It looks like Apple's slow approach to security has resulted in a huge malware outbreak because of a previously unpatched Java security problem.
Sometimes it feels like Apple is using Microsoft's lackadaisical security gameplan from ten years ago. Let's hope that this wake-up call will cause them to switch gears in the same way it did Microsoft.
Check to make sure that you've got the latest Java 1.6.0_31 installed.
The update is called "Java for OS X Lion 2012-001" if you're on Lion and "Java for Mac OS X 10.6 Update 7" on Snow Leopard. Note that Java is an optional install for Lion, so you might not even have Java on your system and thus won't need the update.
Here's how to figure out if you're infected:
https://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
-
Good post to help people be aware of what is going on.
I doubt Apple will be changing their tune anytime soon. It took a lot of problems in Windows before Microsoft started changing their strategy, and a long time after that before the changes were reflected in the end products. -
Isn't Java on OS X a special version that you can't install from the java site? I haven't have had updates to it in the last couple of days, nor for the flash that reportedly was being patched for stability 2 weeks ago. I have had only updates to aperture, iphoto, itunes and other apple programs.
-
If you didn't get the update in Software Update in the last few days then you probably don't have Java installed. You can check if that's the case (don't install it unless you need it though). -
I have a MBP, which I sparingly use now since I switched to Win 7, but it still has 10.5 on it. It is only four years old. , Apple? Apple sold me a laptop with 10.5 on it, and I would expect security updates for a four year old laptop. I felt no need to upgrade to 10.6 and 10.7 since I previously had 10.6 on a MBP that I have now sold.
-
kornchild2002 Notebook Deity
So what if there is a hole in Java? There are holes and backdoors to software for every platform. Apple has never once advertised their line of computers as being 100% secure and free from attacks. They simply state that OS X is not affected by Windows malicious content.
-
masterchef341 The guy from The Notebook
Security is very much so a "today-onward" type of field, and the fact is that there are mac malwares and viruses out in the wild means that Apple needs to take security seriously just like everyone else.
Now, in the case of Java, it's deprecated tech. I feel like Apple needs to go ahead and kill it off and let Oracle take over. -
Anyway, here's the full quote from apple.com:
A threat arose and Apple sat on their hands for weeks. Testing and deploying security updates is hard, but it's certainly not eight weeks hard. As an otherwise very happy Apple user the turnaround certainly doesn't impress me.
-
Updated. Thanks for the reminder. I saw the update from Apple last night but I postponed applying it because I was in a Juniper VPn utilizing java secure application mgr and I couldn't just stop what I was doing to apply the patch.
Just updated this morning though after reading this thread.
Thanks -
Apple have released "Java for OS X Lion 2012-002" for Lion.
The only difference between this newer update and the first version is that it fixes some problems with Xcode and the Application Loader tool caused by the first update (better install it anyway). Snow Leopard users don't need this second update. -
These thing is 2 common, advertising and marketing is just what the word means.
Anyways, when do human ever fix stuff before they went wrong? Never -
arg... last time I updated my Mac safari started to crash randomly, random lock ups and some really weird graphics glitches...
security vs stability... ah, I was hopping to have left this trade off for my windows boxes. -
kornchild2002 Notebook Deity
That is what I don't understand. There is a hole in Java, so what? You actually have to install the software (which disguises itself mainly as cover girl photos) in order for the hole to be enacted. So it only takes a little bit of common sense to not be infected (just as when operating under Windows). So why is Apple getting hammered for this when they definitely aren't the only software/hardware company with issues? Anytime this happens to Apple, someone always brings up their marketing slogans ("It just works," and "It doesn't get PC malicious content" are two common ones) and tried to throw it in their faces. Why aren't people doing that to Microsoft or Google every single day when something happens to them? "Making the PC more personal, yeah right! I can't do anything personal on my Windows machine because of the new backdoor trojan that tracks my online entries." -
masterchef341 The guy from The Notebook
First off, the java hole doesn't require any user input. It asks for administrative rights but it will install itself regardless. All you have (had) to do was point your browser to a malicious site and have java installed.
Second, the reason that they are getting hammered is that their particular practices are the reason that 600,000 computers got infected with this thing.
Practice #1: pushing marketing to suggest that macs don't get viruses makes users less cautious and less likely to install anti-virus software
Practice #2: demanding 1st party integration of 3rd party software, and then not releasing critical security fixes in a timely manner.
Other companies don't subscribe to these practices, and that's why Apple is getting hammered. I'm normally the first to point out when events happen and people pull out the Apple-pitchforks, but I actually find Apple responsible for this. -
kornchild2002 Notebook Deity
I am not trying to defend Apple but I just don't see what the big deal is or how this differs from the code out there that attacks millions of Windows users because they clicked on a link to download "sexy Katy Perry pics!" and it ended up installing something else that attacks an exploit in Windows 7 that has been there for a while. I also don't see how it is different from those fake anti-virus programs that constantly fool people on Windows. That happened with OS X but Apple was actually rather quick to fix things and I haven't heard of that software coming back (finding a way around things).
