Apple security team touches down on Planet Earth!

Filed Under: Apple, Featured, Java, Malware, Oracle

Apple's top-level starting page for security updates, the well-thumbed KB article HT1222, still contains its traditional blunt dismissal:

For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.

But someone in Apple has broken ranks following the recent revelations of a Jolly Big OS X botnet, featuring a Java exploit (Exp/20120507-A) and the now-much-talked-about OSX/FlshPlyr-D malware.

Huzzah!

In KB article HT5244, Apple has - apparently for the very first time! - talked about a security problem before it had all its threat response ducks in a row:

Apple is developing software that will detect and remove the Flashback malware.

Good news.

Incidentally, some Apple apologists are still keen for us to exonerate Apple and lump the blame on Oracle.

Arik Hesseldahl, over at AllThingsD, for example, headlined one of his reports on this outbreak with: "What’s This? A Mac Virus? No, Actually It’s a Weakness in Java."

Actually, Arik, it's both. (If you allow me the word virus to mean malware in general, which is how most of the world uses it today.)

It's an exploitable vulnerability in Java, and it's a piece, or rather a family, of Mac malware.

Arik even goes on to explain that the malware "targets a vulnerability in software that is not even an Apple product: Java." Unfortunately, if you have Java on OS X then it pretty much is an Apple product.

Java is part of OS X 10.6 and earlier; it's an official Apple add-on for 10.7. So you can't apply Oracle's updates. Oracle may be the manufacturer, but Apple's the vendor, and you have to wait for Apple's fix.

Sadly, in this case, Exp/20120507-A was still, technically speaking, a zero-day exploit on OS X some six weeks after it was patched for other operating systems.

Bad luck, this time, for Mac users, but perhaps good news in the long-term.

If nothing else, Apple's security team has touched down on Planet Earth. Apple seems to have decided that sharing information early - even if it's only to say, "We haven't quite finished our technical responses yet, but here's what to do in the meantime" - is better for everyone.

Better for you, for me, and for Apple!

Some observations

* Patching Java doesn't, on its own, prevent you getting infected by this or any other malware. It makes it much less likely that this outbreak will affect your Mac, but it closes only one of many possible doors of entry for malicious code.

* HT5244 says that "for Macs running Mac OS X v10.5 or earlier, you can better protect yourself from this malware by disabling Java in your web browser(s) preferences." Actually, there isn't any other way to close the Java hole. Apple hasn't provided a patch for users of 10.5 or earlier, and isn't saying if it will ever do so.

* Patching Java doesn't mean you aren't already infected. So if you're not sure, you can wait for Apple's Flashback-fixer software to come out, or you can use a product which already detects and cleans it. (Sophos Anti-Virus for Mac Home Edition will do the trick.)


PS. For those of you inclined to let rip in the comments that I'm only discussing Mac malware, and talking up the risks, because we happen to have a free product to "sell" you, please consider an alternative explanation. Perhaps the reason we have a free product to "sell" is because we think there is a genuine risk?


20 Responses to Apple security team touches down on Planet Earth!

  1. Deborah · 924 days ago

    I have had the peace of mind of using your mac anti-virus program for some time now. But I have a sort of dumb-non-techie question: If I disable Java, will it affect things that I use like games that use flash player, etc. I mean if I don't need it for some things, why is it even there?

    • Paul Ducklin · 924 days ago

      Java and Flash are two quite different technologies - the former from Oracle (previously Sun); the latter from Adobe.

      Disabling Java will not affect Flash - so you can still watch YouTube videos :-)

      As @Guse points out below, website components which need Java will be obvious if you have turned Java off - you'll see a coffee cup (Java? Geddit?) and probably a notification that Java is required.

      Then you have to decide: is the feature you're missing worth re-enabling Java for?

      • Charles Dale · 924 days ago

        I have been using Sophos for Mac for awhile now and I just checked. I have version 7.3.10C. I clicked on Update Now and it says it is updated but I do not have version 8. Can you please tell me why and what I should do?

        New Version 8 now available! Even more full-featured with scheduled scanning, Live Anti-Virus and a new look and feel. If you're an existing user, you don't need to do anything—you'll be updated automatically.

        Thank you,
        Charles Dale

        • Paul Ducklin · 924 days ago

          As far as I recall, home users will be automatically upgraded from 7 to 8 sometime during the month of May. You'll know that has happened because the shield in the menu bar will change from a solid icon to the outline of a shield with a stylised "S" in it (part of the new look :-)

          If you would like to be an early adopter, though, you are most welcome - just download again from http://www.sophos.com/freemacav and run the installer yourself (you will know it's version 8 from the filename, savosx_80_he.dmg).

          You don't need to uninstall the old version first. (And no reboot required.)

          Enjoy!

          • Charles Dale · 924 days ago

            Thank you so much. I also received your e-mail with this answer. I sent that to you before you posted this answer. Thanks for answering my question 2X. I will wait till May just in case there are any bugs in Version 8 that may or may not need to be worked out.

            Keep up the good work.

    • Peter J Taylor · 924 days ago

      I disabled Java in both Firefox and Safari on my iMac PPC G5 OS 10.4.11 Tiger as soon as I read that this might be a solution.
      A few minutes later I wanted to use eBay, which would not work without Java. Then I wanted to order some Emma Bridgewater pottery online, and their site required Javascript.
      If one has to keep switching Java on and off, this solution will only work some of the time, and it is a time waster. Free SAV provides an uninterrupted solution.

      • Java and JavaScript are different things.

        Chances are that the pottery website you visited needed JavaScript not Java. So disabling Java probably wouldn't have caused problems.

      • In Safari 5, you can disable Java here:
        Safari -> Preferences -> Security -> Enable Java
        (you don't need to disable JavaScript).

        In Firefox 11, you can disable Java here:
        Tools -> Add-ons -> Plugins -> Java Applet Plug-in -> Disable

  2. Guse · 924 days ago

    Deborah,

    I don't imagine that your life will be too adversely affected by disabling it entirely, but be prepared to have some things just not work anymore. You'll get the coffee cup icon, so you'll know why, but all-in-all it's not an Internet-breaking decision.

  3. Ron Cook · 924 days ago

    Deborah, from what I could find in a quick search Flash Player does not require Java.

    It has its own virtual machine which is not Java-related.

    Some applications such as Libre Office use Java for implementing portions of the application.
    LO, for example, requires Java for its database module "Base".

    • Paul Ducklin · 924 days ago

      You can turn off Java in your browser (this disables applets, as they're called when delivered and run inside the browser) whilst leaving it installed for hard-disk-based Java software (applications).

      That might be a good halfway house if you have installed software which needs Java, but want to shield your browser from on-the-fly Java applets delivered in web pages.

  4. Tom · 924 days ago

    Not an Apple user, but I know a lot of the current backup tools seem to be using Java at the backend, presumably because it makes cross platform coding an awful lot easier - Wuala, CrashPlan, SpiderOak all do off the top of my head, probably plenty of others.

  5. Paul · 924 days ago

    Minecraft uses java, just as an example of a very popular program that uses java.

    • Eli · 924 days ago

      Yes, but running a Java app and disabling Java in your browser are two different things.

  6. Tim Gowen · 924 days ago

    I've had the Sophos product running on my Mac since it was released and all it's ever found is Windows viruses in e-mailed messages which are faked from various banks.

    I'm not sure how Flashback is triggered but if the user has to install the virus then, no, the threat is not equal on the Apple OS. Nowhere near.

    • Paul Ducklin · 924 days ago

      If you read the article at the link above ("Jolly Big OS X botnet"), and the other material to which it links in turn, you should get a fairly complete picture of what's been going on here. Most infections in this 600,000+ botnet have been the result of what's known as a "drive-by install".

      This exploits a vulnerability in Java to bypass the usual "do you want to download/are you sure/this file comes from the internet" warnings, and thus sneaks the malware onto your Mac without warning or consent.

      Also, don't forget that many, if not most, Windows infections happen as a side-effect of user interaction. Often, the social engineering cover under which you are talked into letting the virus onto your PC is fairly subtle. A well-informed user will spot most, but not necessarily all, such tricks.

      So I'd say the nature of the threat on OS X is very similar to Windows. Quantitatively smaller (admittedly still by a very long way), but qualitatively pretty similar.

      • Tim Gowen · 922 days ago

        Understood, but I think the significance of that quantitative difference is being underplayed by commentators.

        As I said, my Sophos AV hasn't turned up anything much so far so maybe I don't go to the sort of websites which do this. I don't see a lot of Fake AV on Windows either but I know that a lot of people do!

  7. Felice · 922 days ago

    Does using the terminal with the command lines:

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

    still detect the various new FlashBack strains?
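The three `defaults read` checks quoted in the comment above, wrapped into a small POSIX shell script so they can be run in one go and the results read without eyeballing each command. This is an added example, not code from Sophos, Apple or the commenter: the function names (`classify_defaults_output`, `check_flashback_indicators`) are made up for this illustration, the sample `defaults` output used for self-checking is constructed, and the script only reports whether a value is present at those three locations; it removes nothing and says nothing about strains that persist somewhere else.

```shell
#!/bin/sh
# Added example (not Sophos', Apple's or the commenter's code).
# Flashback variants were reported to inject themselves into running programs
# via DYLD_INSERT_LIBRARIES, either system-wide (~/.MacOSX/environment.plist)
# or per-application (LSEnvironment in a browser's Info.plist). On a clean Mac
# none of those keys exist, so `defaults read` fails with "does not exist".
# Helper names below are hypothetical; they are not part of any Apple tool.

# classify_defaults_output OUTPUT EXITSTATUS
#   OUTPUT     = captured stdout+stderr of one `defaults read`
#   EXITSTATUS = its exit status
# Prints: clean      - the domain/key pair does not exist (expected state)
#         suspicious - the key exists and holds a value (needs review)
#         unknown    - defaults failed for some other reason (e.g. unreadable plist)
classify_defaults_output() {
    out=$1
    status=$2
    if [ "$status" -ne 0 ]; then
        case "$out" in
            *"does not exist"*) echo clean ;;
            *)                  echo unknown ;;
        esac
        return 0
    fi
    # Exit status 0 with a non-blank value: something is injecting a library.
    if [ -n "$(printf '%s' "$out" | tr -d '[:space:]')" ]; then
        echo suspicious
    else
        echo clean
    fi
}

# Run the three checks from the comment on a live system (needs macOS's
# `defaults` tool). Returns 0 if every location is clean, 1 otherwise.
check_flashback_indicators() {
    rc=0
    for entry in \
        "$HOME/.MacOSX/environment|DYLD_INSERT_LIBRARIES" \
        "/Applications/Safari.app/Contents/Info|LSEnvironment" \
        "/Applications/Firefox.app/Contents/Info|LSEnvironment"
    do
        domain=${entry%%|*}   # text before the first '|'
        key=${entry#*|}       # text after the first '|'
        out=$(defaults read "$domain" "$key" 2>&1)
        status=$?
        verdict=$(classify_defaults_output "$out" "$status")
        printf '%-10s %s %s\n' "$verdict" "$domain" "$key"
        [ "$verdict" = clean ] || rc=1
    done
    return $rc
}

# Only attempt the live checks where `defaults` exists (i.e. on a Mac).
if command -v defaults >/dev/null 2>&1; then
    check_flashback_indicators
fi
```

A "suspicious" line is not a verdict on its own: a legitimately installed tool could set these keys, so the next step is to look at the library path the value points to and at who put it there. A fully "clean" result only means these three injection points are empty, which is exactly why the article recommends a scanner rather than hand checks alone.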

  8. Anonymous · 215 days ago

    "Actually, Arik, it's both. (If you allow me the word virus to mean malware in general, which is how most of the world uses it today.)". Most of the world is wrong. Use the terminology correctly. The fact that most of the world does not know the difference, and there is a big difference, does not make the use of "virus" accurate for journalistic purposes. Ridiculous logic.

    • Paul Ducklin · 214 days ago

      If most of the world uses a word to mean X, then that word means X. That's how language works. And the use of a part to represent the whole is a common figure of speech. Look under "synecdoche" in your dictionary.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog