Update Java if you haven't already. There's a pretty nasty, widespread malware infection going on.

It looks like Apple's slow approach to security has resulted in a huge malware outbreak because of a previously unpatched Java security problem.

Sometimes it feels like Apple is using Microsoft's lackadaisical security gameplan from ten years ago. Let's hope that this wake-up call will cause them to switch gears in the same way it did Microsoft.

Check to make sure that you've got the latest Java 1.6.0_31 installed.

The update is called "Java for OS X Lion 2012-001" if you're on Lion and "Java for Mac OS X 10.6 Update 7" on Snow Leopard. Note that Java is an optional install for Lion, so you might not even have Java on your system and thus won't need the update.

Here's how to figure out if you're infected:
https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

 

Good post to help people be aware of what is going on.

I doubt Apple will be changing their tune anytime soon. It took a lot of problems in Windows before Microsoft started changing their strategy, and a long time after that before the changes were reflected in the end products.

 

Isn't Java on OS X a special version that you can't install from the java site? I haven't have had updates to it in the last couple of days, nor for the flash that reportedly was being patched for stability 2 weeks ago. I have had only updates to aperture, iphoto, itunes and other apple programs.

 

The difference is that Microsoft never advertised that their products "just work" using ad copy like "One thing a Mac doesn’t do: Get PC viruses.". I hope they take a big PR hit for this carelessness.

For the time being, yes. That'll change with Java 7, but for now it's all on Apple which is why it took eight weeks to fix the hole.

If you didn't get the update in Software Update in the last few days then you probably don't have Java installed. You can check if that's the case (don't install it unless you need it though).

 

I have a MBP, which I sparingly use now since I switched to Win 7, but it still has 10.5 on it. It is only four years old. , Apple? Apple sold me a laptop with 10.5 on it, and I would expect security updates for a four year old laptop. I felt no need to upgrade to 10.6 and 10.7 since I previously had 10.6 on a MBP that I have now sold.

 

What they are saying is technically true. PC has (and will remain to be) a term used to describe computers running Windows. It started that way back in the day (even before I was born) when IBM introduced models to differentiate itself from the Apple and Apple IIe crowds. It continues into today even though Macs are still technically PCs (even iOS devices can be called PCs). Macs running OS X do not get Windows viruses and vice versa. Seeing as the majority of viral, malware, adware, and malicious content out there is programmed for Windows, I would say it is a pretty big advertising point for Apple.

So what if there is a hole in Java? There are holes and backdoors to software for every platform. Apple has never once advertised their line of computers as being 100% secure and free from attacks. They simply state that OS X is not affected by Windows malicious content.

And? It has taken Microsoft and Google just as long (if not longer) to plug holes in their software. There is still a backdoor for Word 2011 on OS X that Microsoft hasn't fixed. Updates like this can't roll out overnight as they have to be extensively tested to make sure they work. Sure, two months seems like a long time and that might be the case. I have waited longer for updates though. MS in particular used to take 3-4 months to patch stuff up in Windows XP when my antivirus would take care of it right away. What about the holes floating around in Android? They have been there for years now and Google still hasn't done anything. Like I said, it's nothing new in the world of software.

 

Okay, but this means that the advertising point is completely meaningless. Macs don't get PC-only viruses, but they do get crossplatform viruses that target crossplatform technologies like Java, and they get Mac viruses instead of windows-only viruses. It really doesn't matter that there is a lot of malware that targets windows historically, because old security holes are all patched. It makes no difference one way or the other.

Security is very much so a "today-onward" type of field, and the fact is that there are mac malwares and viruses out in the wild means that Apple needs to take security seriously just like everyone else.

Now, in the case of Java, it's deprecated tech. I feel like Apple needs to go ahead and kill it off and let Oracle take over.

 

An IBM PC running DOS (or Linux or OS/2 or whatever) is/was still a PC, because it isn't a mainframe or a terminal and is a computer used by an end-user. You said it yourself; the term pre-dates Windows. The definition was thought up by Apple's marketing department to distinguish their products from the competition. Apple abandoning PPC for x86 makes the distinction even sillier.

Anyway, here's the full quote from apple.com:

Joe Potential Apple-customer will read the above ad copy as a statement that OS X is safe and that he shouldn't do anything for his computer to stay that way. It's probably also what the Apple store will tell him.

