_the_nerf (895604) on Thursday April 12, 2012 @07:57PM (#39667533)
    ...I was wondering why the art department at work and the guy who makes my coffee was pissed.
  • immature=no java (Score:5, Interesting)

    by Anonymous Coward on Thursday April 12, 2012 @07:58PM (#39667539)

    So to fix the problem, they say lets disable java by default. They are new to the security game.
    Lets say using adobe photoshop had a vulnerability, apple's defense is disable the running of photoshop when launching a ps file withotut prompting?

    It's like preventing your child walking without your permission every time and then when their grown up and able to make their own decisions and decide to walk, you say, oh you have not walked in a while, you can't walk again.

    • Re: (Score:2, Insightful)

      by mug funky (910186)

      apple's design philosophy is to progressively remove features, so this fits quite well.

      (anyone wanting to knee-jerk at my assertation - give me a counter-example)

      • Re:immature=no java (Score:5, Informative)

        by BasilBrush (643681) on Thursday April 12, 2012 @09:20PM (#39668257)

        What, you mean a new feature? Wikipedia is your friend, there's a long list of new features for every major OSX version.
        e.g.
        http://en.wikipedia.org/wiki/Osx_lion [wikipedia.org]

        • by mug funky (910186)

          well... they removed some of the crashes i guess.

          i was thinking more hardware and software. Final Cut Pro X is a recent example. they added some interesting stuff if you're shooting multi-cam, and broke EDL, XML, backward compatibility, the ability to share projects and removed Color entirely.

          hardware wise... if they could remove the home, power and volume buttons they would. they lost me as a supporter when they removed the "reset" button - an arrogant statement that their (then OS 8.6) machines will ne

          • You can just remove the battery from the laptop... unless its a macbook air...
          • Re:immature=no java (Score:5, Informative)

            by tlhIngan (30335) <slashdotNO@SPAMworf.net> on Friday April 13, 2012 @01:05AM (#39669763)

            I agree what they should have done is remove java entirely.

            They did. Java and Flash have no longer been shipped with OS X for ages now. The primary reason is people keep reinstalling OS X and thus those vulnerable versions. Far better to let the user download and install the latest and greatest from Adobe and Oracle.

            Final Cut Pro X is a recent example. they added some interesting stuff if you're shooting multi-cam, and broke EDL, XML, backward compatibility, the ability to share projects and removed Color entirely.

            Well, Final Cut Pro X is a completely new rewrite. Apple's tradition is new rewrites of software is to get the basics working rock solid first, then add back missing features. This has been true since OS X was first released and didn't have half the stuff (e.g., DVD player) that OS 9 it shipped with also had. It happened again with QuickTime X - there's a reason why OS X supported a dual install of QT X and QT 7. FCP X is more of the same. They also retargeted it for prosumers rather than pros And yes, they still sell FCP 7 - but only by phone sales.

            hardware wise... if they could remove the home, power and volume buttons they would. they lost me as a supporter when they removed the "reset" button - an arrogant statement that their (then OS 8.6) machines will never crash and hence never need the kill button. had to wrench the fuckers out of the wall. God help you if you had a laptop.

            Does a modern PC have a reset button these days? Most of the time if it hard locks, you hold the power button a few seconds and it turns off. You then hit it again to turn it on. Reset's kinda useless since most people found they needed to mollyguard their PCs. Hell, an office full of white box PCs on the floor is a tempting target around family days - little buggers go running off and pushing all the buttons on a PC, including reset. Anyhow, old Macs had them, but they were pin-holes to prevent exactly that sort of problem. (You needed it if you wanted to get into the debugger).

