Apple Hit By Hackers Who Targeted Facebook
snydeq writes "Apple was recently attacked by hackers who infected the Macintosh computers of some employees, the company said on Tuesday in an unprecedented disclosure that described the widest known cyber attacks against Apple-made computers to date, Reuters reports. 'The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers, was used to launch attacks against Facebook, which the social network disclosed on Friday. ... A person briefed on the investigation into the attacks said that hundreds of companies, including defense contractors, had been infected with the same malicious software, or malware. The attacks mark the highest-profile cyber attacks to date on businesses running Mac computers.'"
Thank you folks, I'll be here all week.
What political party do you join when you don't like Bible-thumpers *or* hippies?
Among my computers is a windows machine. I have no fear of being compromised because it has no exposed ports, a safe browser, and all 3rd party plugins disabled until I activate them.
I also have an android phone, and I'm near certain it'll get malware from an advertisement someday, because I have no means of blocking anything. It has nothing to do with the underlying safety of the system, but always the weakest link in the chain.
compromising your privacy and security since 2004...
I suspect this is an elaborate hoax perpetrated by Microsoft or possibly Google.
Introducing the new Viri virus scanner, for only $30 it will prevent all infections and coo to you while it does it!
Scan different
Being that this was a Java exploit which required a visit to a website at the least, I would say that those that got infected have more time on their hands than they know what to do with.
Security starts and ends with the user. If someone gets a virus, it is most likely that they do not care, are not paying attention, or are clicking on stupid links that go to stupid things that are not related to their work duties.
Corporations have yet to learn that training is required (less than 30 minutes to show someone the tricks to look out for), and an actual damage assessment and punishment system in relationship to breaches.
Sure IT may get an increase in calls at the start, but it is worth it in the long run.
Yes, Unix is secure by design and Mac OS X has a built-in virus scanner. There is no need to run additional software as none of it would've stopped this exploit short of disabling Java (which was also lauded as secure by design/sandboxing)
"The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers"
I thought Apple disabled Java in the browser months ago?
This is such a delicious day for the tech "press" because despite their constant barrage of warnings to the contrary, Apple viruses have been pretty much non-existent. Sure, OS X has had some vulnerabilities, but they were generally in various Unix packages and daemons, and those same problems generally affected Linux and BSDs and Solaris and so forth.
Anyway, my question: who the hell uses Java as a browser plugin anyway? On my rigs, it is disabled and has been for years. It's still installed (unlike Flash) because some desktop software needs it, but in the browser? Fuck that.
According to TFA the exploit was in Oracle's version of Java, a third party product that was installed on the machine. Hardly something that the OS could be blamed for.
Of course they can, especially when the hacked software was an installed copy of Oracle's version of Java.
>Java
>secure
Choose one
I think you've got Mac OS X mixed up with OpenBSD.
Funny, if it's Windows that gets hit, the first thing said around here is that the OS should be secure enough to prevent such attacks.
And, unless the attack affects one user account only... They are right. That goes for Windows, MacOS, Linux, *BSD, and INSERT_ANY_OTHER_FSCKING_OS_HERE
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
You mean something like this?
http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx
Well, not having the details at hand (although I did RTFA), it seems that the OS allowed a user app to corrupt the system.
So, yes, I can blame it on the OS. Java may have been the initial vector that allowed the malware entry to the system, but the OS allowed the malware to do things it shouldn't have been able to.
And the worms ate into his brain.
So it sounds like the newer, Oracle Java 7 SE was the vulnerable hole? Also hasn't that been the case for the last several months' worth of "Java Exploit" headlines? .... who need dat Java 7 anyway? What is it's be for?
I am's be wonderin'
I never installed it, just running the good ole' Java 6 SE which lets me run all the crap the interwebs brangs forth towards me.
Trojan != Virus for the love of god trolls, please learn this. I am sooo tired of hearing trojans being called viruses. They're both "malware", but that's where it ends.
Anyway, this is why Apple is getting really sick and tired of Flash and Java, they've been the top two security thorns in their side for the last decade. Feeding the Apple bashers and giving Apple a bad rap. Apple doesn't write the flash or java interpreters, they don't have much control over the code monkeys at oracle and adobe.
I work for the Department of Redundancy Department.
Being that this was a Java exploit which required a visit to a website at the least, I would say that those that got infected have more time on their hands than they know what to do with.