A threat arose and Apple sat on their hands for weeks. Testing and deploying security updates is hard, but it's certainly not eight weeks hard. As an otherwise very happy Apple user the turnaround certainly doesn't impress me.

Comparing it to Microsoft from ten years ago is my exact point. Why's Apple not doing things like the present day Microsoft, who actually takes security seriously? Apple took some important steps towards this goal with Lion (and Snow Leopard to a lesser extent), but there's still a ways to go.

What everyone else is doing is absolutely not an excuse. The internet would be pretty dastardly place to be on if, say, Adobe's security practices were to set the bar for the rest of the industry.

 

Updated. Thanks for the reminder. I saw the update from Apple last night but I postponed applying it because I was in a Juniper VPn utilizing java secure application mgr and I couldn't just stop what I was doing to apply the patch.

Just updated this morning though after reading this thread.

Thanks

 

Apple have released "Java for OS X Lion 2012-002" for Lion.

The only difference between this newer update and the first version is that it fixes some problems with Xcode and the Application Loader tool caused by the first update (better install it anyway). Snow Leopard users don't need this second update.

 

These thing is 2 common, advertising and marketing is just what the word means.

Anyways, when do human ever fix stuff before they went wrong? Never

 

arg... last time I updated my Mac safari started to crash randomly, random lock ups and some really weird graphics glitches...

security vs stability... ah, I was hopping to have left this trade off for my windows boxes.

 

Actually, that was a term brought up outside of Apple for the competition to distinguish themselves from what others were doing. It wasn't something Apple invented for marketing terms but rather by IBM for their personal computer (released in 1981). The term IBM PC was later adopted by many others showing that their systems were compatible with what the IBM Personal Computer was doing. That changed when IBM adopted Windows as their OS so that the general public started using it to describe machines running Windows. Apple just chose not to use the term PC and stick with "Mac" for their computers. The use of PPC and the x86 (and x86-64) platform has absolutely nothing to do with the term PC.

Apple takes their security seriously too, they just aren't as open about it as MS. Apple has always had a closed door approach to the inner workings of their products. That is how things were in the 80's and they will continue to be that way until the world ends. I am also not making excuses for Apple, I am simply pointing out that their software has issues too just like everyone else. The only difference between Apple and the others is that when a backdoor/hole/whatever is discovered for Apple software, the electronics world tends to throw their arms up in the air and belittle Apple to no end acting as if the world has ended and Apple should be ashamed of what has happened. Hell, if everyone acted like that when a threat to Windows was discovered, MS would have been out of the business 14 years ago.

That is what I don't understand. There is a hole in Java, so what? You actually have to install the software (which disguises itself mainly as cover girl photos) in order for the hole to be enacted. So it only takes a little bit of common sense to not be infected (just as when operating under Windows). So why is Apple getting hammered for this when they definitely aren't the only software/hardware company with issues? Anytime this happens to Apple, someone always brings up their marketing slogans ("It just works," and "It doesn't get PC malicious content" are two common ones) and tried to throw it in their faces. Why aren't people doing that to Microsoft or Google every single day when something happens to them? "Making the PC more personal, yeah right! I can't do anything personal on my Windows machine because of the new backdoor trojan that tracks my online entries."

 

First off, the java hole doesn't require any user input. It asks for administrative rights but it will install itself regardless. All you have (had) to do was point your browser to a malicious site and have java installed.

Second, the reason that they are getting hammered is that their particular practices are the reason that 600,000 computers got infected with this thing.

Practice #1: pushing marketing to suggest that macs don't get viruses makes users less cautious and less likely to install anti-virus software

Practice #2: demanding 1st party integration of 3rd party software, and then not releasing critical security fixes in a timely manner.

Other companies don't subscribe to these practices, and that's why Apple is getting hammered. I'm normally the first to point out when events happen and people pull out the Apple-pitchforks, but I actually find Apple responsible for this.

 

I am not trying to defend Apple but I just don't see what the big deal is or how this differs from the code out there that attacks millions of Windows users because they clicked on a link to download "sexy Katy Perry pics!" and it ended up installing something else that attacks an exploit in Windows 7 that has been there for a while. I also don't see how it is different from those fake anti-virus programs that constantly fool people on Windows. That happened with OS X but Apple was actually rather quick to fix things and I haven't heard of that software coming back (finding a way around things).