            • by mug funky (910186)

              Final Cut Pro X is a completely new rewrite. Apple's tradition is new rewrites of software is to get the basics working rock solid first, then add back missing features.

              ask _any_ editor that doesn't work out of their bedroom what "the basics" of a professional editing package are.

              i'm not sure you understand the sheer scale of Apple's fuckup with FCP-x. sure, they've made some amends on a few features, but the entire industry is shell-shocked and afraid to trust again - even my old boss, who was a die-hard mac fanboy (to the extent of installing an xSAN system and having to spend 100k+ on hardware and software getting it to work with the PC, linux, and mac systems in the f

          • well... they removed some of the crashes i guess.

            Was the list too big, your comprehension abilities too poor, or have you just got a Fox News like ability to deny what's there in front of you? Apple adds lots of new features.

            In good design, what you take out is as important as what you leave in. Look at Windows and the PC for what happens when you are afraid to take anything out. You end up with a big pile of shit.

            • by mug funky (910186)

              in design, form must follow function, not dictate it.

              Microsoft certainly didn't do it as well as they could, but at least they tried. Apple didn't even try.

              i'd be happy if their updates just came with a simple "classic mode", or "expert mode" switch - i know "the masses" (whatever they are) are afraid of too much choice, but any feature will likely have a use, and removing it will likely inconvenience someone. less used features can be shifted out of sight, but should not be removed unless there's a very

              • in design, form must follow function, not dictate it.

                Microsoft certainly didn't do it as well as they could, but at least they tried. Apple didn't even try.

                You are misinterpreting the one thing about design you've heard. "Form follows function" does not mean that everything including the kitchen sink should be included. Designers following form follows function simplify.

          • What are you talking about? You just hold down the power button on any model ever made.

      • That seems to be everyones philosophy of late: Apple, Microsoft, the Gnome Devs, Canonical, the guys which design Android...for crying out loud, I even can't find fitting shoes anymore because they all look the same.

    • Re: (Score:3, Insightful)

      by codepunk (167897)

      I agree what they should have done is remove java entirely.

      • Re: (Score:3, Interesting)

        by Anonymous Coward

        You have 3 pieces of software that constantly gets patched for security holes found and they are....

        1) Java - Not installed in OS X by default anymore. Doesn't get installed unless its requested like running Adobe Apps, etc.

        2) Flash - Not installed anymore by default

        3) Quicktime - Rewritten from the ground up starting with QT X. QT 7 and back has always been a security breach.

        • by utkonos (2104836) on Thursday April 12, 2012 @08:44PM (#39667965)
          You're missing one: Adobe Acrobat (PDF).
          • Re: (Score:2, Informative)

            by ColdWetDog (752185)

            PDF's are handled internally by Preview.app. It doesn't have the functionality of Acrobat reader but it also doesn't have the attack surface.

              • by Anonymous Coward

                Wow. A whole hole. That's equivalent to the patchwork software that is Adobe Reader.

                • Re:immature=no java (Score:5, Informative)

                  by cbhacking (979169) <been_out_cruising-slashdot@yahoo. c o m> on Friday April 13, 2012 @05:15AM (#39670847) Homepage Journal

                  As of 2010, Adobe Reader was kicking Preview's ass on security. No, that's not a joke. Nor is it fanboyism; I don't use either one. It's just a plain and simple fact. The probable reason? Adobe, like Microsoft, has had many years of being a high-profile target, and has put a lot of effort into finding and fixing security bugs. Apple, quite frankly, has not.

                  http://net-security.org/secworld.php?id=9725 [net-security.org]
                  Watch the second video, and jump ahead to 8:57 (almost the end) if you want a simple comparison.

                  For the lazy, here's the basic facts: Preview had from the same set of 1400 PDFs downloaded from the web, run through a mutational fuzzer to produce 2.8 million test files. Preview had 7 times as many unique crashes as Adobe Reader, and at least 3 times (more realistically, probably 10 times; at worst, 20 times) as many exploitable bugs.

                  When a guy like Charlie Miller (very well-respected security researcher) can find 7 security bugs in Apple's code for each one he finds in Adobe's (using the exact same test cases), Apple has a serious security problem.