Does this whole thing suck? Yeah. Should Apple change their approach to Java? Probably. Is this the only time something like this has happened? No. Will it be the last time? Absolutely not. Is Apple the only company experiencing problems like this? Hell no. -
Detecting the trojan required running commands via the terminal. For those not comfortable with running the command line executable scripts have created too.
-
If you are running something older than Snow Leopard, you are also out of luck. The patches only work with Snow Leopard and Lion. Lion has two updates and Snow Leopard only one. I am not sure why. -
masterchef341 The guy from The Notebook
It's compounded by the fact that microsoft explicitly recommends that windows users protect themselves with anti-virus software and Apple doesn't discuss security strategies for users, and recommends through advertising that users feel safe and comfortable without anti-virus software.
-
kornchild2002 Notebook Deity
That isn't going to happen though with the mass public. We are talking about people who keep putting money in Adam Sandler's bank for whatever reason. We are talking about people who made Meet The Spartans a financial success.
-
-
-
Apple used to recommend installing antivirus software... it was on their website. As of 10.7 they don't have that up anymore and instead have this page.
Apple - OS X - Security - Keeps you safe from viruses and malware.
that does make people feel more secure, and its technically true... but if you read at the very bottom they admit that no system can be 100% safe. -
i wonder what's the objectives of hackers who develop this virus?
-
The days of clever virus writers battling each other in a game of wits and computer mastery are long over. Today it's just business. -
-
Sometimes, the upgrade doesn't work for older Macs. I think it is apple's way of saying to spend the $$$ and upgrade.
-
Of all the friends, acquaintances and people I've met IRL that own a Mac, I have yet to hear one say what "common" sense would suggest. And they are often puzzled at the fact that I haven't had a virus, trojan or malware on any of my PCs in years. They think either I'm lying or its an anomaly.
Apple has had one of the most if not the most effective marketing campaigns in modern history. And why almost every post graduate business school studies it. -
-
I think the underlying problem is that some don't acknowledged their liking is being bashed?.
for a normal consumer with minimal tech knowledge, I doubt he/she will spend time to research and "defend".
At least I know a dozen of people who only use their iPhone to call out and in only. -
kornchild2002 Notebook Deity
The main issue is with John and Jenny Q public in that they don't stay up to date regardless of what OS they are running. They also tend to just click on anything online if it seems entertaining or to just get a pop-up to go away. Take my grandpa as a prime example. He has a Hotmail account but still opens every single e-mail that he gets before deleting them. He doesn't read the headlines or anything, he just opens them and then decides what he wants to do. Seeing as it is Hotmail, a bunch of SPAM always gets through. I saw him click on a pop-up once without reading it. One of his friends spammed him and he clicked on the link. A small window popped up asking to install something. Instead of clicking Cancel, he just kept clicking OK until the pop-ups stopped.
I have a bunch of other examples like that too involving much younger people. I even know someone who ignores Windows updates until her computer forces them upon her. These are the people that represent the average computer community and they are the ones that are constantly getting infected whether they are running Windows or OS X.
What I don't like is when a specific company is singled out and bashed simply for the sake of bashing while their marketing slogans are thrown back at them as if they are the only company on Earth experiencing the same issues and handling them poorly. That isn't to cut said company any slack or to defend them but rather push people off of their high horses to realize that Microsoft, Google, Sony, Apple, Motorola, HTC, Facebook, IBM, Visa, Wellsfargo, and a countless number of other companies all have software/hardware issues that aren't always patched right away and most completely go against any marketing that they have. That is why I don't like it when someone singles out one company (i.e. Apple) only to mock them with some reverse slogans. Go ahead and complain about what they are doing and how poorly they are handling things. Just don't act like they are the only ones with these types of issues and that their marketing terms should be taken as cold hard fact (I am sure Harry Potter takes issue with Apple calling the iPad a magical device). -
This isn't bashing for the sake of bashing. In fact, it's not even bashing. It's pointing out that Apple's approach to security is far too lackadaisical for a hostile internet anno 2012. That it took Apple close to two months to fix this problem is a simple fact and the lack of speed is certainly not an outlier if you look back over the years. It's entirely Apple's issue to solve, so it's Apple that gets "singled out".
I care deeply about OS X security because I actually use the damn thing on a daily basis both for work and at home (where I unfortunately can't avoid Java because I need it to log on to my bank, do my taxes, etc.).
That Apple's machines "just work" is more than a marketing slogan. It's practically a company mantra and it's what got me to switch six years ago. I like their products so I'm hoping that Apple gets its act together.
The bad practices and lousy track records of others are not an excuse. As an Apple user that doesn't own anything from HTC or Motorola, I care very little about HTC's or Motorola's security issues. I care about Apple's. -
kornchild2002 Notebook Deity
But you are turning around their marketing slogans to try to prove a point. To me, that is the wrong way to go about things. Oh man, it just works! Year right! Tell that to my butt! It is fine to have issues with any company but mocking them isn't going to do any good whatsoever so why even bother trying to make deeper meaning out of something a bunch of marketing people cooked up?