Does this whole thing suck? Yeah. Should Apple change their approach to Java? Probably. Is this the only time something like this has happened? No. Will it be the last time? Absolutely not. Is Apple the only company experiencing problems like this? Hell no.

 

Detecting the trojan required running commands via the terminal. For those not comfortable with running the command line executable scripts have created too.

Source: Mobile Raptor: How to check if you Mac has the Flashback Botnet trojan

 

Apple was slow actually. Oracle released the Java update for Windows machines back in February 14, 2012. Apple maintains it own version of Java, and their update was released on April 4, 2012.

If you are running something older than Snow Leopard, you are also out of luck. The patches only work with Snow Leopard and Lion. Lion has two updates and Snow Leopard only one. I am not sure why.

 

It's compounded by the fact that microsoft explicitly recommends that windows users protect themselves with anti-virus software and Apple doesn't discuss security strategies for users, and recommends through advertising that users feel safe and comfortable without anti-virus software.

 

I can see how that is problematic for people, especially the general public who are often way too trusting and/or naive. I think for the most part, if someone applies a little bit of common sense, they don't really need an anti-virus setup for OS X. I have one just to be on the safe side. I also have a Windows VM that I don't want infected and my computer constantly comes in contact with others that I know are using outdated anti-virus programs. The main issue is that people need to actually read Apple's advertising and then realize what it means. When Apple says "it doesn't get PC viruses," people often read that as "it doesn't get viruses and is 100% perfect lolz" when that isn't the case. If someone were to apply a little common sense, they would realize what the statement is trying to get across.

That isn't going to happen though with the mass public. We are talking about people who keep putting money in Adam Sandler's bank for whatever reason. We are talking about people who made Meet The Spartans a financial success.

I was talking about the whole Mac Keeper thing that swept through the Apple community last year. If I remember correctly, it took Apple a few weeks to clear that up and it hasn't been problematic since.

 

Thanks for the link. Still annoyed, however, that Apple won't be updating my four year old laptop.

 

I think it's ironic that thousands are probably running unknown and untrusted scripts because they are afraid of malware. Mashable's script is hosted off of a strange .me domain, which (if you squint your eyes) is close enough to a .biz or .ru domain and that makes this even funnier.

The safest thing at this point is probably to turn Java off in your browser. In Safari you can do this by going to Preferences > Security and unchecking the Java checkbox.

 

Apple used to recommend installing antivirus software... it was on their website. As of 10.7 they don't have that up anymore and instead have this page.
Apple - OS X - Security - Keeps you safe from viruses and malware.
that does make people feel more secure, and its technically true... but if you read at the very bottom they admit that no system can be 100% safe.

 

i wonder what's the objectives of hackers who develop this virus?

 

A giant botnet is worth a lot of money if you sell it to the right people (ie. people of low moral fiber like the mob or various three letter agencies).

The days of clever virus writers battling each other in a game of wits and computer mastery are long over. Today it's just business.

 

Thanks for tip. I checked in Terminal, and I was in the clear. However, I plan on just using this laptop offline from now on especially since I'm not confident at all that Apple will ever patch 10.5 again. In all honesty, I probably should just spend the $30, but I don't out of principle.

 

Sometimes, the upgrade doesn't work for older Macs. I think it is apple's way of saying to spend the $$$ and upgrade.

 

Well, with Apple's cult-like following, like any religion, adherents loathe to acknowledge flaws and would first seek to engage in a sort of apologetic before admitting to a flaw.

Of all the friends, acquaintances and people I've met IRL that own a Mac, I have yet to hear one say what "common" sense would suggest. And they are often puzzled at the fact that I haven't had a virus, trojan or malware on any of my PCs in years. They think either I'm lying or its an anomaly.

Apple has had one of the most if not the most effective marketing campaigns in modern history. And why almost every post graduate business school studies it.

 

Thats the typical mindset of the Apple Bashers... so I'm surprised I'd read that here. The truth is that Apple users complain left and right about Apples software... your talking about a vast minority that is anything cult-like. But even non cult-like followers of course will not just acknowledge flaws without some sort of apologetic first... why would they? Anytime the thing you like is being bashed, you first check out the situation, research it, and if you don't agree with what someone else is saying and want to defend your position, state your evidence as to why... which is pretty much what an apologetic is.

 

I think the underlying problem is that some don't acknowledged their liking is being bashed?.
for a normal consumer with minimal tech knowledge, I doubt he/she will spend time to research and "defend".