            • by makomk (752139)

              I think the attack surface of Preview.app actually extends into the OS X kernel itself. One of the iPhone jailbreaks used a kernel-level PDF exploit and it was apparently in code shared with the desktop version.

      • by Anonymous Coward

        It seems silly to blame Java when the entire purpose of Java is to serve as an execution platform for general purpose software. That's like saying "hey we should get rid of executable software, because it could pose a security risk."

        • It seems silly to blame Java when the entire purpose of Java is to serve as an execution platform for general purpose software.

          That was one purpose of it but not the only one and not the one that has caused the controversy.

          Another purpose from java was to provide a SANDBOXED execution platform for running untrusted software (such as applets from the web) while preventing it from damaging the users system. The problem is getting a sandbox like this right is hard and every so often a flaw is discovered that lets malicious code break out of the sandbox.

      • I agree what they should have done is remove java entirely.

        Java is not installed by default in Lion, the latest version os OSX. The users is prompted to install it the first time he opens a webpage containing an applet or the first time he invokes "java" on the CLI.

    • They're disabling applets, not Java. That would be like prompting if you wanted to open a recently downloaded ps file in your analogy.

    • Re:immature=no java (Score:5, Informative)

      by BasilBrush (643681) on Thursday April 12, 2012 @09:12PM (#39668177)

      No, the fix to the problem was to ship the latest Java build which had closed the vulnerability. And then to follow that up with an update that removed any infection already there.

      Java is deprecated. As a development platform for OSX it was deprecated going on for a decade ago. And as a platform supported by Apple, back in 2010. With the current version of OSX it doesn't even ship as standard. It only gets downloaded and installed for the minority of people that actually use some software that needs it.

      Nevertheless, the only part that is getting switched off when it's not been used for a while is the browser plugin. And reenabling it if required is easy.

      Basically it's a bit like Flash - being helped on the road to complete obsolescence because it's not needed and tends to have vulnerabilities.

      Perfectly sensible.

      • Java is deprecated.

        Please don't tell me you're a .NET developer...pretty please...

        • by Jesus_666 (702802)
          No, a Mac user.

          Apple used to support Java as a first-class citizen. It was one one level with Carbon (the OS 9/OS X UI toolkit) and Cocoa (the OS X UI toolkit). Carbon has been deprecated because, well, it was only intended to make the switch from 9 to X easier and 9 has been dead forever. Java has been deprecated, too - it's now a second-class citizen like on other platforms and Apple's only officially backed environment for OS X development is Cocoa.

          So it's not deprecated as in "you shouldn't use this
      • > Java is deprecated.

        What?

  • only the beggining (Score:2, Interesting)

    by thoper (838719)

    apple's "security through scarcity" is starting to fade away as they gain marketshare. any popular OS will get viruses, malware, trojans, etc.

    will mac os get a stonger walled garden as a result? i hope not as i was about to buy my first mac.

    • Wait a bit longer and you'll only be able to install Mac software you bought through iTunes.
    • apple's "security through scarcity" is starting to fade away as they gain marketshare. any popular OS will get viruses, malware, trojans, etc.

      will mac os get a stonger walled garden as a result? i hope not as i was about to buy my first mac.

      The next release of OS X (Mountain Lion) will warn people when trying to run unsigned apps [panic.com]. Apps sold through the Mac App Store will be signed and devs will be able to get their app signed by Apple for free without having to distribute through the App Store. Unsigned apps will also still run if you tell the system to do so. The fact that Apple are doing things shows they will not go full-on walled garden like with iOS but are still trying to get some of its advantages to their users by choosing this middle

