Slashdot Mirror


Apple Updates Java To Include Flashback Removal

Fluffeh writes "In the third update to Java that Apple has released this week, the update now identifies and removes the most common variants of the Flashback malware that has infected over half a million Apple machines. 'This Java security update removes the most common variants of the Flashback malware,' Apple wrote in the support document for the update. 'This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.'"

121 comments

  1. All apple machines were infected? by gatfirls · · Score: 0, Troll

    You'd think would have been offline or something. ;)

  2. infected over half a million Apple machines by Anonymous Coward · · Score: 0, Offtopic

    I thought this was only the initial number put out to draw ad-clicks. The revised number is now half of that.

    1. Re:infected over half a million Apple machines by CharlyFoxtrot · · Score: 1

      Don't know who modded this offtopic but the number of infected machines seems germane to the discussion. And AC's correct that the infection rate was dropping rapidly even before this tool hit:

      "The number of Macs infected by the Flashback malware has gone down by more than half, from 550,000 to 600,000 computers last week to 270,000 in the last 24 hours, Symantec said Wednesday."

      Now whether this is because of an overestimation of the original infection or due to the Apple community being energized and taking action (or a combination of the two) is up for discussion.

      --
      If all else fails, immortality can always be assured by spectacular error.
  3. No way! by Anonymous Coward · · Score: 0, Troll

    Macs don't get viruses!

    1. Re:No way! by Kenja · · Score: 5, Informative

      Macs don't get viruses!

      Almost no computer gets viruses anymore. Trojans & malware on the other hand...

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    2. Re:No way! by Anonymous Coward · · Score: 0

      Macs don't get viruses!

      Hello Artie McStrawman.

    3. Re:No way! by Anonymous Coward · · Score: 0

      Didn't you get shot down when you said this before?

      http://apple.slashdot.org/comments.pl?sid=2777497&cid=39634231

    4. Re:No way! by Anonymous Coward · · Score: 0

      Give it a couple of weeks, and they'll have patented both getting and removing them!

  4. I'm new to this conversation but... by Lord_of_the_nerf · · Score: 4, Funny

    ...I was wondering why the art department at work and the guy who makes my coffee was pissed.

    1. Re:I'm new to this conversation but... by Anonymous Coward · · Score: 4, Funny

      I think you wanted "were pissed." Apparently you don't work in the communications department. I'll bet the guy who makes your coffee would have gotten it right.

    2. Re:I'm new to this conversation but... by Anonymous Coward · · Score: 0

      So... good grammar leads to low-paying jobs? Good to know.

    3. Re:I'm new to this conversation but... by Anonymous Coward · · Score: 0

      Maybe the art department is a single person who also makes his coffee.

    4. Re:I'm new to this conversation but... by Lord_of_the_nerf · · Score: 1

      I'm happy to accept that I added art department late and should have to revised ;) I think that makes me marketing...

    5. Re:I'm new to this conversation but... by Lord_of_the_nerf · · Score: 1

      Or even have just revised that. It's not a good day for me.

    6. Re:I'm new to this conversation but... by heroid1a · · Score: 1

      I think you wanted "was pissed off". pissed == was under the influence of alcohol, whereas: pissed off == angry. Ah, you colonials...

    7. Re:I'm new to this conversation but... by Anonymous Coward · · Score: 0

      I know, aren't English Majors just so precious? :)

    8. Re:I'm new to this conversation but... by Cro+Magnon · · Score: 1

      At least he didn't say "pissed on" which means something else entirely.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    9. Re:I'm new to this conversation but... by citab · · Score: 1

      Nope.... in the states ... "pissed" does mean "angry" ... same as "pissed off" ...

      ah, you former imperialists ...

    10. Re:I'm new to this conversation but... by idontgno · · Score: 1

      Hurry up and make up to the guy that makes the coffee. You need your fix. Badly.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
  5. immature=no java by Anonymous Coward · · Score: 5, Interesting

    So to fix the problem, they say let's disable Java by default. They are new to the security game.
    Let's say using Adobe Photoshop had a vulnerability, apple's defense is disable the running of Photoshop when launching a PS file without prompting?

    It's like preventing your child from walking without your permission every time and then, when they're grown up and able to make their own decisions and decide to walk, you say, oh you have not walked in a while, you can't walk again.

    1. Re:immature=no java by mug+funky · · Score: 2, Insightful

      apple's design philosophy is to progressively remove features, so this fits quite well.

      (anyone wanting to knee-jerk at my assertation - give me a counter-example)

    2. Re:immature=no java by Anonymous Coward · · Score: 0

      (anyone wanting to knee-jerk at my assertation - give me a counter-example)

      I don't have a counter-example, but I do have a teapot in orbit between the Earth and Mars to sell you, CHEAP......

    3. Re:immature=no java by codepunk · · Score: 2, Insightful

      I agree what they should have done is remove java entirely.

      --


      Got Code?
    4. Re:immature=no java by Concerned+Onlooker · · Score: 2

      They're disabling applets, not Java. That would be like prompting if you wanted to open a recently downloaded ps file in your analogy.

      --
      http://www.rootstrikers.org/
    5. Re:immature=no java by Anonymous Coward · · Score: 3, Interesting

      You have 3 pieces of software that constantly get patched for security holes found and they are....

      1) Java - Not installed in OS X by default anymore. Doesn't get installed unless it's requested, like running Adobe Apps, etc.

      2) Flash - Not installed anymore by default

      3) Quicktime - Rewritten from the ground up starting with QT X. QT 7 and back has always been a security breach.

    6. Re:immature=no java by utkonos · · Score: 3, Funny

      You're missing one: Adobe Acrobat (PDF).

    7. Re:immature=no java by ColdWetDog · · Score: 2, Informative

      PDFs are handled internally by Preview.app. It doesn't have the functionality of Acrobat Reader but it also doesn't have the attack surface.

      --
      Faster! Faster! Faster would be better!
    8. Re:immature=no java by BasilBrush · · Score: 4, Informative

      No, the fix to the problem was to ship the latest Java build which had closed the vulnerability. And then to follow that up with an update that removed any infection already there.

      Java is deprecated. As a development platform for OSX it was deprecated going on for a decade ago. And as a platform supported by Apple, back in 2010. With the current version of OSX it doesn't even ship as standard. It only gets downloaded and installed for the minority of people that actually use some software that needs it.

      Nevertheless, the only part that is getting switched off when it's not been used for a while is the browser plugin. And reenabling it if required is easy.

      Basically it's a bit like Flash - being helped on the road to complete obsolescence because it's not needed and tends to have vulnerabilities.

      Perfectly sensible.

    9. Re:immature=no java by BasilBrush · · Score: 5, Informative

      What, you mean a new feature? Wikipedia is your friend, there's a long list of new features for every major OSX version.
      e.g.
      http://en.wikipedia.org/wiki/Osx_lion

    10. Re:immature=no java by Anonymous Coward · · Score: 1

      Wow. A whole hole. That's equivalent to the patchwork software that is Adobe Reader.

    11. Re:immature=no java by Anonymous Coward · · Score: 0

      As a development platform for OSX it was deprecated going on for a decade ago.

      No it wasn't, and it still isn't.

      And as a platform supported by Apple, back in 2010.

      Wrong again, in fact back in 2010 they made the announcement that Apple will work with Oracle on Java SE 7 and future versions where Apple will contribute most of the key components, tools and technology including HotSpot JVM, class libraries, networking stack and the foundation for a new graphical client.

    12. Re:immature=no java by mug+funky · · Score: 0

      well... they removed some of the crashes i guess.

      i was thinking more hardware and software. Final Cut Pro X is a recent example. they added some interesting stuff if you're shooting multi-cam, and broke EDL, XML, backward compatibility, the ability to share projects and removed Color entirely.

      hardware wise... if they could remove the home, power and volume buttons they would. they lost me as a supporter when they removed the "reset" button - an arrogant statement that their (then OS 8.6) machines will never crash and hence never need the kill button. had to wrench the fuckers out of the wall. God help you if you had a laptop.

    13. Re:immature=no java by Anonymous Coward · · Score: 1

      It seems silly to blame Java when the entire purpose of Java is to serve as an execution platform for general purpose software. That's like saying "hey we should get rid of executable software, because it could pose a security risk."

    14. Re:immature=no java by Anonymous Coward · · Score: 0

      Removing features is a hell of a lot better design philosophy than the "add useless bloat till it explodes" philosophy that open source uses.

    15. Re:immature=no java by viperidaenz · · Score: 1

      You can just remove the battery from the laptop... unless it's a MacBook Air...

    16. Re:immature=no java by tlhIngan · · Score: 4, Informative

      I agree what they should have done is remove java entirely.

      They did. Java and Flash have not been shipped with OS X for ages now. The primary reason is people keep reinstalling OS X and thus those vulnerable versions. Far better to let the user download and install the latest and greatest from Adobe and Oracle.

      Final Cut Pro X is a recent example. they added some interesting stuff if you're shooting multi-cam, and broke EDL, XML, backward compatibility, the ability to share projects and removed Color entirely.

      Well, Final Cut Pro X is a completely new rewrite. Apple's tradition with new rewrites of software is to get the basics working rock solid first, then add back missing features. This has been true since OS X was first released and didn't have half the stuff (e.g., DVD player) that the OS 9 it shipped with also had. It happened again with QuickTime X - there's a reason why OS X supported a dual install of QT X and QT 7. FCP X is more of the same. They also retargeted it for prosumers rather than pros. And yes, they still sell FCP 7 - but only by phone sales.

      hardware wise... if they could remove the home, power and volume buttons they would. they lost me as a supporter when they removed the "reset" button - an arrogant statement that their (then OS 8.6) machines will never crash and hence never need the kill button. had to wrench the fuckers out of the wall. God help you if you had a laptop.

      Does a modern PC have a reset button these days? Most of the time if it hard locks, you hold the power button a few seconds and it turns off. You then hit it again to turn it on. Reset's kinda useless since most people found they needed to mollyguard their PCs. Hell, an office full of white box PCs on the floor is a tempting target around family days - little buggers go running off and pushing all the buttons on a PC, including reset. Anyhow, old Macs had them, but they were pin-holes to prevent exactly that sort of problem. (You needed it if you wanted to get into the debugger).

    17. Re:immature=no java by Anonymous Coward · · Score: 0

      (anyone wanting to knee-jerk at my assertation - give me a counter-example)

      I don't have a counter-example, but I do have a teapot in orbit between the Earth and Mars to sell you, CHEAP......

      If it has free shipping I'll buy it.

    18. Re:immature=no java by Robert+Zenz · · Score: 1

      That seems to be everyone's philosophy of late: Apple, Microsoft, the Gnome devs, Canonical, the guys who design Android... for crying out loud, I can't even find fitting shoes anymore because they all look the same.

    19. Re:immature=no java by Robert+Zenz · · Score: 1

      Java is deprecated.

      Please don't tell me you're a .NET developer...pretty please...

    20. Re:immature=no java by Anonymous Coward · · Score: 0

      "Java is deprecated."

      You have it wrong, like so many recent code monkeys; the right phrase is "Java is depreciated." This phrase is less wrong, but since the recent misuse of deprecated has exploded, due, ironically, to a badly edited Sun report back in the '90s, I doubt now that the Language can be repaired.
      Along with deprecated, please avoid the misuse of decimate and outlier.

      Otherwise, as for the content of your post, you are thoroughly correct.

    21. Re:immature=no java by makomk · · Score: 2

      I think the attack surface of Preview.app actually extends into the OS X kernel itself. One of the iPhone jailbreaks used a kernel-level PDF exploit and it was apparently in code shared with the desktop version.

    22. Re:immature=no java by cbhacking · · Score: 5, Informative

      As of 2010, Adobe Reader was kicking Preview's ass on security. No, that's not a joke. Nor is it fanboyism; I don't use either one. It's just a plain and simple fact. The probable reason? Adobe, like Microsoft, has had many years of being a high-profile target, and has put a lot of effort into finding and fixing security bugs. Apple, quite frankly, has not.

      http://net-security.org/secworld.php?id=9725
      Watch the second video, and jump ahead to 8:57 (almost the end) if you want a simple comparison.

      For the lazy, here's the basic facts: Preview had from the same set of 1400 PDFs downloaded from the web, run through a mutational fuzzer to produce 2.8 million test files. Preview had 7 times as many unique crashes as Adobe Reader, and at least 3 times (more realistically, probably 10 times; at worst, 20 times) as many exploitable bugs.

      When a guy like Charlie Miller (very well-respected security researcher) can find 7 security bugs in Apple's code for each one he finds in Adobe's (using the exact same test cases), Apple has a serious security problem.

      --
      There's no place I could be, since I've found Serenity...
    23. Re:immature=no java by Jesus_666 · · Score: 1

      No, a Mac user.

      Apple used to support Java as a first-class citizen. It was on one level with Carbon (the OS 9/OS X UI toolkit) and Cocoa (the OS X UI toolkit). Carbon has been deprecated because, well, it was only intended to make the switch from 9 to X easier and 9 has been dead forever. Java has been deprecated, too - it's now a second-class citizen like on other platforms and Apple's only officially backed environment for OS X development is Cocoa.

      So it's not deprecated as in "you shouldn't use this anymore" but as in "it's no longer considered a core part of our ecosystem". It lost a status it never had elsewhere. Well, except Android, of course.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    24. Re:immature=no java by Robert+Zenz · · Score: 1

      Oh, then forget that I wrote something...

    25. Re:immature=no java by randomsearch · · Score: 1

      > Java is deprecated.

      What?

    26. Re:immature=no java by Anonymous Coward · · Score: 0

      Go away, troll.

      Everyone who is anyone knows that deprecate comes from "to pray against; ward off", as opposed to depreciate "lose value".

      Posting for the benefit of people who are, obviously, not anyone, and might be baffled by your bullshit.

    27. Re:immature=no java by BasilBrush · · Score: 1

      You must be a Java developer. And you're kidding yourself. It's in black and white.

      "Note: As of the release of Java for Mac OS X 10.6 Update 3, the Java runtime ported by Apple and that ships with Mac OS X is deprecated. Developers should not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X."
      https://developer.apple.com/library/mac/#documentation/Java/Conceptual/Java14Development/00-Intro/JavaDevelopment.html

    28. Re:immature=no java by BasilBrush · · Score: 2

      Deprecated is in multiple dictionaries with the exact meaning I used. Therefore you are unquestionably wrong.

      You're also wrong about depreciated. That's not the meaning that is intended when software professionals use the term deprecated.

    29. Re:immature=no java by Anonymous Coward · · Score: 0

      For the lazy, here's the basic facts: Preview had from the same set of 1400 PDFs downloaded from the web, run through a mutational fuzzer to produce 2.8 million test files. Preview had 7 times as many unique crashes as Adobe Reader, and at least 3 times (more realistically, probably 10 times; at worst, 20 times) as many exploitable bugs.

      A crash is not the same thing as an exploitable bug (although they often go together).

      It's much better for programs to rigorously check their input, and while it's nice to fail gracefully, I would much rather have a crash than an exploit.

    30. Re:immature=no java by Anonymous Coward · · Score: 0

      As of 2010, Adobe Reader was kicking Preview's ass on security. No, that's not a joke.

      As of 2011, Preview has been sandboxed; the PDF renderer is isolated and can't touch the filesystem. (This is much the same technique as is employed by Adobe in Reader Protected Mode.)

    31. Re:immature=no java by Anonymous Coward · · Score: 0

      You must be a Java developer. And you're kidding yourself. It's in black and white.

      "Note: As of the release of Java for Mac OS X 10.6 Update 3, the Java runtime ported by Apple and that ships with Mac OS X is deprecated. Developers should not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X."
      https://developer.apple.com/library/mac/#documentation/Java/Conceptual/Java14Development/00-Intro/JavaDevelopment.html

      Java is not deprecated. Apple's port is. OpenJDK 7 is rolling out with partial, up-to-date, MacOS X support in the next release (update 4) and full support in the subsequent release (update 6). Java under Mac has just gotten better, not worse! You should experience much fewer cross-platform problems now that all ports are maintained by the same vendor.

    32. Re:immature=no java by Anonymous Coward · · Score: 0

      As a development platform for OSX it was deprecated going on for a decade ago.

      No it wasn't, and it still isn't.

      The Cocoa-Java bridge (what you would use if you were using Java "as a development platform for OSX") has been deprecated since Tiger, about seven years ago.

      And as a platform supported by Apple, back in 2010.

      Wrong again, in fact back in 2010 they made the announcement that Apple will work with Oracle on Java SE 7 and future versions where Apple will contribute most of the key components, tools and technology including HotSpot JVM, class libraries, networking stack and the foundation for a new graphical client.

      Your statement is absurd. The HotSpot JVM is Sun technology which Oracle owns and Apple uses under license.

      Since the beginning of OS X Apple maintained an official port of Sun's Java. In 2010, Apple announced that it would not guarantee future availability of this Apple port for OS X.

      A month or so later, Apple announced that it would be donating the components for that port to the OpenJDK project and that all future development of Java for OS X would be done as part of OpenJDK. In other words, Apple has washed its hands of Java and turned over the code to the community.

    33. Re:immature=no java by sproketboy · · Score: 1

      Learn to read:
      "Apple will work with Oracle on Java SE 7 and future versions where Apple will contribute most of the key components, tools and technology including HotSpot JVM, class libraries, networking stack and the foundation for a new graphical client."

      This is exactly what Apple does. The difference is only that they are no longer including Java by default on OS/X.

    34. Re:immature=no java by CharlyFoxtrot · · Score: 1

      I agree what they should have done is remove java entirely.

      Java is not installed by default in Lion, the latest version of OSX. The user is prompted to install it the first time he opens a webpage containing an applet or the first time he invokes "java" on the CLI.

      --
      If all else fails, immortality can always be assured by spectacular error.
    35. Re:immature=no java by petermgreen · · Score: 1

      It seems silly to blame Java when the entire purpose of Java is to serve as an execution platform for general purpose software.

      That was one purpose of it but not the only one and not the one that has caused the controversy.

      Another purpose of Java was to provide a SANDBOXED execution platform for running untrusted software (such as applets from the web) while preventing it from damaging the user's system. The problem is getting a sandbox like this right is hard and every so often a flaw is discovered that lets malicious code break out of the sandbox.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    36. Re:immature=no java by datavirtue · · Score: 1

      Or a Macbook Pro....

      --
      I object to power without constructive purpose. --Spock
    37. Re:immature=no java by datavirtue · · Score: 1

      What in the hell are you talking about?

      --
      I object to power without constructive purpose. --Spock
    38. Re:immature=no java by datavirtue · · Score: 1

      Apple has washed its hands of Java and turned over the code to the community.

      It is about fucking time. Java developers rejoice the world over.

      --
      I object to power without constructive purpose. --Spock
    39. Re:immature=no java by BasilBrush · · Score: 1

      It's not a matter of learning to read you penis. It's a different press release. And the word "deprecate" was not withdrawn.

      Basically Apple deprecated its own built-in port of Java, and said go get it from Oracle. 3 weeks later they announced that they'd let Oracle have the pieces remaining from their now deprecated project. And that they'd help them keep their Java working with OSX.

      The distinction is important, because it means that right now, it's Apple's responsibility to fix. As of Mountain Lion it's Oracle's. Apple deprecated it.

    40. Re:immature=no java by Anonymous Coward · · Score: 0

      "Everyone who is anyone knows that deprecate comes from "to pray against; ward off", as opposed to depreciate "lose value"."

      Uh, spend more time in the stacks, buddy. "Deprecate" has historically carried a negative connotation, as in "self-deprecating" humor. Obsolescence didn't have that image; I drive an obsolete car, most of us do, but it has not been deprecated. It certainly has been depreciated.

      To deprive a word of its historical intent due to laziness, or more likely, a bad spell-checker, not caught by a Sun editor a few years back does not remove the wrong. But the real wrong is promoting that use because of arrogance.

      Nowadays, software gits use "Deprecate" in a value-neutral sense. "Our old software is not as good as our new software, so buy the new software. Not that the old software was bad in any sense. It's just obsolete. We will deprecate it."

      If they were being honest, they would say "Our old software was total crap. Our new software is also total crap, but we want your money. So we will limit the value of our old software. We will write it off. We will _depreciate_ it."

      And deprecate is such an ugly word. Say it ten times in a row. See how long it takes you to say "Depecrate". If you get to seven, you have a better command of the spoken language than I do. But, meanwhile, still continue to use outlier and decimate in their original senses.

    41. Re:immature=no java by BasilBrush · · Score: 1

      well... they removed some of the crashes i guess.

      Was the list too big, your comprehension abilities too poor, or have you just got a Fox News like ability to deny what's there in front of you? Apple adds lots of new features.

      In good design, what you take out is as important as what you leave in. Look at Windows and the PC for what happens when you are afraid to take anything out. You end up with a big pile of shit.

    42. Re:immature=no java by Anonymous Coward · · Score: 0

      "You're also wrong about depreciated. That's not the meaning that is intended when software professionals use the term deprecated."

      Just because _some_ "Software Professionals" have _recently_ used the word deprecated to mean something like obsolete, doesn't mean that their use of that word is correct.

      Sigh. The Language evolves. P. G. Wodehouse championed the use of "ain't" in polite circles nearly a century ago. It may catch on. But I'll be damned if I go to, whatever is left of, BestBuy a few years from now, to get a new Toaster, because my old Toaster was "Deprecated".

    43. Re:immature=no java by stewbacca · · Score: 1

      What are you talking about? You just hold down the power button on any model ever made.

    44. Re:immature=no java by sproketboy · · Score: 1

      Which is good you fucken inbred shit eating monkey since Apple is incompetent at providing security updates to its users.

    45. Re:immature=no java by BasilBrush · · Score: 1

      It's also good because as Apple has taken another step away from Java, even less use will be made of it. Thus hastening the day when Java is dead. Can't happen soon enough.

    46. Re:immature=no java by sproketboy · · Score: 1

      Happily you'll be dead before Java.

    47. Re:immature=no java by Anonymous Coward · · Score: 0

      So to fix the problem, they say let's disable Java by default. They are new to the security game.

      Think of it as more like dealing with someone who isn't capable of handling their end of a relationship. You don't make excuses for them, cover for them, or try and change them, you cut them loose. You can look at it from Apple's perspective, honestly how useful is Java for the average iWidget user? The honest answer is it is of no use at all. By removing Java from the default install, and disabling Java applets by default even if installed, the number of targets for someone trying to serve up malware to iWidget users drops precipitously from tens of millions of machines to a few thousand at most.

      Seriously the world would be a better place if Antivirus programs flagged and removed Java and Java files by default. Because once you get outside of corporate IT, all Java programs can be safely assumed to be malicious.

    48. Re:immature=no java by Anonymous Coward · · Score: 0

      Kicking Preview's ass? Ok:
      Adobe Reader: Many known instances of targeted and broadcast attacks, exploiting vulnerabilities, and compromising major organizations.
      Preview: Two years ago, some fuzzing crashes were reported. No known targeted or broadcast exploits, ever.

      Probably has a lot to do with the fact that Adobe Reader bundles flash, 3d, etc functionality into PDF, whereas Preview is just for reading PDFs.

      Also, on Lion, Preview is sandboxed.

    49. Re:immature=no java by mug+funky · · Score: 1

      Final Cut Pro X is a completely new rewrite. Apple's tradition is new rewrites of software is to get the basics working rock solid first, then add back missing features.

      ask _any_ editor that doesn't work out of their bedroom what "the basics" of a professional editing package are.

      i'm not sure you understand the sheer scale of Apple's fuckup with FCP-x. sure, they've made some amends on a few features, but the entire industry is shell-shocked and afraid to trust again - even my old boss, who was a die-hard mac fanboy (to the extent of installing an xSAN system and having to spend 100k+ on hardware and software getting it to work with the PC, linux, and mac systems in the facility).

      from a pro point of view, it's hard not to see Apple's standard operating procedure as "find software that's potentially disruptive, buy it, hard-sell it so it dominates the industry, EOL it - to hell with the customers".

      i know one should never ascribe to malice something sufficiently explained by incompetence, but given Apple's market capitalization, even a "hater" must concede that they are not incompetent.

    50. Re:immature=no java by mug+funky · · Score: 1

      that method takes 5 seconds.

      wrenching out the power takes less than a second :)

    51. Re:immature=no java by mug+funky · · Score: 1

      in design, form must follow function, not dictate it.

      Microsoft certainly didn't do it as well as they could, but at least they tried. Apple didn't even try.

      i'd be happy if their updates just came with a simple "classic mode", or "expert mode" switch - i know "the masses" (whatever they are) are afraid of too much choice, but any feature will likely have a use, and removing it will likely inconvenience someone. less used features can be shifted out of sight, but should not be removed unless there's a very good reason and _notice_ of it.

    52. Re:immature=no java by BasilBrush · · Score: 1

      in design, form must follow function, not dictate it.

      Microsoft certainly didn't do it as well as they could, but at least they tried. Apple didn't even try.

      You are misinterpreting the one thing about design you've heard. "Form follows function" does not mean that everything including the kitchen sink should be included. Designers following form follows function simplify.

  6. only the beginning by thoper · · Score: 2, Interesting

    apple's "security through scarcity" is starting to fade away as they gain marketshare. any popular OS will get viruses, malware, trojans, etc.

    will mac os get a stronger walled garden as a result? i hope not as i was about to buy my first mac.

    1. Re:only the beginning by viperidaenz · · Score: 1

      Wait a bit longer and you'll only be able to install Mac software you bought through iTunes.

    2. Re:only the beginning by CharlyFoxtrot · · Score: 1

      apple's "security through scarcity" is starting to fade away as they gain marketshare. any popular OS will get viruses, malware, trojans, etc.

      will mac os get a stronger walled garden as a result? i hope not as i was about to buy my first mac.

      The next release of OS X (Mountain Lion) will warn people when trying to run unsigned apps. Apps sold through the Mac App Store will be signed and devs will be able to get their app signed by Apple for free without having to distribute through the App Store. Unsigned apps will also still run if you tell the system to do so. The fact that Apple are doing things shows they will not go full-on walled garden like with iOS but are still trying to get some of its advantages to their users by choosing this middle path.

      --
      If all else fails, immortality can always be assured by spectacular error.
  7. user error will continue by Anonymous Coward · · Score: 0

    And the problem will persist once a user's experience is interrupted by allowing various applets and allows any to run any time, or blindly accepts the running of unknown applets.

  8. Leopard and earlier by SilverCanary · · Score: 1

    Except for Macs running Leopard or earlier of course. Those will probably never be patched.

    1. Re:Leopard and earlier by DurendalMac · · Score: 2

      If an Intel Mac is still running Leopard or earlier then I would have to wonder why. SL will run on any Intel Mac, is superior in nearly every way, and is a whopping $29. If it's a PowerPC Mac, then rest easy, because nobody is going to write malware designed to run on them. What's the point? They're a sliver of the Mac market and that number is going to get any bigger.

    2. Re:Leopard and earlier by DurendalMac · · Score: 1

      Er, isn't going to get any bigger. Curse you lack of an edit button!

    3. Re:Leopard and earlier by Anonymous Coward · · Score: 0

      If an Intel Mac is still running Leopard or earlier then I would have to wonder why. SL will run on any Intel Mac, is superior in nearly every way, and is a whopping $29.

      It's not $29 if you're running something earlier than Snow Leopard, tack on another $100 to that price. So it's more comparable to the older XP-generation of which many still haven't upgraded to 7 but MS still supports them even though XP is a far less secure and far less stable OS.

    4. Re:Leopard and earlier by viperidaenz · · Score: 1

      ... and will continue to support XP for another two years.

    5. Re:Leopard and earlier by DurendalMac · · Score: 1

      The SL upgrade discs work on Tiger installations.

    6. Re:Leopard and earlier by StuartHankins · · Score: 1

    7. Re:Leopard and earlier by Anonymous Coward · · Score: 0

      It's not $29 if you're running something earlier than Snow Leopard, tack on another $100 to that price.

      Yes it is. Seriously, go to an Apple Store and buy the $30 disc. It will install on bare (shiny Apple) metal. Read the EULA that comes inside it. Apple markets it as an "upgrade" (in the sense of a discounted version for owners of the previous one) but the box itself does not say "upgrade" anywhere on it. It's the full version.

  9. The core OS is still pretty secure by Grayhand · · Score: 3, Interesting

    Most of the problems have been related to people installing software from the internet manually and things like Java. I'm not saying anything pro or con about Apple I own both Mac and Windows machines so I have no horse in this race. Like Linux the core OS is pretty sound I just wish Microsoft had bitten the bullet and made the leap when they did the Vista overhaul. It was a pretty brave move for Apple at the time to switch the OS and it paid off in the long run. Add ons like Java are always going to be a source of headaches. All I know is I rarely have trouble with my Macs but the PCs are another story. One of mine I had to surrender for internet use because it got nailed by a redirect and I tried everything and short of redoing the OS there was no way to scrub it out. I find it safer to use Mac for web surfing and downloading things like software and I use a lot of licensed photos in my work. It's just my personal experience that I run into far fewer issues with the Macs.

    1. Re:The core OS is still pretty secure by exomondo · · Score: 4, Interesting

      Most of the problems have been related to people installing software from the internet manually and things like Java.

      That's pretty much the case with all platforms, compromise the user and you compromise the security of the system. All the email attachment malware, screensavers, etc... are user exploits and it doesn't matter what platform they are on, of course modern operating systems require explicit privilege escalation but again that's up to the user.

      Add ons like Java are always going to be a source of headaches.

      What do you mean 'Add ons'? You mean 3rd party software? Or in this case not even that since it's Apple that maintains Java releases for OSX.

      All I know is I rarely have trouble with my Macs but the PCs are another story. One of mine I had to surrender for internet use because it got nailed by a redirect and I tried everything and short of redoing the OS there was no way to scrub it out. I find it safer to use Mac for web surfing and downloading things like software and I use a lot of licensed photos in my work. It's just my personal experience that I run into far fewer issues with the Macs.

      I'm equally as careful whether i'm running Windows or OSX, i'm not going to be naive and just install anything downloaded from the net or visit questionable sites on either platform because - as these recent publicized events have highlighted - neither platform is completely secure and it would be pretty irresponsible to tell users that they don't have to worry about security just because it's OSX, best to be just as careful no matter what you use. Sure there are less known issues with OSX - even less for most linux or BSD distros - but as their marketshare increases we are seeing instances of infection increase so best to take as much care no matter which platform you're on.

    2. Re:The core OS is still pretty secure by grouchomarxist · · Score: 1

      What do you mean 'Add ons'? You mean 3rd party software? Or in this case not even that since it's Apple that maintains Java releases for OSX.

      I'm not sure about the status of the current Java in OS X, but Apple previously announced that Oracle would be handling the development of Java for OS X for future OS X releases.

      http://www.apple.com/pr/library/2010/11/12Oracle-and-Apple-Announce-OpenJDK-Project-for-Mac-OS-X.html

      My guess is that this means Java resources at Apple are probably not significant and could explain why Apple took such a long time to release this patch.

    3. Re:The core OS is still pretty secure by exomondo · · Score: 2

      I'm not sure about the status of the current Java in OS X, but Apple previously announced that Oracle would be handling the development of Java for OS X for future OS X releases.

      http://www.apple.com/pr/library/2010/11/12Oracle-and-Apple-Announce-OpenJDK-Project-for-Mac-OS-X.html

      Well from your link:
      Java SE 7 and future versions of Java for Mac OS X will be available from Oracle.
      Then in reference to the update targeting the current malware threat:
      Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31

      Even with the OpenJDK Apple will contribute most of the key components, tools and technology required for a Java SE 7 implementation on Mac OS X so i'm still not sure what you're defining as 'Add ons', you mean anything outside of the kernel?

    4. Re:The core OS is still pretty secure by Anonymous Coward · · Score: 0

      That's pretty much the case with all platforms, compromise the user and you compromise the security of the system. All the email attachment malware, screensavers, etc... are user exploits and it doesn't matter what platform they are on, of course modern operating systems require explicit privilege escalation but again that's up to the user.

      Not entirely the case here; the nastiness of this malware comes from the fact that it does not require user interaction to alter a system, though if you give it the go ahead it will do it system wide.

      From an article on CNET

      How does it work?

      The Flashback malware injects code into applications (specifically Web browsers) that will be executed when they run, and which then send screenshots and other personal information to remote servers.

      First step: Exploiting Java
      When you encounter the malicious Web page containing the malware and have an unpatched version of Java running on your system, it will first execute a small Java applet that when run will break the Java security and write a small installer program to the user's account. The program is named something like .jupdate, .mkeeper, .flserv, .null or .rserv, and the period in front of it makes it appear hidden in the default Finder view.

      In addition, the Java applet will write a launcher file named something like "com.java.update.plist", "com.adobe.reader.plist", "com.adobe.flp.plist" or even "null.plist" to the current user's ~/Library/LaunchAgents/ folder, which will continually launch the .jupdate program whenever the user is logged in.

      In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:
      /Library/Little Snitch
      /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
      /Applications/VirusBarrier X6.app
      /Applications/iAntiVirus/iAntiVirus.app
      /Applications/avast!.app
      /Applications/ClamXav.app
      /Applications/HTTPScoop.app
      /Applications/Packet Peeper.app

      If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.

      Second step: Downloading the payload
      When the jupdate program executes, it will connect to a remote server and download a payload program that is the malware itself, and which consists of two components. The first is the main part of the malware that performs the capture and upload of personal information, and the second is a filter component that is used to prevent the malware from running unless specific programs like Web browsers are being used.

      Third step: Infection
      Once the malware and the filter are downloaded, the malware is run to infect the system. This is where users will see an alert about a software update and will be prompted to supply their passwords. Unfortunately at this point there is nothing to stop the infection, and whether or not a password is supplied only changes the mode of infection.

      The root of the infection routine is based around hijacking configuration files in OS X that are read and executed when programs are run. One of these is called "Info.plist" located in the "Contents" folder within each OS X application package, and is read whenever that specific program is opened. The second is called "environment.plist" and is located within the user account in a hidden folder (~/.MacOSX/environment.plist), which can be used to launch parameters whenever any programs are opened by the user.

      The first mode of infection is if a password is supplied, in which case the malw
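An added example, not code from the page, from CNET or from Apple's removal tool: a POSIX shell check for the user-level artifacts the quoted text names (the hidden installer names in the account root, the listed LaunchAgents plists, and ~/.MacOSX/environment.plist). The file names come from the quoted text; the function name flashback_scan, the "review" reporting and the sample home directory are constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the page, from CNET, or from Apple): look in
# one user's home directory for the Flashback artifacts the quoted text names.
# Findings go to stderr; the number of findings is printed to stdout.

# Hidden installer names written to the account root (from the quoted text).
FLASHBACK_INSTALLERS=".jupdate .mkeeper .flserv .null .rserv"
# LaunchAgent file names the malware was seen using (from the quoted text).
FLASHBACK_AGENTS="com.java.update.plist com.adobe.reader.plist com.adobe.flp.plist null.plist"

# Returns 0 if $1 is one of the words in $2.
in_list() {
    for w in $2; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

flashback_scan() {
    home="$1"
    hits=0

    # 1. Hidden installer dropped in the account root.
    for f in $FLASHBACK_INSTALLERS; do
        if [ -e "$home/$f" ]; then
            echo "hidden installer present: $home/$f" >&2
            hits=$((hits + 1))
        fi
    done

    # 2. Launch agents: flag a plist if its name is on the list, or if its
    #    contents reference one of the hidden installer names (so a renamed
    #    agent that still launches .jupdate is caught as well).
    agents="$home/Library/LaunchAgents"
    if [ -d "$agents" ]; then
        for p in "$agents"/*.plist; do
            [ -f "$p" ] || continue
            flagged=""
            if in_list "$(basename "$p")" "$FLASHBACK_AGENTS"; then
                flagged="known Flashback agent name"
            else
                for f in $FLASHBACK_INSTALLERS; do
                    if grep -q -F -- "/$f" "$p"; then
                        flagged="references $f"
                        break
                    fi
                done
            fi
            if [ -n "$flagged" ]; then
                echo "suspicious launch agent ($flagged): $p" >&2
                hits=$((hits + 1))
            fi
        done
    fi

    # 3. Per-user environment.plist, which the quoted text says Flashback
    #    hijacks; it is rare on a normal account, so report it for review.
    if [ -f "$home/.MacOSX/environment.plist" ]; then
        echo "review: $home/.MacOSX/environment.plist exists" >&2
        hits=$((hits + 1))
    fi

    echo "$hits"
}
```

Run it as `flashback_scan "$HOME"`; a non-zero count means something on the list is present and deserves a look, not that the machine is certainly infected.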

  10. riddance by Anonymous Coward · · Score: 0

    Honestly I can't possibly fathom a single good reason to allow Java in your web browser. Any dev incorporating applets for even the smallest, optional web functionality should raise eyebrows amongst his peers.

    1. Re:riddance by ColdWetDog · · Score: 1

      NOAA satellite loops are, unfortunately, done in Java and were last updated sometime before half of Slashdot's current user base were born.

      --
      Faster! Faster! Faster would be better!
    2. Re:riddance by b5bartender · · Score: 1

      NOAA has actually migrated away from Java.........to Flash. (no, not kidding.) That's bureaucracy for you.

    3. Re:riddance by Anonymous Coward · · Score: 0

      Every bank in Norway uses something called "BankID" for accessing services through the browser, and it's programmed in Java.

    4. Re:riddance by boristhespider · · Score: 1

      It's also slow as fuck and pisses me off every time I have to log into my account, but it's an inescapable evil.

  11. A genuine Achievement for Apple by Anonymous Coward · · Score: 0, Funny

    They have managed to get a 'Flash' application going on their machines.

  12. Phew by Trogre · · Score: 1

    When this debacle started, I mis-parsed an article heading and was worried Apple was trying to eradicate Flashblock, and had grave fears for the web.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  13. Does It Tell You by Anonymous Coward · · Score: 0, Interesting

    that you were infected? I'd like to know, I checked myself but could have missed it

    1. Re:Does It Tell You by Anonymous Coward · · Score: 0

      If you're infected, it tells you. Otherwise the update exits silently.

  14. java sucks by Anonymous Coward · · Score: 0

    flash and java, worst shit since windows

  15. Least priv/option reset without consent is malware by Anonymous Coward · · Score: 4, Insightful

    They're trying to prevent malware by installing their own malware.

    It is absolutely right to disable Java by default. Even the behaviour of disabling it if not used for a while COULD have been a useful feature IF they turned that behaviour on by default then provided an option to disable it. By taking it out of the user's hands they're just playing nanny. But like any nanny stuck in an office many years and many miles away they can't anticipate the needs of their entire userbase very well. They have just made it a pain for any user to use Java in a browser on their platform. No one needs a computer that decides not to obey settings the user had set (no matter how long ago). Think of what would happen if every setting on your computer set to defaults every week or two.

    I can think of ways around this that don't require any technical savvy. Put a local Java applet in as your homepage for instance. But this is clunky. You should be able to say "no I really do know better" and turn on Java.

    This is the problem when applying the principle of least privilege. It is also the principle of least innovation and the principle of most annoyance. The bottom line is no one needs access to a computer just to live and breathe. Least privilege is oxygen, water, basic food. Wouldn't be much of a fun life.

  16. Re:Least priv/option reset without consent is malw by Anonymous Coward · · Score: 0

    They disabled automatic execution of Java applets (automatic execution can be re-enabled by the user). This is a good thing and is not malware. The issue here is that very few users "set" the initial setting, it was either automatic execution enabled (the previous default), or automatic execution disabled (the new default).

    This patch then only affects users who have: 1. disabled automatic execution, 2. re-enabled it. This is probably a handful of users at most.

    The issue here is that they probably did not store that the user had previously changed the setting. And so have no idea that the user isn't simply using the default setting — which is what it looks like. The only option this patch has is to set the new default and allow the user to change it back.

    By your definition any software that changes its default settings after the user has set them is malware. While I would agree in some cases it is undesirable (key bindings, for instance), in this case it is a good thing and possibly the only option due to the current implementation of the feature.

  17. Re:Least priv/option reset without consent is malw by Anonymous Coward · · Score: 0

    I just tried the update, and all you have to do is to click on the box labeled "Addin Disabled" to turn it back on so not very much of a pain at all.

  18. Re:Least priv/option reset without consent is malw by Anonymous Coward · · Score: 0

    It is absolutely right to disable Java by default. Even the behaviour of disabling it if not used for a while COULD have been a useful feature IF they turned that behaviour on by default then provided an option to disable it. By taking it out of the user's hands they're just playing nanny.

    What, like firefox? There are some programs that I need to have on my computer for development (including java & .net), but I DON'T want them as browser plugins, ever. Firefox makes it very difficult to remove these plugins - you either have to modify the registry, or go through some obscure about:config entries.

    I want to click on the plugin, choose delete, and it's GONE, never to return to firefox.

  19. One thing I'd like to know - where does it look? by boristhespider · · Score: 1

    Within a day of the attack being announced various security blogs (and then Ars Technica) were posting directions for finding if you were infected. Each of those assumed that you'd left Safari and Firefox (and any other browser you might have been using) in the Applications folder. Since I get pissed off wading through jumbled, alphabetical lists of totally different programs, I organise my Applications folder into sub-folders. While I can go and check the programs myself from the command line, from my own experience talking even with other scientists let alone my parents, many others won't be able to do so... but might have the know-how to rearrange their Applications folder.

    Does anyone know whether Apple actually search through the installed directories of browsers, or just default locations?

  20. Re:One thing I'd like to know - where does it look by Anonymous Coward · · Score: 1

    Oh, you're one of those users that takes it upon themselves to "organize" their Apps folder. You make your Mac support people cry and die a little bit inside.

  21. Re:One thing I'd like to know - where does it look by boristhespider · · Score: 1

    But... I don't *have* any Mac support people! Maybe I should go and get some - I'd hate to disappoint them.

  22. Re:One thing I'd like to know - where does it look by Anonymous Coward · · Score: 0

    Within a day of the attack being announced various security blogs (and then Ars Technica) were posting directions for finding if you were infected. Each of those assumed that you'd left Safari and Firefox (and any other browser you might have been using) in the Applications folder. Since I get pissed off wading through jumbled, alphabetical lists of totally different programs, I organise my Applications folder into sub-folders. While I can go and check the programs myself from the command line, from my own experience talking even with other scientists let alone my parents, many others won't be able to do so... but might have the know-how to rearrange their Applications folder.

    Does anyone know whether Apple actually search through the installed directories of browsers, or just default locations?

    Boris dude, make aliases. Yes, it's bad practice for developers (or Apple) to assume that an app file will stay at a fixed path, but it's very common.

    Make your own apps folder, fill it with aliases, categorize them to your heart's content, and get on with your life.

  23. Re:One thing I'd like to know - where does it look by boristhespider · · Score: 1

    Obviously I could, and probably should, have done this, I agree. In future I think I actually will. It was just a lot quicker to quickly drag and drop things around in Finder than to make a load of links - well, by "a lot" I mean "marginally", but it was quicker. It also didn't occur to me that Apple might occasionally need to patch or scan application folders and might assume a set location...

    Pity you posted AC, any of those reading this with mod points should probably give you a few.