Slashdot Mirror


New Targeted Mac OS X Trojan Requires No User Interaction

An anonymous reader writes "Another Mac OS X Trojan has been spotted in the wild; this one exploits Java vulnerabilities just like the Flashback Trojan. Also just like Flashback, this new Trojan requires no user interaction to infect your Apple Mac. Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it 'OSX/Sabpab-A.'"

84 of 322 comments

  1. No user interaction by Anonymous Coward · · Score: 5, Funny

    So, what you're saying is, It Just Works?

    1. Re:No user interaction by firex726 · · Score: 2, Interesting

      It Just Gets Infected!

    2. Re:No user interaction by buchner.johannes · · Score: 5, Insightful

      Isn't a Trojan that requires no user interaction by definition a Virus?

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    3. Re:No user interaction by Mitchell314 · · Score: 5, Insightful

      Oh come on slashdot, I'm a mac fan and even I found this funny. No need to mod down.

      --
      I read TFA and all I got was this lousy cookie
    4. Re:No user interaction by Anonymous Coward · · Score: 5, Informative

      No, because you still have to navigate to a web site. It is a trojan because they need to entice you to do so.

    5. Re:No user interaction by ninetyninebottles · · Score: 5, Informative

      Isn't a Trojan that requires no user interaction by definition a Virus?

      Not really.

      Trojan - malware posing as legitimate software.

      Virus - malware that copies itself either replacing or attaching to legitimate software.

      Worm - malware that copies itself from system to system automatically without user interaction.

      This software seems to be automatically installed when the user follows a link in their Web browser, but there is no indication that it in any way sends more links to people. So this malware does not fit neatly into any of the common categories. "Virus" seems to be a catch all term these days so you might as well call it that.

    6. Re:No user interaction by Anonymous Coward · · Score: 4, Informative

      No, viruses propagate. Worms self-propagate.

    7. Re:No user interaction by Altieres+Rohr · · Score: 5, Informative

      The definition of worm is not "malware that copies itself from system to system automatically without user interaction". Worm is self-replicating code that uses a network, by some definitions, and, by others, a worm is any malware that spreads by itself but does not parasitize legitimate software (thus why "USB worms").

      Although the Morris worm did not require user interaction, this is not true of all future malware that would be considered a worm. Malware that copies itself to network drives, P2P software shared folders, or attaches itself to or sends e-mail, IM or IRC messages are all worms.

      As for trojans, any malware that does not replicate is a trojan. Back in the day, and even today, the only way to convince a user to run such software is by advertising it as another piece of software - thus why the trojan horse definition. Exploit code changed that, but they're all still trojans, and most still fall back to advertising themselves as a Flash player plugin or video codec when the exploit doesn't work. In any case, this new malware doesn't replicate, so it is a trojan.

      There is no malware category to describe code that requires no user interaction to run. Exploits, worms and viruses and trojans all can do it, but that's not required by their definitions.

      Reference: http://www.f-secure.com/en/web/labs_global/threat-types

    8. Re:No user interaction by ninetyninebottles · · Score: 5, Informative

      The definition of worm is not "malware that copies itself from system to system automatically without user interaction". Worm is self-replicating code that uses a network, by some definitions, and, by others, a worm is any malware that spreads by itself but does not parasitize legitimate software (thus why "USB worms").

      I worked in the security industry for many years and never heard anyone call something a "usb worm". If it is copying itself as the result of user interaction, we always called it a virus. If it spread on its own, it was a worm. The definition of "worm" you provide does not seem to differentiate itself from a virus in any way. Something that copies itself via shared disks is almost the classic poster child for a virus. The term originated talking about malware spread on floppies.

      Darn you kids and your newfangled definitions!

    9. Re:No user interaction by Altieres+Rohr · · Score: 4, Informative

      Mass-mailers requiring user interaction are called worms since forever. But many older worms used some form of exploit code, and Melissa was called a virus because it was actually an Office file infector (a macro virus). It's easy to see the reason for confusion.

      Love Letter was already being called a worm without exploiting any flaws back in 2000, though*, so was Sircam in 2001 and Bugbear/Thanatos in 2002. By the time Netsky, Beagle and Mimail were around, it was pretty clear a worm was any malware that replicated itself completely over a network and without the use of a host file. When USB drives became common, the term was used for those as well. Floppy viruses infected the boot sector ("infected" being the keyword); malware that spreads over USB just uses the Windows autorun function.

      Any malware parasite can infect a program that will end up in a USB drive, in the same way that the Parite virus ended up spreading over e-mail when it infected a copy of Beagle (IIRC). A USB worm specifically looks for connected USB drives and copies itself to them. There's a difference.

      * http://www.cert.org/advisories/CA-2000-04.html

    10. Re:No user interaction by Kalriath · · Score: 3, Insightful

      Perhaps, but if that link is to "ad.doubleclick.net" or "ad.yieldmanager.net" then no conscious interaction is required, a legitimate site can infect you just as easily.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    11. Re:No user interaction by mcneely.mike · · Score: 2

      JUST LIKE MY MOMMA!!!

      wait.... ahh, that came out all wrong.
      damn.

      --
      soylentnews.org Go there to enjoy the people!
  2. Missing from summary by dr2chase · · Score: 5, Informative

    from TFA: "if you’ve downloaded and installed the latest software updates from Apple that patch the Java vulnerabilities (or disabled Java), you’re safe" (for now).

    But it looks like the good times are over.

    1. Re:Missing from summary by slashmydots · · Score: 5, Insightful

      I didn't consider mac users lording their "super advanced security and magical virus immunity" as "good times." It's about time someone reminded them that Windows is far more secure, it's just targeted more. This is going to be the beginning of a long line of taking them down a notch.

    2. Re:Missing from summary by Anonymous Coward · · Score: 2, Interesting

      I didn't consider mac users lording their "super advanced security and magical virus immunity" as "good times."

      But we sure did!

    3. Re:Missing from summary by pushing-robot · · Score: 4, Insightful

      But it looks like the good times are over.

      At least until you remove Java (and preferably Flash and Acrobat Reader), or set plugins to click-to-run, or they finally implement signed apps and sandboxing (which Apple keeps delaying since developers keep screaming about it).

      It's ridiculous that all browsers don't require you to approve plugins, at least on a per-site level, but it's true there are still quite a few sites out there that break in strange ways if some hidden java or flash element fails to load. Still, I'd rather live with that than trust my computers' security to Adobe and Oracle.

      --
      How can I believe you when you tell me what I don't want to hear?
    4. Re:Missing from summary by Anonymous Coward · · Score: 2, Informative

      Any reason to worry or to have our belief in Java security shattered?

      Java has security?

    5. Re:Missing from summary by errandum · · Score: 4, Informative

      Well, the general idea is that they were very secure. Not too long ago I was modded into oblivion because I said windows is, by design, more secure than Mac OS. So obviously, I dropped the subject and never posted about it again.

      If no one is allowed to talk about it, the general impression will be that they are, indeed, more secure (at least here).

    6. Re:Missing from summary by Anonymous Coward · · Score: 5, Informative

      Is that Java security hole that we heard about over the last weeks Mac-specific or cross-platform? Any reason to worry or to have our belief in Java security shattered? Or just a conspiracy of several factors in the Mac environment?

      The malware writers could in theory do the same thing to Linux distros. However the openjdk and java on Linux is essentially different inasmuch as the methods to run and install to a user home directory a downloaded .so the way this malware does cannot happen on Linux distros, inasmuch as the user is the only one on Linux who can direct which binaries run from within a user profile at login.

      I know this is a mouthful for those who do not understand, but I would highly recommend looking into how exactly this malware works. Here is how the default set-up of OS X can be subverted to install a binary to a hidden user directory without user permission or knowledge. Then it downloads a binary which is really smart that will try to get user permission to install system wide, and if it does not receive this permission it just does it to the ill-informed Mac user without permission. With Linux the system would not allow a .so to be loaded to a user /home directory and then set it to run at login. This is the problem with Mac security; there is also a huge hole in the way binaries can run from within a /home at login without permission!

      Here is a run-down of how it works and why it will only work on Mac, because its method of infection does not require user interaction to install the payload to a user's home directory with Mac OS. However I have the feeling that this security nightmare will be addressed by the Apple coders simply by doing things the way most Linux distros do!

      From a CNET article:

      How does it work?

      The Flashback malware injects code into applications (specifically Web browsers) that will be executed when they run, and which then send screenshots and other personal information to remote servers.

      First step: Exploiting Java
      When you encounter the malicious Web page containing the malware and have an unpatched version of Java running on your system, it will first execute a small Java applet that when run will break the Java security and write a small installer program to the user's account. The program is named something like .jupdate, .mkeeper, .flserv, .null or .rserv, and the period in front of it makes it appear hidden in the default Finder view.

      In addition, the Java applet will write a launcher file named something like "com.java.update.plist", "com.adobe.reader.plist", "com.adobe.flp.plist" or even "null.plist" to the current user's ~/Library/LaunchAgents/ folder, which will continually launch the .jupdate program whenever the user is logged in.

      In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:

      • /Library/Little Snitch
      • /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
      • /Applications/VirusBarrier X6.app
      • /Applications/iAntiVirus/iAntiVirus.app
      • /Applications/avast!.app
      • /Applications/ClamXav.app
      • /Applications/HTTPScoop.app
      • /Applications/Packet Peeper.app

      If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.

      Second step: Downloading the payload
      When the jupdate program executes, it will connect to a remote server and download a payload program that is the
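
A defender-side check for the persistence mechanism the quoted write-up describes, added here as an example that is not from the original thread, CNET or F-Secure: it scans a home directory's Library/LaunchAgents for the launcher plist names listed above, for jobs that run one of the listed hidden installer names, and for any job whose program is a dot-prefixed file sitting directly in the home directory. The sample home directory and both plists are constructed inside the script; only the name lists come from the write-up.

```python
import plistlib
import tempfile
from pathlib import Path

# Launcher plist and installer names quoted from the CNET/F-Secure write-up above.
KNOWN_PLIST_NAMES = {
    "com.java.update.plist", "com.adobe.reader.plist",
    "com.adobe.flp.plist", "null.plist",
}
KNOWN_INSTALLER_NAMES = {".jupdate", ".mkeeper", ".flserv", ".null", ".rserv"}


def program_paths(job):
    """Return the executable path(s) a launchd job dictionary would run."""
    paths = []
    prog = job.get("Program")
    if isinstance(prog, str):
        paths.append(prog)
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        paths.append(args[0])
    return paths


def inspect_launch_agent(plist_path, home):
    """Return the reasons one LaunchAgent plist matches the described pattern ([] if clean)."""
    plist_path = Path(plist_path)
    home = Path(home).resolve()
    reasons = []
    if plist_path.name in KNOWN_PLIST_NAMES:
        reasons.append(f"launcher name {plist_path.name} is one reported for Flashback")
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception as exc:  # malformed XML, bad header, unreadable file
        # An agent launchd cannot parse is itself worth a look.
        return reasons + [f"unparseable plist ({exc.__class__.__name__})"]
    if not isinstance(job, dict):
        return reasons + ["plist root is not a dictionary"]
    for raw in program_paths(job):
        # Expand ~ relative to the home being scanned, not the scanner's own HOME.
        expanded = str(home) + raw[1:] if raw == "~" or raw.startswith("~/") else raw
        target = Path(expanded)
        if target.name in KNOWN_INSTALLER_NAMES:
            reasons.append(f"runs installer name {target.name} reported for Flashback")
        # The write-up describes a dot-prefixed binary dropped straight into $HOME.
        if target.name.startswith(".") and target.parent.resolve() == home:
            reasons.append(f"runs hidden file in home directory: {raw}")
    return reasons


def scan_launch_agents(home):
    """Map each suspicious plist name under <home>/Library/LaunchAgents to its reasons."""
    agents_dir = Path(home) / "Library" / "LaunchAgents"
    findings = {}
    if not agents_dir.is_dir():
        return findings
    for plist in sorted(agents_dir.glob("*.plist")):
        reasons = inspect_launch_agent(plist, home)
        if reasons:
            findings[plist.name] = reasons
    return findings


def build_sample_home():
    """Construct a throwaway home dir: one benign agent, one modelled on the write-up.

    Everything here is constructed for the example; the "installer" is an empty file.
    """
    home = Path(tempfile.mkdtemp(prefix="sample_home_"))
    agents_dir = home / "Library" / "LaunchAgents"
    agents_dir.mkdir(parents=True)
    with open(agents_dir / "org.example.sync.plist", "wb") as fh:
        plistlib.dump({
            "Label": "org.example.sync",
            "ProgramArguments": ["/usr/bin/rsync", "-a", "/src", "/dst"],
            "StartInterval": 3600,
        }, fh)
    dropped = home / ".jupdate"          # hidden installer name from the write-up
    dropped.write_bytes(b"")
    with open(agents_dir / "com.java.update.plist", "wb") as fh:
        plistlib.dump({
            "Label": "com.java.update",
            "ProgramArguments": [str(dropped)],
            "RunAtLoad": True,           # start at login ...
            "KeepAlive": True,           # ... and relaunch whenever it exits
        }, fh)
    return home


if __name__ == "__main__":
    for name, why in scan_launch_agents(build_sample_home()).items():
        print(name)
        for reason in why:
            print("  -", reason)
```

Point scan_launch_agents at a real home directory to check it; the name lists are only the ones quoted above, so the hidden-file-in-home rule is the part that generalises.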

    7. Re:Missing from summary by dr2chase · · Score: 4, Insightful

      It WAS cross-platform (in theory). Apple was slow to release a patch, everyone else (who was up to the latest rev of Java) is fine, because non-Apple Java had a patch for this before the Trojans were deployed.

      Java has a better in-theory story than most things exposed to the web because it is (by design) invulnerable to buffer overruns. In practice, however, it uses native libraries for some important stuff, and those have the buffer overrun problem. I don't know the details of this bug, however. I find the seemingly neverending stream of vulnerabilities in everything to be more than a little depressing.

    8. Re:Missing from summary by ninetyninebottles · · Score: 2

      Is that Java security hole that we heard about over the last weeks Mac-specific or cross-platform? Any reason to worry or to have our belief in Java security shattered?

      It was cross platform. Oracle seems to have fixed it in the Windows version of Java quite a while ago, then more recently in the Mac version, although that last point seems to be a matter of contention between Apple and Oracle.

    9. Re:Missing from summary by ColdWetDog · · Score: 2, Funny

      Group hug for the unhappy, disaffected AC!

      We love you!

      --
      Faster! Faster! Faster would be better!
    10. Re:Missing from summary by Billly+Gates · · Score: 3, Informative

      I have said this before here and will say this again.

      For the Tech Support pros reading this
      1. Use FoxitPDF or Sumatra PDF. They will at least prompt you before blindly opening a PDF from a website and executing it in no sandbox with full javascript unlike Adobe Reader.
      2. If you must support Java for corporate users create a GPO that enforces Java in Intranet only! No internet zone java if you must use crappy Kronos or ADP apps. If the users need Java in IE for an external site add it to a special custom security zone.
      3. Use Chrome. It has its own PDF reader, does not support Java, and updates flash automatically without user interaction
      4. Use Flashblock and keep it for sites like Pandora or youtube if you support home users or need training sessions in youtube for work.
      5. Use antivirus software. They are getting much better and no longer slow your whole computer down so much. Even the latest Norton is as light as MSE which is shocking! If you are one of the smirk users who are proud that you are virus free I have to say you're an idiot and infected. How? Last week malware was hosted right here on slashdot in an ad! If you came to slashdot last weekend or before you are infected. Avast! and MSE are both free and pretty decent and only add a few seconds more of boot time.

      Java is not going away and neither is flash nor pdfs. Follow the above steps and you take care of 85% of all security issues unless you run unpatched Windows. I use Java for Eclipse and have Java disabled in all my browsers. Disable it in IE even if you do not use it. Some exploits may call to IE helper objects to execute so it's a good idea anyway.

      If you do IT and do not follow all of these procedures you are lazy, and so many are, as many get constant support calls for fake virus scans and slow computers through constant infection from running unpatched old versions of flash, java, and Windows. If you must run insecure old java then do it right and disable it from all sites except Kronos and ADP. That is it! Your infections will drop to near zero.

    11. Re:Missing from summary by Anonymous Coward · · Score: 2, Insightful

      20-30 new viruses a day for Windows, 1 virus for the Mac in 10 years, shows Windows is more secure?

    12. Re:Missing from summary by Anonymous Coward · · Score: 3, Insightful

      This is going to be the beginning of a long line of taking them down a notch.

      What? really? So just because someone uses a Mac instead of Windows means they somehow think they are superior to you? I'm sure there are some people that use Mac that think they are superior but that doesn't mean that everyone using a Mac thinks that. So how about you get off your high horse and stop condemning people based on what OS they choose. I personally prefer Mac OS to Windows. I grew up on Windows from Windows 3.1 to Windows Vista. For me, Mac OS is far more intuitive and streamlined. When I think of Windows I think of Menus and Folders. When I think of Mac I think of Apps and Documents. But I saw the preview of Windows 8 and it looks like they're really working on fixing that. I may switch back one day. But I don't think Mac is inherently better. Just different. I do think it's more secure though. Simply because they're far more locked down in their hardware. Windows is designed to work with almost anything which leaves a lot more room for errors to exploit.

    13. Re:Missing from summary by wmbetts · · Score: 3, Informative

      All current versions of OSX are 100% UNIX. It received its certification in 07 if I remember correctly.

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    14. Re:Missing from summary by wmbetts · · Score: 2

      Blah, I should have looked it up before posting. OSX version 10.5 and higher running on Intel processors are UNIX 03 certified.

      http://en.wikipedia.org/wiki/Single_UNIX_Specification#OS_X

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    15. Re:Missing from summary by Anonymous Coward · · Score: 2, Insightful

      It's called the beginning of the Bell Curve. There's a sweet spot coming up. A real white knuckle ride.

    16. Re:Missing from summary by Centurix · · Score: 5, Funny

      Two ints and a float are in a bar. They spot an attractive double on her own.
      The first int walks up to her. “Hey, baby”, he says, “my VM or yours”. She slaps him and he walks back dejected.
      The second int walks over. “Hey, cute-stuff, can I lick your Bean?”. After a quick slapping, he too walks back.
      The float then ambles over casually. “Were those two primitive types bothering you?”, he remarks.
      “Yes. I’m so glad you’re here”, she says. “They just had no Class!”

      Borrowed from somewhere else...

      --
      Task Mangler
    17. Re:Missing from summary by jedidiah · · Score: 3, Interesting

      The malware writers could in theory do the same thing to Linux distros. However the openjdk and java on Linux is essentially different inasmuch as the methods to run and install to a user home directory a downloaded .so the way this malware does cannot happen on Linux distros inasmuch as the user is the only one on Linux who can direct which binaries run from within a user profile at login.

      If you are able to alter the user's files, then you can pretty much do anything you want with their account. The trick is just figuring out how to do so based on whatever GUI they happen to be running. For Macs there just happens to be a single approach. There's no reason this approach couldn't be tailored to Linux and sort itself out with GNOME and KDE. If there's a similar autostart mechanism, then the virus can just manipulate that.

      At the very least, it could install itself at the end of .login or .bashrc.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    18. Re:Missing from summary by Atzanteol · · Score: 4, Informative

      And it was patched much faster by Oracle and pushed out quicker by the Java install because Microsoft doesn't have insane control issues like Apple does.

      --
      "Ignorance more frequently begets confidence than does knowledge"

      - Charles Darwin
    19. Re:Missing from summary by SiMac · · Score: 3, Informative

      I'm not sure what you're talking about here. If you have access to a user's account, you can set a binary to run when a user logs in on Linux without administrator privileges. You can call gksudo to put up a dialog asking for administrative privileges so you can modify other users' files as well, or just put up the dialog yourself and hope the user enters their password. This is exactly the same level of security as on OS X. If there's a reason this doesn't work on Linux, you have not communicated it.

      It's unclear to me where the .so comes in, as opposed to a regular binary, but you are aware that you can set LD_PRELOAD and LD_LIBRARY_PATH to whatever you want, right?

    20. Re:Missing from summary by thestuckmud · · Score: 5, Funny

      I think about Apple's insane control issues every time I have to re-install OS X (which I did once for testing purposes). My outrage at not being required to type long registration codes and then have the OS phone home for validation is unspeakable.

    21. Re:Missing from summary by SplashMyBandit · · Score: 2, Interesting

      Funny thing is, these exploits are not 0-day. Oracle patched the Java they control. It was Apple (as you correctly pointed out) who dropped the ball (both the hole in the Mac OS user abilities *and* not patching Java).

      It is a real shame Apple hate Java with a passion. It makes sense since Java can and does run well everywhere it is permitted to - but Steve Jobs wanted to silo Apple, so he could make more money (didn't extend his life though [too soon?]). As a developer that attitude really pissed me off, I can write software in Java that runs wonderfully in Windows and Linux, but I'm limited to older officially-supported versions of Java (eg 6 rather than 7) on my (otherwise wonderful) MacBook Pro and not at all on my iPhone.

      Apple are wankers in this regard. Tidbit: IIRC the earlier iPhones had JVMs in hardware (part of the chipset the phones used - as did many Java enabled phones a few years ago). Apple had to spend development effort to block the Java capabilities on the phones. They cited Java as being insecure (same with Flash) when this example clearly shows that the security problem is Apple's (since Oracle could repair Java vulnerabilities very quickly for Windows and Linux).

    22. Re:Missing from summary by mbadolato · · Score: 4, Insightful

      Not to mention that horrendous experience of connecting a backup hard drive, waiting 30 minutes then have the new OS installation reboot and be exactly how I had everything before doing a reinstall. That moronic process forces me to not waste 10 hours reinstalling everything, every time. Bastards.

    23. Re:Missing from summary by Guy+Harris · · Score: 4, Informative

      Blah, I should have looked it up before posting. OSX version 10.5 and higher running on Intel processors are UNIX 03 certified.

      http://en.wikipedia.org/wiki/Single_UNIX_Specification#OS_X

      Actually, OS X 10.5 and 10.6 running on Intel processors are UNIX 03 certified, but 10.7 isn't.

      But you were probably responding to the poster distinguishing between "OS X" and "UNIX". The problem is that "UNIX" can either mean "an operating system from AT&T^WNovell^WSCO with "UNIX" in its name" or "a specification for operating system APIs and commands". The UNIX trademark refers to the latter, and, in that sense, "UNIX" is not an operating system, it's a specification, and it's not clear what it would mean to have malware targeted at it, unless the malware is portable malware that only uses Single UNIX Specification APIs.

    24. Re:Missing from summary by symbolset · · Score: 2

      The bad guys are definitely after Apple and Android now. They had better not get caught with corporate sponsorship or things will go very badly.

      --
      Help stamp out iliturcy.
    25. Re:Missing from summary by Guy+Harris · · Score: 3, Informative

      Putting an @reboot entry in the user's crontab would start anything you want when the machine boots, without the user even logging in.

      ...and would do so not only on OS X, but on many Linux distributions and FreeBSD and NetBSD and OpenBSD and....

    26. Re:Missing from summary by kestasjk · · Score: 4, Informative

      Here, or here. They qualify it a bit more accurately now, for obvious reasons, but people really did claim immunity.

      --
      // MD_Update(&m,buf,j);
    27. Re:Missing from summary by bryan1945 · · Score: 5, Funny

      I look down, and realize my dong is long enough not to care about anyone else's insecurities.

      --
      Vote monkeys into Congress. They are cheaper and more trustworthy.
    28. Re:Missing from summary by Glarimore · · Score: 3, Informative

      I reformat my PC once a year on the off chance there is something going on I'm not aware of... and it never takes me more than an hour and a half to do so.

    29. Re:Missing from summary by errandum · · Score: 4, Interesting

      I assume you are talking about Time Machine. I've lost more than one "whole install" to corrupt time machine backups. Worse, one of the computers wouldn't even boot after it. It was a new computer; changed it for another, same thing - just ended up restoring my documents only and losing a shitload of things in the process.

      And FYI, windows also does the time machine thing, they just don't call it "time machine" and don't make it a default option. It's a tool that you need to decide to use and it'll freeze your current computer state into an external hard drive or DVDs.

      The idea of the Time Machine is good, but it's not well executed. From deleting old backups automatically for space (I might want to save some of those old things) to using an nth degree differential backup that depends on the root and the entire backup tree to work... Each time it runs you risk corrupting something so bad the backups will be worthless. I'd rather Apple would let me choose folders and just do full zipped/encrypted copies of those I choose. Time Machine just lulls most into a false sense of security.

    30. Re:Missing from summary by Anonymous Coward · · Score: 3, Funny

      IE: OSX is about to enter its Win98 era.

      I wouldn't believe anything you hear from Internet Explorer.

    31. Re:Missing from summary by Tom · · Score: 2

      I said windows is, by design, more secure than Mac OS

      Comparing apples and oranges. Different approaches in security seldom compare naively along one axis. There are many good approaches in windows, and many good approaches in OS X (it hasn't been called Mac OS for a decade now, maybe if you'd get up to speed...)

      The issue is more often implementation, where both MS and Apple blunder. But don't forget that it took a decade of heavy fire from pretty much everyone before MS finally woke up and put a focus on security. Before that, their crap contained the most shoddy fuck-ups you can imagine and more. I sincerely hope that Apple doesn't require that kind of wake-up call. But they definitely need one, given that they don't even use, say, sandboxing on all of their own applications.

      --
      Assorted stuff I do sometimes: Lemuria.org
    32. Re:Missing from summary by Tom · · Score: 2

      "To install this virus, run ./configure && make & make install" :-)

      --
      Assorted stuff I do sometimes: Lemuria.org
    33. Re:Missing from summary by Richard_at_work · · Score: 3, Informative

      Really, they don't need a wake up call?

      In security update 2012-001 there are 36 patched issues, almost all of which are labelled "may lead to the disclosure of sensitive information", including one TimeMachine issue where a remote attacker could gain access to backups...

      And I'm a Mac user and Apple liker!

    34. Re:Missing from summary by TheRaven64 · · Score: 4, Informative

      It is a real shame Apple hate Java with a passion. It makes sense since Java can and does run well everywhere it is permitted to - but Steve Jobs wanted to silo Apple, so he could make more money

      Wow, someone doesn't remember history very well. NeXT rewrote some of their core products (e.g. WebObjects) in Java, replacing the Objective-C version. When OS X launched, Java was one of three first-class development environments (ObjC/Cocoa and C/Carbon being the other two), including a set of Cocoa bindings for better integration with the host environment. It had a few tricks that weren't present in other JVMs at the time, such as the ability to have only one copy of the standard classes in memory even if you had multiple Java applications running. This code was eventually contributed upstream by Apple and is now present in the official JRE.

      The Cocoa/Java ('Mocha') bindings were eventually deprecated because no one was using them.

      IIRC the earlier iPhones had JVMs in hardware

      The original iPhone had an ARM11 core with Jazelle, but even that doesn't mean 'JVM in hardware' that they had to 'spend development effort to block'. It means that it had hardware that executed a subset of Java bytecodes directly and trapped to a VM for the rest. To support it they would have had to:

      • Pay a license to ARM and Sun for every iPhone (the Jazelle stuff is disabled by default and must be licensed separately).
      • Port the Jazelle VM to iOS.

      They spent effort in not doing this in the same way that I spent effort in not porting Java to BeOS.

      The later iPhones have a Cortex A8 processor. The Jazelle mode in all of these chips does not exist. If you try to enter Jazelle mode, you get an error and return to ARM or Thumb mode. Thumb-2EE mode is supported, but that's just a few small extensions to Thumb-2 mode to make it a slightly more useful target for JIT compilers for Java-like languages. If they had originally supported Java, then they would have needed to spend more time and money porting a different VM to iOS for the newer devices and a lot more time testing that the pure software VM worked the same way as the hardware one.

      Oh, and on devices with more than about 32MB of RAM, the hotspot JIT actually runs faster than the Jazelle VM, so using Jazelle on the iPhone would have been entirely pointless.

      --
      I am TheRaven on Soylent News
    35. Re:Missing from summary by kybred · · Score: 2

      The idea of the Time Machine is good, but it's not well executed. From deleting old backups automatically for space (I might want to save some of those old things)

      If you have something you want to keep, keep it. Don't depend on TM to know that you want it. The deleting old backups is a tradeoff; would you rather it fail to run a new backup due to lack of space?

      to using an nth degree differential backup that depends on the root and the entire backup tree to work...

      That's not the way TM works. No diffs are involved at all. It creates hard links to files/folders that didn't change since the last backup. You can delete older backups and files in it that have hard links from newer backups will be retained.

      Each time it runs you risk corrupting something so bad the backups will be worthless. I'd rather apple would let me chose folders and just do full zipped/encrypted copies of those I choose. Time Machine just lulls most into a false sense of security

      I won't dispute that TM can get corrupted. But you certainly can set up your own backup mechanism of files of your choice.

    36. Re:Missing from summary by Tom · · Score: 2

      X is part of the name and has always been. The official name used to be "Mac OS X" until recently, and the upcoming version is officially named just "OS X":

      http://www.theverge.com/2012/2/16/2802281/apple-officially-renames-mac-os-x-to-os-x-drops-the-mac

      --
      Assorted stuff I do sometimes: Lemuria.org
    37. Re:Missing from summary by GizmoToy · · Score: 2

      The X has only been applicable since Mac OS has been on version 10. The X certainly wasn't part of the name when it was Mac OS 7, Mac OS 8, or Mac OS 9. Apple's been using Mac OS as the operating system name, followed by a version identifier, for over 15 years.

      It does look like you're right in that Apple's not using the Mac part going forward, though, probably in preparation for further merging of iOS and OS X.

    38. Re:Missing from summary by TheRaven64 · · Score: 3, Insightful

      Why would they? If you are going to use Java you use Swing or AWT or SWT. Using Apple-specific bindings makes zero sense if you are going to use Java (kinda defeats the purpose of "write once, run anywhere" which actually does work if you know what you are doing).

      And that's how you end up with crap applications. Good cross-platform applications are MVC with a different UI for each platform. Even the Swing documentation agrees with this, and recommends that you use a native look and feel. If you've got a Java application then you could add a Mac GUI that would use native widgets and behaviours everywhere (you could even get your Mac UI specialist to draw it in Interface Builder), but still reuse the same model code that you used on other platforms.

      Two things: first, plenty of people still have devices with less than 32 MB of RAM and this was certainly the case when early devices are used

      Irrelevant. No one has an iPhone with under 32MB of RAM. The existence of devices under 32MB has no bearing on the

      Secondly, Apple in its egocentricity decided to support neither

      They also chose not to port Mono. Or any other VM environments. They let you run binaries (although they did restrict this in the developer license for a while), so as long as your language of choice can generate ARM assembly it will run. The egocentricity seems to be more on your part, deciding that Apple needs to pay to have the runtime for your favourite language ported to their platform.

      Universal cross-platform was slowly becoming a reality but thanks to Apple (iOS) and Microsoft (XBox) they are trying to silo again. For *users* it is a step backwards, not forwards.

      No, for users cross-platform applications that had a non-native look and feel were a step backwards. Java applications on OS X often can't even get text boxes right - the shortcut keys for navigating in a text field are different to every other application that the user uses on the platform - and things like menu layouts are also unconventional. How is that good for the user? Users benefit from good ports, not from half-arsed recompile-and-ship jobs. Or, in the case of Java, skipping even the recompile step.

      --
      I am TheRaven on Soylent News
    39. Re:Missing from summary by SplashMyBandit · · Score: 2

      > And that's how you end up with crap applications.
      Bullshit. I thought this 'native look n feel' myth had been thoroughly debunked by now by developers in the know. There are plenty of applications with a native look-n-feel that are crap. There are plenty of applications (more, in fact, as time goes by) that don't have native look-n-feel that are thoroughly excellent. Self-consistency and meeting expectations for application type matters far more than the niceness of integration that comes from just using native widgets.

      > Irrelevant. No one has an iPhone with under 32MB of RAM. The existence of devices under 32MB has no bearing on the
      Totally relevant when the decision was made. And if I accept your argument, then there was no real reason not to allow someone to port Java to the iPad (and later iPhone) except for Apple's corporate politics. Instead Apple have decided to take a totalitarian route (which, incidentally, seems to be abused to stop competition more than any supposed benefits of the iron fist). I'm an Apple user and I love their gear but hate their attitude.

      > Java applications on OS X often can't even get text boxes right - the shortcut keys for navigating in a text field are different to every other application that the user uses on the platform - and things like menu layouts are also unconventional.
      This I agree with. However, don't throw the baby out with the bathwater; Apple did have the leeway over their own VM to fix it - after all, they insisted on maintaining their own VM rather than letting Sun (and now the community with OpenJDK) sort it out. What I'm trying to point out is that it is Apple's policies that are preventing Java from working on iOS (and Java could be made to be great on that platform - the problem is not the technology, it is the evil gatekeeper).

      With regard to Mono, that's a non-argument since the .NET libraries are not intended to be cross-platform. What I'm trying to say is that Apple is against cross-platform, and cross-platform is good. Disagree?

      > The egocentricity seems to be more on your part, deciding that Apple needs to pay to have the runtime for your favourite language ported to their platform.
      Apple don't have to pay for anything - that is just the apologies of a fanboi. All they would have to do is get out of the way and let the community sort it out (OpenJDK manages to get a lot of places without Microsoft or Linus funding anything). iOS is not really that much different to OS X after all. Do you really think that if Apple got out of the way that the community would have the inability to make a good Java version for iOS?

  3. Contradiction by Hercules+Peanut · · Score: 2
    I understand the purpose and value of malware protection but from the article we first read:

    The Java exploits appear to be pretty standard, but have been obfuscated using ZelixKlassMaster to avoid detection by anti-malware products.

    then

    This Trojan further underlines the importance of protecting Macs against malware with an updated anti-virus program as well as the latest security updates.

    Doesn't that seem to come off as a slightly counter-intuitive statement? Is it unreasonable to come away from this article asking yourself "Why buy anti-virus when the malware just avoids it anyway?"

    1. Re:Contradiction by ninetyninebottles · · Score: 5, Informative

      This Trojan further underlines the importance of protecting Macs against malware with an updated anti-virus program as well as the latest security updates.

      Doesn't that seem to come off as a slightly counter-intuitive statement? Is it unreasonable to come away from this article asking yourself "Why buy anti-virus when the malware just avoids it anyway?"

      It is trying to hide its similarity to other malware so that a new signature is needed to detect this specific variant. So while anti-virus programs may not detect this now, within a few days they probably will, at least until there is yet another variant. Apple is, of course, including their own signatures right in the OS so that makes antivirus less attractive as well, although Apple's response time has been hit and miss.

    2. Re:Contradiction by Billly+Gates · · Score: 2

      A good anti virus software package will look for apps with strange behaviors and sandbox or block them.

      For shits and kicks: a weird download happened automatically from the PirateBay yesterday. I ran it through a VirtualBox and even though Avast! did not pick up the malware signature it did flag it and immediately sandboxed it, as it said its behavior was typical of trojans and malware. I was impressed.

      I know some slashdotters with very outdated 1990s knowledge who think you are fine without any anti-virus package as long as you do not click attachments; they are in for a rude awakening. Even slashdot hosted malware in an ad about 2 weekends ago!

      Anyway Norton is available for macs and Avast has a beta for IOS and MacOSX. I would recommend any mac user to use either one. You need more than a scanner to remain secure today and no platform that can execute data and use ram can ever be secure.

  4. Apple Culture by ninetyninebottles · · Score: 5, Interesting

    I hope the recent rash of Malware for the Mac will serve to change the culture of security at Apple. They have a lot of really good technology in that regard and many very good coders who work with security as a priority (they have a lot of oldschool UNIX guys these days). The problem is, it is not a priority for Apple or part of their culture. Some Apple software ships with what looks like no security review at all and no real consideration, while other software clearly was architected with that as a design goal.

    They have some very nice sandboxing, but they don't apply it very widely within OS X, even when there is no pain to the user or developer. It is like they just don't want to spend money and resources on that sort of hardening. You send a security hole to Apple and sometimes you hear back the next day and it is fixed in short order. Other times you hear nothing or malware is known and spreading for weeks before Apple bothers to issue a filtering signature.

    Hey Apple! Wake up and smell the coffee. Dump some of your cash reserves into expanding work in security and having some experts paying attention and getting things done. "Think Different" about security and listen to the people you already have that have created groundbreaking security systems elsewhere.

    1. Re:Apple Culture by TrekkieGod · · Score: 4, Insightful

      Why? Why would Apple want to do this, aside from some insane take over the world theory? They are certainly pushing for signed applications running in nice sandboxes and they're using the Mac store as one way to do it, but why would they want to disable other applications entirely?

      To charge their customary 30% for every Mac OS X application?

      I don't think Apple is using malware to push for the walled garden (it's bad PR; it's more likely to push people away from the OS entirely). They'd much rather continue their "You don't have to worry about viruses with our super-secure OS!" marketing approach. That said, I do believe they'd love to have Mac OS X as controlled as iOS, if they could figure out how to get away with it.

      --

      Warning: Opinions known to be heavily biased.

    2. Re:Apple Culture by ninetyninebottles · · Score: 2

      Why? Why would Apple want to do this, aside from some insane take over the world theory? They are certainly pushing for signed applications running in nice sandboxes and they're using the Mac store as one way to do it, but why would they want to disable other applications entirely?

      To charge their customary 30% for every Mac OS X application?

      If money is the motive, you should know they make so little on both stores put together (including music and movie sales) that it is barely a blip on their radar. Apple is a razor not a blade business model. The stores are purely there as ways to make hardware more attractive and increase hardware sales.

    3. Re:Apple Culture by toriver · · Score: 2

      ... and if you buy an "application" in any other store, do you think the store does not take a cut? They could have made Mac OS into a controlled OS years ago if that was their goal. But they are probably getting pissed at these third-party runtimes (slow Flash, buggy Java) that screw things up.

  5. Disable Java by sqrt(2) · · Score: 2

    Unless you know you need Java, disable it. Also, install something like Noscript for whatever browser you use. You'll be safe then, at least against the types of attacks we've been seeing.

    I don't recall there ever being a self-replicating worm for a *nix platform that could infect you just by being unpatched and connected to the network; please correct me if I'm wrong. You have to actually navigate to an infected site for these trojans to get you.

    --
    If you build it, nerds will come. Soylentnews.org
  6. Market share by devleopard · · Score: 3, Insightful

    This is inevitable, and will continue. OS X has gone from 2% to an estimated 14% market share since 2003.

    Android has something like a 47% share in the smartphone space... and there's a report of malware weekly.

    I think it's fair to say that it's easier to find a hole (ugh, here comes the 12 year-old humor) than to imagine all the ways people might come up with. You simply need a large enough target to make it worth their while.

    --
    The best thing about a boolean is even if you are wrong, you are only off by a bit.
    1. Re:Market share by ModernGeek · · Score: 4, Insightful

      Mac OS 9 had a smaller install base than current Mac OS X and was constantly riddled with viruses. I don't think that market share alone determines whether or not something ends up riddled with viruses. That being said, Apple has been particularly lax about security these last three years.

      --
      Sig: I stole this sig.
    2. Re:Market share by Tom · · Score: 2

      I am skeptical of the causal relation between marketshare and malware share. It has been thrown around as an argument for more than a decade, but there is little evidence for it. At the very least, the correlation is weak, as the rise in malware seems to come at arbitrary times in arbitrary bursts. Unless you postulate that somehow 14% is a magical number, plotting the curves would show they demonstrate no similarities.

      I am not saying that market share is not a factor - few malware targets NetBSD or BeOS or any of the other obscure OSes with a market share barely visible under a microscope. However, market share is at best one of many interacting factors. The most important consequence is that you can not predict the future trend from market share alone, not even broadly. If the OS X market share doubles over the next two years, the amount of malware could stay almost equal, it could double, triple or explode by several orders of magnitude.

      --
      Assorted stuff I do sometimes: Lemuria.org
  7. Rubbish names. by mr_lizard13 · · Score: 5, Funny

    Kaspersky refers to it as 'Backdoor.OSX.SabPub.a' while Sophos calls it at 'SX/Sabpab-A.'

    Those names are very un-Apple. How about just 'iTrojan'.

    Or, to avoid confusion with the previous trojan...

    'The New iTrojan.'

    --
    "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
  8. My semi-regular Mac accounts post by 93+Escort+Wagon · · Score: 4, Informative

    Mac users need to stop running their day-to-day stuff under Administrator accounts. Create a new account (if your account is "joe", call this new one "joe_admin"); give it admin permissions; make sure you can log in with it; then (and ONLY then!) remove the admin permissions from your personal account. And then... keep using the same account you've always been using.

    On those rare occasions you need to use admin permissions - such as when you are installing software - you'll be prompted to authenticate as an admin, just like you already are. The only difference is you'll need to type that new admin account's name ("joe_admin") into the authentication window rather than use your own account. It's brain-dead simple.

    The reason for this (in case you're saying "but the Mac already warns you to authenticate, why bother?") is, when your account is an admin account, you're in the "admin" group (duh). The "admin" group has write permissions into the /Applications and /Library folders. All a bad guy needs to do to get around those authentication warnings is to invoke a bash script (or Applescript or whatever) that makes the necessary changes outside of the GUI.

    If you're not running as an admin, a malicious script can still theoretically mess with your personal files and folders; but not the system-level ones.

    --
    #DeleteChrome
    1. Re:My semi-regular Mac accounts post by Billly+Gates · · Score: 2

      This can be installed with just a user account too. It's a memory corruption bug, so it simply injects itself into processes already running as admin through local privileges. However, the last malware would still run under a user account, but the malware could be easily deleted by deleting the account. Still, with more code it can infect key system files.

      User privileges only add another step and are not foolproof.

    2. Re:My semi-regular Mac accounts post by 93+Escort+Wagon · · Score: 2

      No, the Linux model is closer to what I described - you're not in any privileged group, and you have to be explicitly added to /etc/sudoers before you can use sudo. OS X adds admin accounts to sudoers by default (not really a big deal, in all likelihood; but it'd be better to make that an explicit option).

      One example: Look at /Library - anything in there that's writeable to group "admin", you can get into without any confirmation. /Library/Fonts, for example - you can silently add files in there, at least in 10.6.8 (try it - if you're an admin, just use "touch" to create a file in there, then delete it - e.g. "touch foobar"). And remember, font engine exploits have happened in the real world (Duqu). You might have to sequence a couple exploits together; but that's a pretty common practice nowadays.

      BTW you can manually add your non-privileged account to /etc/sudoers without it getting overwritten as other accounts come and go - it's what I've done for years on my various Mac laptops.

      --
      #DeleteChrome
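      The two checks the post above (and the original "admin group can write into /Library" post) describe, as an added shell example that is not from this thread: it lists every directory under a tree that a named group can write into, and reports whether the current user is in that group. It assumes a find(1) that accepts the symbolic "-perm -g+w" form, which both GNU find and the BSD find on a Mac do; the tree and group name are arguments, so on a Mac you would pass /Library and admin.

```shell
#!/bin/sh
# Added example, not from the thread: audit which directories under a tree are
# writable by a given group and report whether the current user is in it.
# On a Mac:  sh audit_group_writable.sh /Library admin
# Assumption: find(1) accepts "-perm -g+w" (GNU find and macOS/BSD find both do).

# Succeed (exit 0) if the current user is a member of group $1, else fail.
in_group() {
    for g in $(id -Gn); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Print, one per line, every directory under $1 that group $2 can write into.
# A user in that group can drop files there with no authentication prompt,
# which is the point the posts above make about /Library/Fonts.
# Errors (unreadable subtrees) are silenced so the list stays machine-readable.
group_writable_dirs() {
    root="$1"
    grp="$2"
    find "$root" -type d -group "$grp" -perm -g+w 2>/dev/null | sort
}

# Human-readable report: membership status first, then the directory list,
# then a count so an empty result is visible too.
audit_group_writable() {
    root="$1"
    grp="$2"
    if in_group "$grp"; then
        echo "user $(id -un) IS in group '$grp': writes below need no prompt"
    else
        echo "user $(id -un) is not in group '$grp': these are protected from it"
    fi
    # while/read (not a for loop) so paths with spaces stay intact
    group_writable_dirs "$root" "$grp" | while IFS= read -r d; do
        printf '  %s\n' "$d"
    done
    n=$(group_writable_dirs "$root" "$grp" | wc -l | tr -d ' ')
    echo "$n group-writable director(ies) under $root"
}

# Stand-alone use: sh audit_group_writable.sh <tree> <group>
if [ $# -eq 2 ]; then
    audit_group_writable "$1" "$2"
fi
```

      Run it once from your personal account and once from the separate admin account: the directory list is the same, but only the admin run reports that writes need no prompt.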
    3. Re:My semi-regular Mac accounts post by mjwx · · Score: 3, Funny

      Mac users need to stop running their day-to-day stuff under Administrator accounts. Create a new account (if your account is "joe", call this new one "joe_admin"); give it admin permissions; make sure you can log in with it; then (and ONLY then!) remove the admin permissions from your personal account. And then... keep using the same account you've always been using.

      Mac Users put things like this in the "too hard" basket. Macs are simple, easy to use and Automagically Secure(TM), and how dare you suggest they do something as complex and take responsibility for themselves. Who do you think they are, Windows users?

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    4. Re:My semi-regular Mac accounts post by shutdown+-p+now · · Score: 2

      Given that you can run binaries from ~, I don't see how it'd give you much protection against this kind of thing - it can still install itself there, and add itself to your own (rather than system-wide) autorun scripts. That's good enough for a worm, especially if its sole reason for existence is to make your machine part of a botnet.

    5. Re:My semi-regular Mac accounts post by ToasterMonkey · · Score: 2

      If you're not running as an admin, a malicious script can still theoretically mess with your personal files and folders; but not the system-level ones.

      What does this matter on a single user system?

      Everything of value is owned by that user anyway.

      On a multiuser system, for protection, yes, all user accounts should be isolated from each other as much as possible, but most macs are single user I imagine.

  9. Use Chrome and "Click to play" for plugins by oberhaus · · Score: 3, Insightful

    This attack is done by taking advantage of an exploit in the Java plugin. There are also lots of exploits in Flash (unless they have all been found and fixed...) You should try using Chrome and Click to Play: https://plus.google.com/118187272963262049674/posts/Mmgbr3BcYWb

  10. Just be sure not to panic & delete the wrong f by Kenja · · Score: 5, Informative

    You are looking for com.apple.PubSabAgent.pfile & com.apple.PubSabAGent.plist and NOT com.PubSubAgent.plist or com.PubSubAgent.pfile.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  11. Re:Those idiots at Microsoft by sqrt(2) · · Score: 2, Informative

    This is a flaw in Java, which isn't an Apple or "Unix" product. Apple is only responsible for it insofar that they bundle Java with their OS, which is going to end with their next major release of OS X.

    --
    If you build it, nerds will come. Soylentnews.org
  12. Fix Available by Frankie70 · · Score: 5, Funny

    Fix available here.

    1. Re:Fix Available by Anonymous Coward · · Score: 5, Insightful

      pfft, out of the frying pan, into the blazing inferno of thrown chairs.

      Better fix here.

    2. Re:Fix Available by Anonymous Coward · · Score: 5, Funny

      Good point, a Mac user is already used to not being able to use any of the software his friends do.

  13. Well, I just disabled my Java plugin by gman003 · · Score: 2

    Guess it's time to start treating my Mac computers the same way I treat my Windows computers - in need of extra care and protection against external attacks.

    And so I've just disabled my Java and Quicktime plugins. Java because that's where all the current attacks are focused (and I never use it anyways), Quicktime because I never use it, either, and a smaller attack area is always good. I still visit enough sites that I need Flash enabled, but that's currently my only plugin (and protected by some heavy blocking rules).

    I'll also be much more strict about keeping everything up-to-date, and all the other basic security practices.

    Next, guess I need a basic virus-scanner. The only GPL one I see is Clam, which, last time I used it, was completely ineffective at stopping viruses. The one I use on Windows, MSE, is naturally not available on the Mac. So, any suggestions?

  14. Java sucks by JDG1980 · · Score: 2, Insightful

    A large part of the blame for this rests on Sun/Oracle's idiotic decision to install the browser plugin by default when the Java runtime is installed.

    Most users don't need Java at all. Of those who do, a majority of them don't need it in the browser. And of those who do need it in the browser, they only need it for a small handful of websites, not any and every site on the entire WWW. What should happen is that Java installs by default for desktop applications only with no browser plugin. If the browser plugin IS enabled, then by default it should work only on explicitly whitelisted sites or domains, not everywhere. Of course, there should be methods for system administrators to roll out custom whitelist configurations to users in bulk. But apparently no one at Oracle has heard of the principle of least privilege, so we get crap like this every couple of months.

    If you have Java, please reevaluate whether or not you really need it. If you do need it, but only for desktop apps (and/or development) and not for browser based apps, then remove the browser plugin. There are virtually no legitimate public websites that use Java, but a lot of malware that exploits the plugin for evil purposes.

  15. Re:OS Preference by Phrogman · · Score: 2, Insightful

    It would really be nice to think that the majority of /.ers are mature enough to just accept that other OSes exist and that some people prefer them. However, apparently most of us are children when it comes to OS preference and have to take an antagonistic and condescending approach to dealing with anyone who differs from our preference. Sad.
    My first computer was an Amiga 500. Then I bought an IBM PC clone. I have used MS products for years (DOS 4 -> Windows XP). I didn't particularly like them as they were rather flaky for much of that time, but they got the job done, and my employers used them so I needed to be familiar with them as well. Eventually I bought an iMac and tried OS/X and I like it. I still use Windows XP when I want to play games, but do the majority of my actual computer using on the Mac side of bootcamp. I have used Linux on the desktop and on the server for the past few decades, plus BSD etc. I have an Android smart phone ATM.
    I try to use the right tool for the job at any point. I *like* OS/X because it works for me quite well and it seems fairly reliable. Other than that I seldom think about the OS. It's a nice form of Unix and it works well, that is about it.
    OS Wars are so childish, unless you are actively developing an OS yourself and can hold discussions based on merit and not personal opinion/bias...

    --
    "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
  16. Java in a browser? What? Why? by emt377 · · Score: 2, Insightful

    Why would anyone want Java in their browser? I don't have the JRE plugin and would never install it. There's no need for Java to run in a browser. Desktop apps are a different matter, Eclipse and such are quite useful. And it's eminently practical on the server side. But in the browser? That's completely legacy, and Apple should just stop distributing the plugin for Safari.

  17. Re:Java in a browser? What? Why? by emt377 · · Score: 2

    I guess default is that it's not installed on Chrome. Default for some bizarre reason is to install this shovelware on Safari. Quit Safari, then remove with:
    $ sudo -s
    # rm -f /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin
    # rm -rf /System/Library/Java/Support/CoreDeploy.bundle/Contents/JavaAppletPlugin.plugin
    # exit

    Restart Safari. Gone!

  18. Re:Java in a browser? What? Why? by Freultwah · · Score: 2

    Some banks need it for smartcard based authentication. (Do not ask me why.) Also, me like this nice chromatic guitar tuner at www.seventhstring.com.

  19. Re:Java in a browser? What? Why? by gl4ss · · Score: 2

    some banks need it for authentication just because the consulting contract went to asshats("and we got this extra layer of security by installing these native dll's on the users machine through running a java plugin! oh and by the way this way you can buy an iphone, android and symbian applications for mobile use, since the default netbanking solution will not let you login, sure it would work perfectly after the login but the login can only be done through this java applet, so it's really high tech buy buy buy buy").

    however, java plugin can be a pretty snazzy way to distribute enterprise wide real sw that works on both macs and pc's and starts from the intranet page with one click...

    --
    world was created 5 seconds before this post as it is.
  20. Re:Java in a browser? What? Why? by cmdrbuzz · · Score: 2

    Why not just untick the 'Enable Java' checkbox under Security in Safari Preferences?

    As the next Java update will put those plugins back.