  • Except for Macs running Leopard or earlier of course. Those will probably never be patched.
  • by Grayhand (2610049) on Thursday April 12, 2012 @08:21PM (#39667745)
    Most of the problems have been related to people installing software from the internet manually and things like Java. I'm not saying anything pro or con about Apple I own both Mac and Windows machines so I have no horse in this race. Like Linux the core OS is pretty sound I just wish Microsoft had bitten the bullet and made the leap when they did the Vista overhaul. It was a pretty brave move for Apple at the time to switch the OS and it paid off in the long run. Add ons like Java are always going to be a source of headaches. All I know is I rarely have trouble with my Macs but the PCs are another story. One of mine I had to surrender for internet use because it got nailed by a redirect and I tried everything and short of redoing the OS there was no way to scrub it out. I find it safer to use Mac for web surfing and downloading things like software and I use a lot of licensed photos in my work. It's just my personal experience that I run into far fewer issues with the Macs.
    • by exomondo (1725132) on Thursday April 12, 2012 @09:04PM (#39668115)

      Most of the problems have been related to people installing software from the internet manually and things like Java.

      That's pretty much the case with all platforms, compromise the user and you compromise the security of the system. All the email attachment malware, screensavers, etc... are user exploits and it doesn't matter what platform they are on, of course modern operating systems require explicit privilege escalation but again that's up to the user.

      Add ons like Java are always going to be a source of headaches.

      What do you mean 'Add ons'? You mean 3rd party software? Or in this case not even that since it's Apple that maintains Java releases for OSX.

      All I know is I rarely have trouble with my Macs but the PCs are another story. One of mine I had to surrender for internet use because it got nailed by a redirect and I tried everything and short of redoing the OS there was no way to scrub it out. I find it safer to use Mac for web surfing and downloading things like software and I use a lot of licensed photos in my work. It's just my personal experience that I run into far fewer issues with the Macs.

      I'm equally as careful whether i'm running Windows or OSX, i'm not going to be naive and just install anything downloaded from the net or visit questionable sites on either platform because - as these recent publicized events have highlighted - neither platform is completely secure and it would be pretty irresponsible to tell users that they don't have to worry about security just because it's OSX, best to be just as careful no matter what you use. Sure there are less known issues with OSX - even less for most linux or BSD distros - but as their marketshare increases we are seeing instances of infection increase so best to take as much care no matter which platform you're on.

  • by Trogre (513942)

    When this debarcle started, I mis-parsed an article heading and was worried Apple was trying to erradicate Flashblock, and had grave fears for the web.

  • by Anonymous Coward on Thursday April 12, 2012 @10:18PM (#39668691)

    They're trying to prevent malware by installing their own malware.

    It is absolutely right to disable Java by default. Even the behaviour of disabling it if not used for a while COULD have been a useful feature IF they turned that behaviour on by default then provided an option to disable it. By taking it out of the user's hands they're just playing nanny. But like any nanny stuck in an office many years and many miles away they can't anticipate the needs of their entire userbase very well. They have just made it a pain for any user to use Java in a browser on their platform. No one needs a computer that decides not to obey settings the user had set (no matter how long ago). Think of what would happen if every setting on your computer set to defaults every week or two.

    I can think of ways around this that don't require any technical savvy. Put a local Java applet in as your homepage for instance. But this is clunky. You should be able to say "no I really do know better" and turn on Java.

    This is the problem when applying the principle of least privilege. It is also the principle of least innovation and the principle of most annoyance. The bottom line is no one needs access to a computer just to live and breath. Least privilege is oxygen, water, basic food. Wouldn't be much of a fun life.

  • Within a day of the attack being announced various security blogs (and then Ars Technica) were posting directions for finding if you were infected. Each of those assumed that you'd left Safari and Firefox (and any other browser you might have been using) in the Applications folder. Since I get pissed off wading through jumbled, alphabetical lists of totally different programs, I organise my Applications folder into sub-folders. While I can go and check the programs myself from the command line, from my own

    • by Anonymous Coward

      Oh, you're one of those users that takes it upon themselves to "organize" their Apps folder. You make your Mac support people cry and die a little bit inside.

The world is moving so fast these days that the man who says it can't be done is generally interrupted by someone doing it. -- E. Hubbard

Working...