Java Security Apple

Apple Hit By Hackers Who Targeted Facebook

Posted by Soulskill
from the getting-hacked-is-now-the-trendy-thing-to-do dept.
snydeq writes "Apple was recently attacked by hackers who infected the Macintosh computers of some employees, the company said on Tuesday in an unprecedented disclosure that described the widest known cyber attacks against Apple-made computers to date, Reuters reports. 'The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers, was used to launch attacks against Facebook, which the social network disclosed on Friday. ... A person briefed on the investigation into the attacks said that hundreds of companies, including defense contractors, had been infected with the same malicious software, or malware. The attacks mark the highest-profile cyber attacks to date on businesses running Mac computers.'"

  • by crazyjj (2598719) * on Tuesday February 19, 2013 @04:26PM (#42947931)

    Thank you folks, I'll be here all week.

    • by jhoegl (638955) on Tuesday February 19, 2013 @04:40PM (#42948095)
      Being that this was a Java exploit which required a visit to a website at the least, I would say that those that got infected have more time on their hands than they know what to do with.
      Security starts and ends with the user. If someone gets a virus, it is most likely that they do not care, are not paying attention, or are clicking on stupid links that go to stupid things that are not related to their work duties.
      Corporations have yet to learn that training is required (less than 30 minutes to show someone the tricks to look out for), and an actual damage assessment and punishment system in relationship to breaches.
      Sure IT may get an increase in calls at the start, but it is worth it in the long run.
      • by pszilard (1681120) on Tuesday February 19, 2013 @05:07PM (#42948469)

        Being that this was a Java exploit which required a visit to a website at the least, I would say that those that got infected have more time on their hands than they know what to do with.

        That was a bit quick to jump to conclusions:

        Rather than using typical targeted approaches like "spear phishing" with e-mails to individuals, the attackers used a "watering hole" attack—compromising the server of a popular mobile developer Web forum and using it to spring the zero-day Java exploit on site visitors.

        "The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected," Sullivan told Ars, "regardless of how patched their machine was."

        Source: http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/ [arstechnica.com]

        • any engineer who visited the site and had Java enabled in their browser would have been affected

          It seems like not many Mac developers would have been affected - because (1) you have to specifically install Java, and (2) as the response from Apple states Java (in the browser) is disabled if you do not use it for 35 days...

          But it would be great to know the sites involved so we would know if we were at risk.

          • by _xeno_ (155264)

            I have Java enabled on my Mac in the browser. Not because I want it enabled, mind you, but because IT requires it to be enabled because some of the software IT requires demands the Java plugin under non-Windows operating systems. (This also kills the plan I use under Windows of using 32-bit Firefox and only the 64-bit JDK, which means I get the JDK I need for my job but not a Java plugin that even can run in my browser.)

            Since the only reason I have a Mac in the first place is to work on a completely useless

        • by jhoegl (638955)
          Perhaps in this case it was a targeted site that was compromised, but the point still stands.
          By making it harder to "phish" people, they must use other means which potentially expose them much easier than an email spam campaign.
          It also points out the problem with complex coding platforms like Java.
          As I never liked Java because of many other factors, this is just icing on the cake to my issues with it. Java is terrible.
          • by pszilard (1681120)

            Perhaps in this case it was a targeted site that was compromised, but the point still stands. By making it harder to "phish" people, they must use other means which potentially expose them much easier than an email spam campaign.

            No, your point does not stand. You were blaming the stupid users with too much time browsing porn sites or whatnot as well as the corporation that did not train them properly.

            There isn't much you can do against a browser plugin silently executing malicious code planted into a normally harmless popular website. No matter how knowledgeable were the respective FB developers, if the cited information is correct and complete, there was no way they could have avoided the problem except by having java block

        • by Xest (935314)

          Why does everywhere seem to be keeping the identity of the site in question top secret?

          That's rather unacceptable, as many other developers using said site could also have been impacted.

          This helps no one other than the admins of a site who failed to properly secure it and they shouldn't have right to anonymity of their site when others may well be at risk.

      • Being that this was a Java exploit which required a visit to a website at the least, I would say that those that got infected have more time on their hands than they know what to do with.

        Security starts and ends with the user. If someone gets a virus, it is most likely that they do not care, are not paying attention, or are clicking on stupid links that go to stupid things that are not related to their work duties.

        Corporations have yet to learn that training is required (less than 30 minutes to show someone the tricks to look out for), and an actual damage assessment and punishment system in relationship to breaches.

        Sure IT may get an increase in calls at the start, but it is worth it in the long run.

        Riiiight. [slashdot.org]

    • Write once, run anywhere.
  • Among my computers is a windows machine. I have no fear of being compromised because it has no exposed ports, a safe browser, and all 3rd party plugins disabled until I activate them.
    I also have an android phone, and I'm near certain it'll get malware from an advertisement someday, because I have no means of blocking anything. It has nothing to do with the underlying safety of the system, but always the weakest link in the chain.

    • by gstoddart (321705) on Tuesday February 19, 2013 @04:52PM (#42948257) Homepage

      I also have an android phone, and I'm near certain it'll get malware from an advertisement someday, because I have no means of blocking anything.