At least I know a dozen of people who only use their iPhone to call out and in only.

 

I think the cult member minority you are talking about is actually larger than you realize. I don't think they represent the majority of Apple users but they are still pretty large in size. I come across two almost everyday of every week and there are still meetings of Mac users (just iPod, iPad, and iPhone users aren't allowed, you have to actually own a Mac) who continue the cult status about once a month where I live.

The main issue is with John and Jenny Q public in that they don't stay up to date regardless of what OS they are running. They also tend to just click on anything online if it seems entertaining or to just get a pop-up to go away. Take my grandpa as a prime example. He has a Hotmail account but still opens every single e-mail that he gets before deleting them. He doesn't read the headlines or anything, he just opens them and then decides what he wants to do. Seeing as it is Hotmail, a bunch of SPAM always gets through. I saw him click on a pop-up once without reading it. One of his friends spammed him and he clicked on the link. A small window popped up asking to install something. Instead of clicking Cancel, he just kept clicking OK until the pop-ups stopped.

I have a bunch of other examples like that too involving much younger people. I even know someone who ignores Windows updates until her computer forces them upon her. These are the people that represent the average computer community and they are the ones that are constantly getting infected whether they are running Windows or OS X.

What I don't like is when a specific company is singled out and bashed simply for the sake of bashing while their marketing slogans are thrown back at them as if they are the only company on Earth experiencing the same issues and handling them poorly. That isn't to cut said company any slack or to defend them but rather push people off of their high horses to realize that Microsoft, Google, Sony, Apple, Motorola, HTC, Facebook, IBM, Visa, Wellsfargo, and a countless number of other companies all have software/hardware issues that aren't always patched right away and most completely go against any marketing that they have. That is why I don't like it when someone singles out one company (i.e. Apple) only to mock them with some reverse slogans. Go ahead and complain about what they are doing and how poorly they are handling things. Just don't act like they are the only ones with these types of issues and that their marketing terms should be taken as cold hard fact (I am sure Harry Potter takes issue with Apple calling the iPad a magical device).

 

Excuse me?

This isn't bashing for the sake of bashing. In fact, it's not even bashing. It's pointing out that Apple's approach to security is far too lackadaisical for a hostile internet anno 2012. That it took Apple close to two months to fix this problem is a simple fact and the lack of speed is certainly not an outlier if you look back over the years. It's entirely Apple's issue to solve, so it's Apple that gets "singled out".

I care deeply about OS X security because I actually use the damn thing on a daily basis both for work and at home (where I unfortunately can't avoid Java because I need it to log on to my bank, do my taxes, etc.).

That Apple's machines "just work" is more than a marketing slogan. It's practically a company mantra and it's what got me to switch six years ago. I like their products so I'm hoping that Apple gets its act together.

I'm not X, but... X?

The bad practices and lousy track records of others are not an excuse. As an Apple user that doesn't own anything from HTC or Motorola, I care very little about HTC's or Motorola's security issues. I care about Apple's.

 

But you are turning around their marketing slogans to try to prove a point. To me, that is the wrong way to go about things. Oh man, it just works! Year right! Tell that to my butt! It is fine to have issues with any company but mocking them isn't going to do any good whatsoever so why even bother trying to make deeper meaning out of something a bunch of marketing people cooked up?

As I said, I was not making excuses for Apple but rather expressing that they aren't the only ones with problems. Hence I don't know why you went about mocking them the way you did. They are far from perfect and their closed door policy often rubs people the wrong way. That is fine. Just don't act like they are committing a mortal sin here. They had an issue and it took a while to fix. I don't think that deserves anything more than a simple update of saying "Hey, Apple released a Java update to OS X, you should download it" instead of "Their marketing is wrong as this is a problem" when the marketing really has nothing to do with this.

 

So we can't even criticize the dubious marketing of the apple?

 

Mashable says they prepared the scripts... but I checked my computer running the Terminal myself.

 

I just don't see what the point of trying to turn around the marketing like that for any company, not just Apple. It doesn't do any good and it isn't going to help anything. Poke fun at? Sure. Disagree with? Alright. Turn around because they have a problem that everyone else does? What's the point? That is what I don't understand or agree with especially since Apple isn't the only one experiencing these types of problems.