That was a bit quick to jump to conclusions:
Rather than using typical targeted approaches like "spear phishing" with e-mails to individuals, the attackers used a "watering hole" attack—compromising the server of a popular mobile developer Web forum and using it to spring the zero-day Java exploit on site visitors.
"The attack was injected into the site's HTML, so any engineer who visited the site and had Java enabled in their browser would have been affected," Sullivan told Ars, "regardless of how patched their machine was."
Source: http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/
Well, to play devil's advocate -- does the install of Java end up bypassing some of the security?
I see a lot of stuff which doesn't want to install into user space, but wants Admin rights and wants to integrate tightly with other things. At which point, installing what should be trusted software is really just opening you up to all sorts of problems.
Though, at this point, it's hard not to conclude that all versions of Java browser plugins are insecure and not to be trusted.
Lost at C:>. Found at C.
This post should be modded up an additional forty, with a side note that it applies to mobile OSes as well.
Let's be honest here. Apple doesn't dislike Flash and Java because of security. They dislike them because people can use them to play games and use apps without Apple getting their 30% cut.
"compromising the server of a popular mobile developer Web forum"
So far, all of the press reports and statements from those compromised have left off the most important bit of information: WHAT "popular mobile developer Web forum" was used?
One would imagine this would be important information to disseminate to developers...
On OS X, I can purchase/download a game from a third party maker, and be off and running. In fact, there are a few utilities (InsomniaX) that are not up for sale in Apple's store due to doing low level kernel functions.
Now, iOS is a different story. Without a JB, one is forced to go through iTunes (beta apps, or enterprise apps) or they go through the App Store. However, this doesn't apply to OS X.
Just say NO to Java.
If you can compromise computers across so many companies, including defense contractors which obviously would have access to classified/sensitive information, why would you waste it by attacking Facebook?
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
They don't like it because you have to run an update twice a week to keep up with the latest exploits found in flash and java. IF oracle/adobe were generous enough to roll up an update this week for the new exploits.
And the boneheads at oracle kept insisting on rolling up whole new installers most of the time, that would only work if you had the previous version installed. (installer or updater make up your mind!) So you'd install vers 10, then 11, then 12, then 12.1, then 13, then 14, most of which were 55-56mb each. Idiots. Java needs to die in a fire. And I'll bring the marshmallows.
It's not entirely oracle and adobe's fault though really... they're just keeping it up because devs keep using it. I'll admit it, writing games in flash (or java) is pretty quick and easy. But quick-n-easy comes at a price, a price to the users
But...they were using Apples. Everyone knows that the Apple OSs can't be hacked. So it is perfectly OK to click on any link that strikes one's fancy. Isn't it?
You do realise that this was a bug in Oracle Java don't you? That's a cross platform vulnerability, the Mal/JavaJar-B trojan for example also affected Windows, Linux and Unix systems.
And, unless the attack affects one user account only...
If the goal is to penetrate a company's systems, one user account is all you need. From there you can get the credentials to get to the juicy stuff.
Multiuser OSes essentially only protect the system files. Guess what? Hackers don't care about your system files. They want your user data.
He turns off Java, Flash, ActiveX, etcetera until he decides it is important to have one of them on.
And acts like this will stop him from getting a java/flash/activex malware.
It won't.
There are two types of people in the world: Those who crave closure
Being cross platform still means it affected Macs. So the GP's tirade against the idea that Macs are immune to malware is valid. The GP was not claiming that other systems were immune to it.
I used to do Mac support and have spent plenty of time removing viruses from the old Mac System 6/7/8/9.x machines. I have never seen a Mac OSX virus 'in the wild'.
Like any other form of security theatre, if you go long enough without being attacked, you get alert fatigue and begin to consider the threat negligible or non-existent and begin to consider yourself immune. I don't even have an anti-virus software on my home computers and would probably need to hear about a mass outbreak before I would consider installing any given my experiences of the performance hit windows machines seem to take when running anti-viral software.
I used to swear by McAfee or Norton's, now I consider them potentially worse than half the malware out there for how they turn a perfectly good machine to molasses.
Sara
Designer, Gamer, Macgrrl in an XP World
any engineer who visited the site and had Java enabled in their browser would have been affected
It seems like not many Mac developers would have been affected - because (1) you have to specifically install Java, and (2) as the response from Apple states Java (in the browser) is disabled if you do not use it for 35 days...
But it would be great to know the sites involved so we would know if we were at risk.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I can't find any reference to what the attack actually does. Does it crash the machine? Erase the hard drive? Cause ugly pop-ups? Spam email?
The only thing worse than a Democrat is a Republican.