      AdBlock runs just fine on an Android phone, in case you didn't know. I put it on mine pretty much the day I got it.

    • by AmiMoJo (196126) *

      Chrome for Android is safe. Plugins are click-to-play and you can even disable Javascript. Adblock is available for Android and all apps run sandboxed. It is basically as safe or better than your desktop, the biggest vulnerability being user stupidity.

      • by Lazere (2809091)
        Take a look at your app permissions for me. It doesn't matter that they're sandboxed if they have access to things they shouldn't have access to.
    • by mlts (1038732)

      There are things to do to help mitigate chances of malware on Android, especially if one has root:

      1: There are AdBlock-like utilities available for Android which can actively firewall, add hosts entries, or block on the app layer.

      2: For older versions of the OS, there used to be an app called LBE Privacy Guard, which would prevent apps that wanted full kitchen sink perms from being able to do their dirty deeds.

      3: Some Android ROMs allow permissions to be edited. That way, an app wanting all and sundry m

    • a safe browser

      A what?

      Web browsers are complex software, I would say on about the same level as Oracle's Java implementation, or the Flash plugin. The ones in common use are all written in C++, which is perfectly capable of expressing programs with exploitable security holes in them. I would say that the probability that your web browser is free of exploitable holes is about the same as the probability of that being true of Java or Flash. In other words, I hope waking up from that dream won't be too harsh.

  • by Anonymous Coward

    compromising your privacy and security since 2004...

  • by Anonymous Coward

    I suspect this is an elaborate hoax perpetrated by Microsoft or possibly Google.

    • by Anonymous Coward

      I suspect this is an elaborate hoax perpetrated by Microsoft or possibly Google.

      In a week or two, someone finally manages to throw back the curtain to find... *gasp*.... THE ORIGINAL NEXT CUBE TEAM, back for revenge?!?

      "You thought you were rid of us, didn't you? Jobs thought that, too. And Jobs forgot to buy US out! We're here to take back what's ours!"

  • "The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers"

    I thought Apple disabled Java in the browser months ago?

    • by kthreadd (1558445)

      They block individual versions which are known to be vulnerable. New versions are not blocked unless they are also found to be vulnerable. And if you absolutely want to run a vulnerable version you can just activate it yourself.

      • by Joce640k (829181)

        They block individual versions which are known to be vulnerable.

        At this point in history, can't we assume that's "all of them" and start whitelisting?

  • This is such a delicious day for the tech "press" because despite their constant barrage of warnings to the contrary, Apple viruses have been pretty much non-existent. Sure, OS X has had some vulnerabilities, but they were generally in various Unix packages and daemons, and those same problems generally affected Linux and BSDs and Solaris and so forth.

    Anyway, my question: who the hell uses Java as a browser plugin anyway? On my rigs, it is disabled and has been for years. It's still installed (unlike Fl

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Any IT worker that has to deal with:

      EMC SAN Management
      Brocade SAN Switch Management
      Citrix Netscalers
      Various random pieces of network equipment with horrible GUIs
      etc, etc, etc.

      If a device has a web gui that is doing anything remotely complicated, 99% chance it will require Java. Bonus points if it requires an ancient old version to work.

      • Don't those products all support terminal controls over SSH as well?

        Yeah, though, the state of "enterprise" management tools is pretty sad. These devices go for tens of thousands to perhaps even millions of dollars a pop, and the management software / GUI control options seem like they were created for people who failed elementary school.

        • by mlts (1038732)

          If given the choice of command-line SSH tools versus a broken Java-based web UI, just give the SSH tools. One can write a front-end if they really felt like it then.

          To boot, why is Java even needed these days on the client end? HTML5 + Javascript can do a lot. I can generate RSA keys using JS using aSSL.

          • It's not needed, it's just momentum. After all, the CIO knows from reading Gartner reports that Java is "enterprise-ready" and so that's good enough for him!

            • by mlts (1038732)

              The ironic thing is Java had its chance. Had Sun/Oracle done it right, there would have been no need for Flash or Shockwave, no need for HTML5, and perhaps no need for any other browser extensions, period.

              The fact that a JVM != a JVM is one of the things that killed Java as a usable platform. Had there been some consistency where code running under IBM's JVM would work without issue on Oracle's or Microsoft's, or just even between versions, Java would likely be a must have on today's desktop.

              I wish Oracle

              • I'll go one further for you: Had Sun done it right, there would be no need for Windows or the Macintosh or Android at this point. Java was designed ultimately so that the virtual machine could be swapped out for an actual machine without changing the software and without the user noticing at all. It was supposed to be beautiful, something that would be software and / or hardware agnostic, that would be running on our spaceships 3000 years from now.

                If they would have stuck to the idea of having one unifie

                • by mlts (1038732)

                  Nail, head, hit. It would be a nice world where one didn't have to worry about the underlying architecture, and it could be designed for specific tasks.

