Apple Updates Java To Include Flashback Removal

Fluffeh writes "In the third update to Java that Apple has released this week, the update now identifies and removes the most common variants of the Flashback malware that has infected over half a million Apple machines. 'This Java security update removes the most common variants of the Flashback malware,' Apple wrote in the support document for the update. 'This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.'"

Re:No way!

[Kenja]

Macs don't get viruses!

Almost no computer gets viruses anymore. Trojans & malware on the other hand...

Re:immature=no java

[ColdWetDog]

PDF's are handled internally by Preview.app. It doesn't have the functionality of Acrobat reader but it also doesn't have the attack surface.

Re:immature=no java

[BasilBrush]

No, the fix to the problem was to ship the latest Java build which had closed the vulnerability. And then to follow that up with an update that removed any infection already there.

Java is deprecated. As a development platform for OSX it was deprecated going on for a decade ago. And as a platform supported by Apple, back in 2010. With the current version of OSX it doesn't even ship as standard. It only gets downloaded and installed for the minority of people that actually use some software that needs it.

Nevertheless, the only part that is getting switched off when it's not been used for a while is the browser plugin. And reenabling it if required is easy.

Basically it's a bit like Flash - being helped on the road to complete obsolescence because it's not needed and tends to have vulnerabilities.

Perfectly sensible.

Re:immature=no java

[BasilBrush]

What, you mean a new feature? Wikipedia is your friend, there's a long list of new features for every major OSX version.
e.g.
http://en.wikipedia.org/wiki/Osx_lion [wikipedia.org]

Re:immature=no java

[tlhIngan]

I agree what they should have done is remove java entirely.

They did. Java and Flash have no longer been shipped with OS X for ages now. The primary reason is people keep reinstalling OS X and thus those vulnerable versions. Far better to let the user download and install the latest and greatest from Adobe and Oracle.

Final Cut Pro X is a recent example. they added some interesting stuff if you're shooting multi-cam, and broke EDL, XML, backward compatibility, the ability to share projects and removed Color entirely.

Well, Final Cut Pro X is a completely new rewrite. Apple's tradition is new rewrites of software is to get the basics working rock solid first, then add back missing features. This has been true since OS X was first released and didn't have half the stuff (e.g., DVD player) that OS 9 it shipped with also had. It happened again with QuickTime X - there's a reason why OS X supported a dual install of QT X and QT 7. FCP X is more of the same. They also retargeted it for prosumers rather than pros And yes, they still sell FCP 7 - but only by phone sales.

hardware wise... if they could remove the home, power and volume buttons they would. they lost me as a supporter when they removed the "reset" button - an arrogant statement that their (then OS 8.6) machines will never crash and hence never need the kill button. had to wrench the fuckers out of the wall. God help you if you had a laptop.

Does a modern PC have a reset button these days? Most of the time if it hard locks, you hold the power button a few seconds and it turns off. You then hit it again to turn it on. Reset's kinda useless since most people found they needed to mollyguard their PCs. Hell, an office full of white box PCs on the floor is a tempting target around family days - little buggers go running off and pushing all the buttons on a PC, including reset. Anyhow, old Macs had them, but they were pin-holes to prevent exactly that sort of problem. (You needed it if you wanted to get into the debugger).

Re:immature=no java

[cbhacking]

As of 2010, Adobe Reader was kicking Preview's ass on security. No, that's not a joke. Nor is it fanboyism; I don't use either one. It's just a plain and simple fact. The probable reason? Adobe, like Microsoft, has had many years of being a high-profile target, and has put a lot of effort into finding and fixing security bugs. Apple, quite frankly, has not.

http://net-security.org/secworld.php?id=9725 [net-security.org]
Watch the second video, and jump ahead to 8:57 (almost the end) if you want a simple comparison.

For the lazy, here's the basic facts: Preview had from the same set of 1400 PDFs downloaded from the web, run through a mutational fuzzer to produce 2.8 million test files. Preview had 7 times as many unique crashes as Adobe Reader, and at least 3 times (more realistically, probably 10 times; at worst, 20 times) as many exploitable bugs.

When a guy like Charlie Miller (very well-respected security researcher) can find 7 security bugs in Apple's code for each one he finds in Adobe's (using the exact same test cases), Apple has a serious security problem.