New Targeted Mac OS X Trojan Requires No User Interaction

An anonymous reader writes "Another Mac OS X Trojan has been spotted in the wild; this one exploits Java vulnerabilities just like the Flashback Trojan. Also just like Flashback, this new Trojan requires no user interaction to infect your Apple Mac. Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it 'SX/Sabpab-A.'"

  • by buchner.johannes ( 1139593 ) on Saturday April 14, 2012 @06:05PM (#39688775) Homepage Journal

    Isn't a Trojan that requires no user interaction by definition a Virus?

  • by slashmydots ( 2189826 ) on Saturday April 14, 2012 @06:05PM (#39688779)
    I didn't consider mac users lording their "super advanced security and magical virus immunity" as "good times." It's about time someone reminded them that Windows is far more secure, it's just targeted more. This is going to be the beginning of a long line of taking them down a notch.
  • by Mitchell314 ( 1576581 ) on Saturday April 14, 2012 @06:10PM (#39688827)
    Oh come on slashdot, I'm a mac fan and even I found this funny. No need to mod down.
  • by pushing-robot ( 1037830 ) on Saturday April 14, 2012 @06:14PM (#39688863)

    But it looks like the good times are over.

    At least until you remove Java (and preferably Flash and Acrobat Reader), or set plugins to click-to-run, or they finally implement signed apps and sandboxing (which Apple keeps delaying since developers keep screaming about it).

    It's ridiculous that all browsers don't require you to approve plugins, at least on a per-site level, but it's true there are still quite a few sites out there that break in strange ways if some hidden java or flash element fails to load. Still, I'd rather live with that than trust my computers' security to Adobe and Oracle.

  • Market share (Score:4, Insightful)

    by devleopard ( 317515 ) on Saturday April 14, 2012 @06:40PM (#39689073) Homepage

    This is inevitable, and will continue. OSX has gone from 2% to an estimated 14% market share since 2003 [wikipedia.org]

    Android has something like a 47% share in the smartphone space.. and there's a report of malware weekly.

    I think it's fair to say that it's easier to find a hole (ugh, here comes the 12 year-old humor) than to imagine all the ways people might come up with. You simply need a large enough target to make it worth their while.

  • by dr2chase ( 653338 ) on Saturday April 14, 2012 @06:50PM (#39689143) Homepage

    It WAS cross-platform (in theory). Apple was slow to release a patch, everyone else (who was up to the latest rev of Java) is fine, because non-Apple Java had a patch for this before the Trojans were deployed.

    Java has a better in-theory story than most things exposed to the web because it is (by design) invulnerable to buffer overruns. In practice, however, it uses native libraries for some important stuff, and those have the buffer overrun problem. I don't know the details of this bug, however. I find the seemingly neverending stream of vulnerabilities in everything to be more than a little depressing.

  • by oberhaus ( 1004585 ) on Saturday April 14, 2012 @07:04PM (#39689219) Homepage
    This attack is done by taking advantage of an exploit in the Java plugin. There are also lots of exploits in Flash (unless they have all been found and fixed...) You should try using Chrome and Click to Play: https://plus.google.com/118187272963262049674/posts/Mmgbr3BcYWb [google.com]
  • by Anonymous Coward on Saturday April 14, 2012 @07:20PM (#39689327)

    20-30 new viruses a day for windows, 1 virus for the mac in 10 years shows windows is more secure?

  • by Anonymous Coward on Saturday April 14, 2012 @07:27PM (#39689371)

    This is going to be the beginning of a long line of taking them down a notch.

    What? really? So just because someone uses a Mac instead of Windows means they somehow think they are superior to you? I'm sure there are some people that use Mac that think they are superior but that doesn't mean that everyone using a Mac thinks that. So how about you get off your high horse and stop condemning people based on what OS they choose. I personally prefer Mac OS to Windows. I grew up on Windows from Windows 3.1 to Windows Vista. For me, Mac OS is far more intuitive and streamlined. When I think of Windows I think of Menus and Folders. When I think of Mac I think of Apps and Documents. But I saw the preview of Windows 8 and it looks like they're really working on fixing that. I may switch back one day. But I don't think Mac is inherently better. Just different. I do think it's more secure though. Simply because they're far more locked down in their hardware. Windows is designed to work with almost anything which leaves a lot more room for errors to exploit.

  • Re:Market share (Score:5, Insightful)

    by ModernGeek ( 601932 ) on Saturday April 14, 2012 @07:43PM (#39689487)
    Mac OS 9 had a smaller install base than current Mac OS X and was constantly riddled with viruses. I don't think that market share alone determines whether or not something ends up riddled with viruses. That being said, Apple has been particularly lax about security these last three years.
  • Re:Fix Available (Score:5, Insightful)

    by Anonymous Coward on Saturday April 14, 2012 @07:50PM (#39689531)

    pfft, out of the frying pan, into the blazing inferno of thrown chairs.

    Better fix here [linuxmint.com].

  • by Anonymous Coward on Saturday April 14, 2012 @07:53PM (#39689551)

    It's called the beginning of the Bell Curve. There's a sweet spot coming up. A real white knuckle ride.

  • Java sucks (Score:3, Insightful)

    by JDG1980 ( 2438906 ) on Saturday April 14, 2012 @08:13PM (#39689673)

    A large part of the blame for this rests on Sun/Oracle's idiotic decision to install the browser plugin by default when the Java runtime is installed.