As I said, I was not making excuses for Apple but rather expressing that they aren't the only ones with problems. Hence I don't know why you went about mocking them the way you did. They are far from perfect and their closed door policy often rubs people the wrong way. That is fine. Just don't act like they are committing a mortal sin here. They had an issue and it took a while to fix. I don't think that deserves anything more than a simple update of saying "Hey, Apple released a Java update to OS X, you should download it" instead of "Their marketing is wrong as this is a problem" when the marketing really has nothing to do with this. -
So we can't even criticize the dubious marketing of the apple?
-
-
kornchild2002 Notebook Deity
-
masterchef341 The guy from The Notebook
I stand by my original point, which is basically reduced to this:
- Security is an issue for all commercial operating systems
- Apple is doing it's users a disservice by recommending complacent behavior towards security
The fact that an exploit existed and was taken advantage of is not extremely unusual among operating systems. The fact that Apple doesn't have any security recommendations for it's users other than to feel secure is the primarily problematic phenomenon. -
kornchild2002 Notebook Deity
Correct. The main difference, in this regard, between MS and Apple is that Windows will pester the end-user until they install an anti-virus program and OS X doesn't do anything along those lines. Furthermore, Apple normally doesn't acknowledge security issues until they actually have a solution whereas MS will acknowledge them and tell people they are working on a fix.
-
Mr_Mysterious Like...duuuuuude
If I may interject to offer my humble opinion...
All of you definitely have valid points, but I have to agree with kornchild here. Attacking apple's marketing is not the solution here, or even a good idea. Why? Because apple is hardly alone in their marketing strategies; they are not the only company to hail their product as the end-all, cure-all, infallible machine. How the public interprets their ads and the 'cult-like following' is just a result of it's execution in this competitive field.
Don't get me wrong, I am extremely biased against apple, (although truth be told I am typing this on my new iPad 3), but only because of their ridiculous pricing scheme and the lack of common sense in many of their customers. Their products themselves are smartly implemented and designed, and are solid overall.
But getting back on topic: bashing and malware. Despite apple's efforts (or lack of it) in the security field, it was just a matter of time before iOS got viruses, especially with a rapidly growing list of victims. What I do not agree with, however, are the opinions of apple zombies (who typically know very little about laptops and laptop technology, unlike my fellow NBR'ers here), who steadfastly insist that their Mac (or whatever) is infallible. Or even people who say that "macs get less viruses, ergo they are safer". Wrong. Macs are like any other computers, they have weaknesses that can be exploited.
Mr. Mysterious -
iOS has viruses?
-
-
Since when is Java available for iOS? Do you have to jailbreak it?
-
-
Mr_Mysterious Like...duuuuuude
Technically not a typo since it has long been Apple's dream to integrate all of their different OSes into one cohesive whole
Mr. Mysterious -
My thoughts on this is Apple is as much to blame for what happened as those who ignored the warnings. As Korn said their is NO operating system that is secure proof. As a former Mac user, I remember individuals getting laughed out of forums when security and AV was brought up on a Mac.
And I do believe Apple played the virus marketing game to their advantage. I remember back in 2003 when I bought my second iMac that OS X did not crash, was hack proof, and was not vulnerable to viruses.
I'm of the belief that back then Apple was largely ignored because a) too small a market share and b) they were the underdog in the industry.
Today both reasons a) and b) have changed especially reason b). Apple now has the distinction of being the largest and most valuable tech company in the world. My prediction is more of this stuff is coming down the pipe. AV and security should not be ignored on any system including OS X. -
Does anyone have a recommendation on good third party anti-malware software that provides real-time protection and has minimal impact on system resources?
-
-
kornchild2002 Notebook Deity
Sophos also automatically updates itself quite often (about once every day or every other day) and stays ahead of the game. Back when Mac Keeper was infecting people, Sophos was able to stop and remove it before Apple issued an OS X patch. I believe the same holds true for this Java exploit. It will even catch Windows malware/viruses/whatever despite their inability to actually infect OS X.
-
EDIT: Again, thanks for the recommendation. The real time protection does not impact the system too noticeably. Sophos is definitely not as well developed as Win 7 solutions (the full scan takes forever vis-a-vis MSE and others and there does not appear to be a quick scan option), but I am guessing that third party developers do not spend as much time on anti-malware software for the Mac. Regardless, I plan on keeping Sophos on this Mac. -
I got the malware and I'm not real happy about the delay. I just read today that 650,000 Macs may be infected ( BBC link). As Apple's market share increases, they're going to have to be more vigilant.
What really worries me are viruses and malware on iOS and Android. Given the number of devices in use they have to be big targets. -
@dmk2:
Yeah, though I don't use my Mac that often, I wasn't happy that Apple didn't even patch my laptop with 10.5 which is only four years old. My Mac was clean, but I decided to disable Java in Chrome (primary browser) and Safari and install Sophos. I was initially going to use the laptop strictly offline since it is really just a backup, but then I realized that was stupid given how much money I had spent on it.
Update Java if you haven't already. There's a pretty nasty, widespread malware infection going on.
Discussion in 'Apple and Mac OS X' started by preview, Apr 5, 2012.