Correct me if I'm wrong but isn't Java included with the OS?
No, you have to download and install it.
And even if you do that, if Java is not used for 35 days the system disables it.
Now THAT's how to handle Java so most people will not get burned...
How exactly is software that doesn't run going to get exploited, pray tell? Objects dependent on any code outside firefox are replaced with plain-boring html until I click-to-run them, which is the only time their associated libraries get loaded into memory at all.
Perhaps in this case it was a targeted site that was compromised, but the point still stands.
By making it harder to "phish" people, they must use other means which potentially expose them much easier than an email spam campaign.
It also points out the problem with complex coding platforms like Java.
As I never liked Java because of many other factors, this is just icing on the cake to my issues with it. Java is terrible.
On OS X, I can purchase/download a game from a third party maker, and be off and running.
For now.
Give it a few more releases (assuming Apple still thinks they're on top of the world then). They'll make it harder and harder to do just that, until finally you're jailbreaking your laptop to install programs. And you'll just treat that as standard operating procedure.
Funny, if it's Windows that gets hit, the first thing said around here is that the OS should be secure enough to prevent such attacks.
Well, that's what they are doing with iOS. However some people have objections about that as well.
It says it was Oracle Java, and Oracle does not provide Java 6 for OS X so it must have been Java 7.
Sounds like their aim needs some practice.
/* No Comment */
Being cross platform still means it affected Macs. So the GP's tirade against the idea that Macs are immune to malware is valid. The GP was not claiming that other systems were immune to it.
No Apple user I know and who has even basic knowledge of what malware is claims Macs are immune to malware. Even totally clueless 'drone' type users don't assume that. I know because a friend of mine has a small Apple shop and people regularly show up at his dealership and ask about infection risks on OS X and half the time they walk out with a free info booklet on malware and having bought a basic anti malware suite (he installs and configures it for free). This guy is just another nerdy zealot venting his irrational hatred of all things Apple. That "OS X is immune to malware and h4x0rs" mantra is so old it has whiskers on it and regurgitating it makes him just as lame as those sad plonkers who still spell Microsoft with a $ sign.
Funny, if it's Windows that gets hit, the first thing said around here is that the OS should be secure enough to prevent such attacks.
That's because the attacks are usually around IE or open ports. So of course people would blame the OS for the security failure.
If the attacks are "usually" around IE or open ports, when was the last such attack?
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Seriously?
It'll get exploited when he is running it.
You do realise that this was a bug in Oracle Java don't you? That's a cross platform vulnerability, the Mal/JavaJar-B trojan for example also affected Windows, Linux and Unix systems.
A few years ago, when Apple shipped iPods with Windows Virus they said "As you might imagine, we are upset at Windows for not being more hardy against such viruses...". So now they should be upset with themselves.
Actually, before you ripped it out of context, the full quote was: "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it." So even at the time they admitted they were upset with themselves even though they couldn't help but take a shot at Microsoft for reasons that have to do with events that took place while you were probably still in diapers. Come to think of it I could fill a book with snide comments by Linux Fanbois about Windows security made on this forum, comments that ignore the fact that there is way more malware targeted at Windows than there is malware targeted at Linux. If you take that into account Microsoft is doing a pretty good job on security, snide comments by Apple Marketing drones and Slashdot Linux fanbois notwithstanding.
He being me, just for reference. The vast vast vast vast majority of malware infections come from sites you never intended to visit: domain squatters, advertisers working with shady sites, SEO space-wasters, bogus links. I only run 3rd party software I actually have reason to trust.
No Apple user I know and who has even basic knowledge of what malware is claims Macs are immune to malware. Even totally clueless 'drone' type users don't assume that. I know because a friend of mine has a small Apple shop and people regularly show up at his dealership and ask about infection risks on OS X and half the time they walk out with a free info booklet on malware and having bought a basic anti malware suite (he installs and configures it for free). This guy is just another nerdy zealot venting his irrational hatred of all things Apple. That "OS X is immune to malware and h4x0rs" mantra is so old it has whiskers on it and regurgitating it makes him just as lame as those sad plonkers who still spell Microsoft with a $ sign.
Come to my company. We have many users with Apples at home that swear to me that their Apples cannot get viruses, malware, hacked, etc... They all want to use them on the company network.
"A plan fiendishly clever in its intricacies"- Homer Simpson
Speaking from my perspective only, it's been quite a while since I felt that way about Windows, and it seems to me that the majority of comments about Microsoft being singled out unfairly have been from people claiming that Linux- or Mac-fanbois would be freaking out if the same exact thing had happened on a Windows box.