 

I stand by my original point, which is basically reduced to this:

- Security is an issue for all commercial operating systems
- Apple is doing it's users a disservice by recommending complacent behavior towards security

The fact that an exploit existed and was taken advantage of is not extremely unusual among operating systems. The fact that Apple doesn't have any security recommendations for it's users other than to feel secure is the primarily problematic phenomenon.

 

Correct. The main difference, in this regard, between MS and Apple is that Windows will pester the end-user until they install an anti-virus program and OS X doesn't do anything along those lines. Furthermore, Apple normally doesn't acknowledge security issues until they actually have a solution whereas MS will acknowledge them and tell people they are working on a fix.

 

If I may interject to offer my humble opinion...

All of you definitely have valid points, but I have to agree with kornchild here. Attacking apple's marketing is not the solution here, or even a good idea. Why? Because apple is hardly alone in their marketing strategies; they are not the only company to hail their product as the end-all, cure-all, infallible machine. How the public interprets their ads and the 'cult-like following' is just a result of it's execution in this competitive field.

Don't get me wrong, I am extremely biased against apple, (although truth be told I am typing this on my new iPad 3), but only because of their ridiculous pricing scheme and the lack of common sense in many of their customers. Their products themselves are smartly implemented and designed, and are solid overall.

But getting back on topic: bashing and malware. Despite apple's efforts (or lack of it) in the security field, it was just a matter of time before iOS got viruses, especially with a rapidly growing list of victims. What I do not agree with, however, are the opinions of apple zombies (who typically know very little about laptops and laptop technology, unlike my fellow NBR'ers here), who steadfastly insist that their Mac (or whatever) is infallible. Or even people who say that "macs get less viruses, ergo they are safer". Wrong. Macs are like any other computers, they have weaknesses that can be exploited.

Mr. Mysterious

 

iOS has viruses?

 

Forget viruses. The larger issue seems to be that iOS has Java...

 

Since when is Java available for iOS? Do you have to jailbreak it?

 

It isn't. I was making fun of Mr_Mysterious' typo.

 

Technically not a typo since it has long been Apple's dream to integrate all of their different OSes into one cohesive whole

Mr. Mysterious

 

My thoughts on this is Apple is as much to blame for what happened as those who ignored the warnings. As Korn said their is NO operating system that is secure proof. As a former Mac user, I remember individuals getting laughed out of forums when security and AV was brought up on a Mac.

And I do believe Apple played the virus marketing game to their advantage. I remember back in 2003 when I bought my second iMac that OS X did not crash, was hack proof, and was not vulnerable to viruses.

I'm of the belief that back then Apple was largely ignored because a) too small a market share and b) they were the underdog in the industry.

Today both reasons a) and b) have changed especially reason b). Apple now has the distinction of being the largest and most valuable tech company in the world. My prediction is more of this stuff is coming down the pipe. AV and security should not be ignored on any system including OS X.

 

Does anyone have a recommendation on good third party anti-malware software that provides real-time protection and has minimal impact on system resources?

 

Sophos works great like that for me... and the Mac version for personal home use is free!

 

Sophos also automatically updates itself quite often (about once every day or every other day) and stays ahead of the game. Back when Mac Keeper was infecting people, Sophos was able to stop and remove it before Apple issued an OS X patch. I believe the same holds true for this Java exploit. It will even catch Windows malware/viruses/whatever despite their inability to actually infect OS X.

 

Thanks. I will definitely try it out.

EDIT: Again, thanks for the recommendation. The real time protection does not impact the system too noticeably. Sophos is definitely not as well developed as Win 7 solutions (the full scan takes forever vis-a-vis MSE and others and there does not appear to be a quick scan option), but I am guessing that third party developers do not spend as much time on anti-malware software for the Mac. Regardless, I plan on keeping Sophos on this Mac.

 

I got the malware and I'm not real happy about the delay. I just read today that 650,000 Macs may be infected ( BBC link). As Apple's market share increases, they're going to have to be more vigilant.

What really worries me are viruses and malware on iOS and Android. Given the number of devices in use they have to be big targets.

 

@dmk2:

Yeah, though I don't use my Mac that often, I wasn't happy that Apple didn't even patch my laptop with 10.5 which is only four years old. My Mac was clean, but I decided to disable Java in Chrome (primary browser) and Safari and install Sophos. I was initially going to use the laptop strictly offline since it is really just a backup, but then I realized that was stupid given how much money I had spent on it.