                  For example, one set of CPUs would be designed to run bytecode as energy efficiently as possible. When CPU load goes over a threshold, the JVM is passed to another CPU/core set which is optimized for performance. Once the CPU is back under a threshold for a certain amount of time, it goes back to the watt-saver dies.

                  Done right, improvements with computers

              • by Anonymous Coward

                wtf, IBM JVM is real fine, you must be talking about WebSphere version 7 and below. I tried to crash a spring webflow application on tomcat 7 running on the linux 64bit jdk1.7 j9 jvm. And my testing tool crashed at 893 simultaneous users, but the tomcat was only using 168Mb but the system had a load of 187 and the request service time climbed to 30sec but all requests were correctly served. I tried a similar benchmark against a simpler php application and I had to use ulimit -n 4096 before it stopped crashing

    • by AmiMoJo (196126) *

      Correct me if I'm wrong but isn't Java included with the OS? Last time I installed MacOS (IIRC it was Leopard) Java was there and required me to install multiple updates (and reboot after every one). The updates were in the system updater app along with all the OS and Apple app updates.

    • In the business world, there are hordes of 'web based applications' that use java from the browser.
    • by sribe (304414)

      Anyway, my question: who the hell uses Java as a browser plugin anyway?

      Enterprisey bullshit: HR/time tracking apps, medical apps, CRM, and so on...

    • A lot of businesses do conferencing and desktop sharing through java applets so it's more likely companies will be running them than consumers.
    • by scarlac (768893)
      Actually... Everyone in Denmark, thanks to the national authentication system called "EasyID" (translation). It forces people to have Java enabled. Nobody likes it, but we're forced to use it.
    • by gtall (79522)

      Anyone who has to use Oracle forms.

  • by Thrill Science (2845693) on Tuesday February 19, 2013 @04:47PM (#42948183)
    They have since removed this:

    Highly secure by design

    Mac OS X doesn't get PC viruses. And with virtually no effort on your part, Mac OS X protects itself from other malicious applications. It was built for the Internet in the Internet age, offering a variety of sophisticated technologies that help keep you safe from online threats. Because every Mac ships with a secure configuration, you don't have to worry about understanding complex settings. Even better, it won't slow you down with constant security alerts and sweeps. And Apple responds quickly to online threats and automatically delivers security updates directly to your Mac.

    • by Anonymous Coward on Tuesday February 19, 2013 @05:45PM (#42948929)

      And Apple responds quickly to online threats and automatically delivers security updates directly to your Mac.

      I'm sure you're trying to make a point with this post but the thing is that quote is accurate. Especially the last sentence. You see, Apple identified the security issue (third party Java plug ins) and have already released an update that deals with the problem. They didn't wait weeks (or months...) - they responded to the online threat quickly.

      So, while I can guess what point you were trying to make with your post, I must say I don't think you quite succeeded...

  • So it sounds like the newer, Oracle Java 7 SE was the vulnerable hole? Also hasn't that been the case for the last several months' worth of "Java Exploit" headlines?
    I am's be wonderin' .... who need dat Java 7 anyway? What is it's be for?
    I never installed it, just running the good ole' Java 6 SE which lets me run all the crap the interwebs brangs forth towards me.
  • "compromising the server of a popular mobile developer Web forum"

    So far, all of the press reports and statements from those compromised have left off the most important bit of information: WHAT "popular mobile developer Web forum" was used?

    One would imagine this would be important information to disseminate to developers...

  • by mschaffer (97223) on Tuesday February 19, 2013 @05:20PM (#42948617)

    Just say NO to Java.

    • by dkf (304284)

      Just say NO to Java.

      Just say no to Java in the browser. It's ugly, it's resource-hungry, it's insecure. Java's OK for implementing other types of applications, especially server-side, where the security exposure surface profile is rather different, but the browser plugin part has just been trouble for years. (I've had it disabled for years too, along with Flash, not as a security measure but rather to stop excessively annoying ads and other low-value embedded content.)

  • If you can compromise computers across so many companies, including defense contractors which obviously would have access to classified/sensitive information, why would you waste it by attacking Facebook?
    • by tlhIngan (30335)

      If you can compromise computers across so many companies, including defense contractors which obviously would have access to classified/sensitive information, why would you waste it by attacking Facebook?

      Because spamming has relatively low penalties.

      Attack a defense contractor and you have several problems. First is network security - classified stuff is probably on the airgapped network that you can get on, but it's difficult to get off of. Second, you have people monitoring such things and the likelihood

  • I can't find any reference to what the attack actually does. Does it crash the machine? Erase the hard drive? Cause ugly pop-ups? Spam email?

  • Sounds like their aim needs some practice.

  • This wouldn't have happened if Steve was alive!

  • by darkfeline (1890882) on Tuesday February 19, 2013 @08:28PM (#42950845)
    Call me ignorant, but the recent wave of Java bugs, are they Oracle implementation bugs, or problems with the Java specification? Are OpenJDK/IcedTea affected?
  • "This is a new campaign. It's not like the other ones you read about where everyone can tell it's China," the first person said. I'm a bit lost with all the attacks, java security alerts, java patches, java this, java that. Could we give each java alert a feminine first name like we do with tornadoes?