    Most users don't need Java at all. Of those who do, a majority of them don't need it in the browser. And of those who do need it in the browser, they only need it for a small handful of websites, not any and every site on the entire WWW. What should happen is that Java installs by default for desktop applications only with no browser plugin. If the browser plugin IS enabled, then by default it should work only on explicitly whitelisted sites or domains, not everywhere. Of course, there should be methods for system administrators to roll out custom whitelist configurations to users in bulk. But apparently no one at Oracle has heard of the principle of least privilege [wikipedia.org], so we get crap like this every couple of months.

    If you have Java, please reevaluate whether or not you really need it. If you do need it, but only for desktop apps (and/or development) and not for browser based apps, then remove the browser plugin. There are virtually no legitimate public websites that use Java, but a lot of malware that exploits the plugin for evil purposes.

  • Re:OS Preference (Score:3, Insightful)

    by Phrogman ( 80473 ) on Saturday April 14, 2012 @09:02PM (#39689961)

    It would really be nice to think that the majority of /.ers are mature enough to just accept that other OSes exist and that some people prefer them. However, apparently most of us are children when it comes to OS preference and have to take an antagonistic and condescending approach to dealing with anyone who differs from our preference. Sad.
    My first computer was an Amiga 500. Then I bought an IBM PC clone. I have used MS products for years (DOS 4 -> Windows XP). I didn't particularly like them as they were rather flaky for much of that time, but they got the job done, and my employers used them so I needed to be familiar with them as well. Eventually I bought an iMac and tried OS/X and I like it. I still use Windows XP when I want to play games, but do the majority of my actual computer using on the Mac side of bootcamp. I have used Linux on the desktop and on the server for the past few decades, plus BSD etc. I have an Android smart phone ATM.
    I try to use the right tool for the job at any point. I *like* OS/X because it works for me quite well and it seems fairly reliable. Other than that I seldom think about the OS. It's a nice form of Unix and it works well, that is about it.
    OS Wars are so childish, unless you are actively developing an OS yourself and can hold discussions based on merit and not personal opinion/bias...

  • by mbadolato ( 105588 ) on Saturday April 14, 2012 @09:23PM (#39690057)

    Not to mention that horrendous experience of connecting a backup hard drive, waiting 30 minutes then have the new OS installation reboot and be exactly how I had everything before doing a reinstall. That moronic process forces me to not waste 10 hours reinstalling everything, every time. Bastards.

  • by emt377 ( 610337 ) on Saturday April 14, 2012 @10:39PM (#39690377)

    Why would anyone want Java in their browser? I don't have the JRE plugin and would never install it. There's no need for Java to run in a browser. Desktop apps is a different matter, Eclipse and such are quite useful. And it's eminently practical on the server side. But in the browser? That's completely legacy, and Apple should just stop distributing the plugin for Safari.

  • Re:Apple Culture (Score:5, Insightful)

    by TrekkieGod ( 627867 ) on Saturday April 14, 2012 @11:56PM (#39690701) Homepage Journal

    Why? Why would Apple want to do this, aside from some insane take over the world theory? They are certainly pushing for signed applications running in nice sandboxes and they're using the Mac store as one way to do it, but why would they want to disable other applications entirely?

    To charge their customary 30% for every Mac OS X application?

    I don't think Apple is using malware to push for the walled garden (It's bad PR, it's more likely to push people away from the OS entirely. They'd much rather continue their "You don't have to worry about viruses with our super-secure OS!" marketing approach.) That said, I do believe they'd love to have Mac OS X as controlled as iOS, if they could figure out how to get away with it.

  • by Kalriath ( 849904 ) on Sunday April 15, 2012 @08:23AM (#39692225)

    Perhaps, but if that link is to "ad.doubleclick.net" or "ad.yieldmanager.net" then no conscious interaction is required, a legitimate site can infect you just as easily.

  • by TheRaven64 ( 641858 ) on Sunday April 15, 2012 @05:37PM (#39695689) Journal

    Why would they? If you are going to use Java you use Swing or AWT or SWT. Using Apple-specific bindings makes zero sense if you are going to use Java (kinda defeats the purpose of "write once, run anywhere" which actually does work if you know what you are doing).

    And that's how you end up with crap applications. Good cross-platform applications are MVC with a different UI for each platform. Even the Swing documentation agrees with this, and recommends that you use a native look and feel. If you've got a Java application then you could add a Mac GUI that would use native widgets and behaviours everywhere (you could even get your Mac UI specialist to draw it in Interface Builder), but still reuse the same model code that you used on other platforms.

    Two things: first, plenty of people still have devices with less than 32 MB of RAM and this was certainly the case when early devices are used

    Irrelevant. No one has an iPhone with under 32MB of RAM. The existence of devices under 32MB has no bearing on the

    Secondly, Apple in its egocentricity decided to support neither

    They also chose not to port Mono. Or any other VM environments. They let you run binaries (although they did restrict this in the developer license for a while), so as long as your language of choice can generate ARM assembly it will run. The egocentricity seems to be more on your part, deciding that Apple needs to pay to have the runtime for your favourite language ported to their platform.

    Universal cross-platform was slowly becoming a reality but thanks to Apple (iOS) and Microsoft (XBox) they are trying to silo again. For *users* is a step backwards, not forwards

    No, for users cross-platform applications that had a non-native look and feel were a step backwards. Java applications on OS X often can't even get text boxes right - the shortcut keys for navigating in a text field are different to every other application that the user uses on the platform - and things like menu layouts are also unconventional. How is that good for the user? Users benefit from good ports, not from half-arsed recompile-and-ship jobs. Or, in the case of Java, skipping even the recompile step.