There was a time that a HUGE number of exploits existed against Windows itself (or IE, which is part of Windows), and an equal number of exploits existed against other major MS products such as Word, Excel, and Outlook. This was when everyone was wound up and ready to blame Microsoft for anything. In some cases, they were wrongly blamed for exploits against third-party products such as Firefox, and there were certainly times when the same people who decried MS for those third party exploits defended Apple or Linux in nearly identical circumstances, but really, overall, the Windows ecosystem *was* less secure back then. Now, things have mostly evened out, and it seems to me that 99% of the exploits these days go through Java, Flash or Acrobat.
One interesting thing that Apple has done is the whole shift towards the app store even for desktops, with the sandboxing requirement. Love it or hate it, if they've done it right, it will indeed make the system more secure. It'll be interesting to see if Microsoft starts moving that direction as well.
The CB App. What's your 20?
This wouldn't have happened if Steve was alive!
Call me ignorant, but the recent wave of Java bugs, are they Oracle implementation bugs, or problems with the Java specification? Are OpenJDK/IcedTea affected?
Perhaps in this case it was a targeted site that was compromised, but the point still stands. By making it harder to "phish" people, they must use other means which potentially expose them much easier than an email spam campaign.
No, your point does not stand. You were blaming the stupid users with too much time browsing porn sites or whatnot as well as the corporation that did not train them properly.
There isn't much you can do against a browser plugin silently executing malicious code planted into a normally harmless popular website. No matter how knowledgeable were the respective FB developers, if the cited information is correct and complete, there was no way they could have avoided the problem except by having java blocked/disabled.
No Apple user I know and who has even basic knowledge of what malware is claims Macs are immune to malware.
Actually, Macs claim that they are immune to PC Viruses.
Being that this was a Java exploit which required a visit to a website at the least, I would say that those that got infected have more time on their hands than they know what to do with.
Security starts and ends with the user. If someone gets a virus, it is most likely that they do not care, are not paying attention, or are clicking on stupid links that go to stupid things that are not related to their work duties.
Corporations have yet to learn that training is required (less than 30 minutes to show someone the tricks to look out for), and an actual damage assessment and punishment system in relationship to breaches.
Sure IT may get an increase in calls at the start, but it is worth it in the long run.
Riiiight.
Write once, run anywhere.
"This is a new campaign. It's not like the other ones you read about where everyone can tell it's China," the first person said. I'm a bit lost with all the attacks, java security alerts, java patches, java this, java that. Could we give each java alert a feminine first name like we do with tornadoes?
Why does everywhere seem to be keeping the identity of the site in question top secret?
That's rather unacceptable, as many other developers using said site could also have been impacted.
This helps no one other than the admins of a site who failed to properly secure it, and they shouldn't have a right to anonymity for their site when others may well be at risk.
Apologies, my hand grazed the touchpad and my laptop took that as an indication I wanted to moderate you as flamebait. Posting to undo.
Change is certain; progress is not obligatory.
If the App Store became a requirement, then they would be forced to stop.
They would also be forced to give Apple a 30% cut of their sales and let Apple and Apple only decide if their software was "appropriate" for your computer.
Oh shit.
Let's be honest here. Apple doesn't dislike Flash and Java because of security. They dislike them because people can use them to play games and use apps without Apple getting their 30% cut.
Yes, because Apple had an app store in 2007 when the first iPhone came out without Flash support. Even after the store came around, all those free apps though... 30% of nothing is—let me do the math here. Nothing into nothin'. Carry the nothin'...
Let's be honest here. Apple doesn't like Flash and Java IN PART because people could then use them to play games and use apps without Apple getting a 30% cut, IN PART because of security issues, and IN PART because the user experience on mobile for existing content was bad. Bad enough that even Adobe finally killed mobile Flash development, despite Flash-capable Android rising to prominence.
(Yes, new content could be developed targeting mobile Flash, but let's be honest again--the main reason people wanted Flash on their mobile devices was to access *existing* content, despite their mouse-oriented UI)
To be clear, she makes her connections on the internet. She makes her money on her knees. At least that's what I heard from kutahuja's mom.
Reply to undo Mod.
Of course news about a fake are Fake News.
Virus scanners on Windows catch Java exploits! Having a virus scanner technology could have prevented this.
Sure. Virus scanners can catch 0-day vulnerabilities. Whatever you say.