
Java-based Trojan horse targets computers running Apple's Mac OS X - Page 2

post #41 of 94
Quote:
Originally Posted by RationalTroll

Maybe. How many other OSes are affected by this exploit?

Oh for f**ks sake! This is not an OS exploit!
it's = it is / it has, its = belonging to it.
post #42 of 94
Open Safari Prefs, click the Security tab, un-check "Enable Java."

BOOM. Done. The applet won't run, it can't deliver its payload, the world is safe.

Sent from my iPhone Simulator
post #43 of 94
Quote:
Originally Posted by SockRolid

Open Safari Prefs, click the Security tab, un-check "Enable Java."

BOOM. Done. The applet won't run, it can't deliver its payload, the world is safe.

Unplug computer. Boom, done. You are safe.
Please don't be insane.
post #44 of 94
Quote:
Originally Posted by SockRolid

Open Safari Prefs, click the Security tab, un-check "Enable Java."

BOOM. Done. The applet won't run, it can't deliver its payload, the world is safe.

You should also uncheck the General, "Open safe files after downloading" option-- the one which Apple thinks is a good idea to enable by default.
post #45 of 94
Quote:
Originally Posted by Phone-UI-Guy

Why would anyone click "Allow" in this context?


Couldn't be more obvious than that. Whoever falls for that trap deserves it..
post #46 of 94
2011 13" 2.3 MBP, 2006 15" 2.16 MBP, iPhone 4, iPod Shuffle, AEBS, AppleTV2 with XBMC.
post #47 of 94
Quote:
Originally Posted by SockRolid

Open Safari Prefs, click the Security tab, un-check "Enable Java."

BOOM. Done. The applet won't run, it can't deliver its payload, the world is safe.

it's = it is / it has, its = belonging to it.
post #48 of 94
Quote:
Originally Posted by Wurm5150

Couldn't be more obvious than that. Whoever falls for that trap deserves it..

Hmmm. Sounds kinda mean-spirited to me. Yes, on the one hand, it's better to be safe than sorry, but there's really no need to take a "blame the victim" stance on this. The fact that the dialogue box was designed with an "allow" button suggests that there are some instances where it's not malicious. I'm not much of a computer geek, so I don't really know what "digital signatures" mean, and because of that I tend to err on the side of caution. I think people who just click "allow" all the time are not particularly smart, but I wouldn't say they "deserve" being victimized by the consequences.
"Don't be a dick!"Wil Wheaton
post #49 of 94
Quote:
Originally Posted by CIM

And this is (one reason) why Apple is getting rid of Java and Flash on Macs, kids.

This is such an idiotic thing to say in light of iPhone/iOS jailbreaking. Do you even know what the fuck jail breaking is?

It is a security exploit that allows an unauthorized third party to inject and execute arbitrary code on your device. In this case the code "unlocks" your device and gives you root privileges.

And this happens each time days after new iOS is released. In fact, one of the latest exploits can be done from a freaking web page (jailbreak iPhone by visiting a web page)!!! How's that for iOS security?

Yet, some idiot like you is bitching about Java "exploit" which is not really exploit, but social engineering asking idiotic user to install malware for them.

Jesus man, OS X users are the stupidest of users out there.

Mac Pro, 8 Core, 32 GB RAM, nVidia GTX 285 1 GB, 2 TB storage, 240 GB OWC Mercury Extreme SSD, 30'' Cinema Display, 27'' iMac, 24'' iMac, 17'' MBP, 13'' MBP, 32 GB iPhone 4, 64 GB iPad 3
post #50 of 94
Quote:
Originally Posted by Dr Millmoss

Ugh. This kind of remark never fails to creep me out. Maybe you're not doing as good a job developing the software as you think you are. Ever consider that?

"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning."

Mac Pro, 8 Core, 32 GB RAM, nVidia GTX 285 1 GB, 2 TB storage, 240 GB OWC Mercury Extreme SSD, 30'' Cinema Display, 27'' iMac, 24'' iMac, 17'' MBP, 13'' MBP, 32 GB iPhone 4, 64 GB iPad 3
post #51 of 94
Quote:
Originally Posted by esummers

I wouldn't be surprised if OS X even sandboxes the documents directory separately (like the iPhone) for each application in the future (Lion maybe?) to make this even less of an issue.

I hope not! I don't want to be asked every time I want to open a JPEG in GraphicConverter instead of PS, or a PDF in Preview instead of Acrobat Reader, for "permission" simply because those weren't the programs that created the original document.

Quote:
Originally Posted by Wurm5150

Couldn't be more obvious than that. Whoever falls for that trap deserves it..

It may shock you, but not everyone who uses computers is technically inclined (btw, if you are reading/replying to this thread, you are technically inclined). Applet? Access? What sort of permission? It's obvious to YOU. But to grandma? A 10-year old?

All they know is they want to watch the video the link leads to. And of course I want to watch it on my computer, so I'll allow it. They don't realize that other things can be going on in the background that they are not aware of. Or are you suggesting that only people with Masters degrees should be allowed to use computers?

(It does however suggest that grandma and little Johnny should not be logging into your computer with an admin account!)
post #52 of 94
Quote:
Originally Posted by Mario

"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning."

Yes, the real problem in the world is that most people don't think like software engineers. It's not software engineers who are failing, it's everybody else.
Please don't be insane.
post #53 of 94
Quote:
Originally Posted by Joe hs

It looks like in the near future I may have to purchase antivirus, no?

Why? Based on this story?

This is a story about a trojan that DOES NOT WORK.
post #54 of 94
Quote:
Originally Posted by esummers

Good point. How can a program that does malicious things that you _deliberately_ install be considered a trojan? Sounds like this is a misclassification by these "security firms".

In the city of Troy, many years ago, the Trojans _deliberately_ allowed a horse to enter. The horse was filled with malicious things.

That is where the name came from.
post #55 of 94
Quote:
Originally Posted by Mr. H

Quote:
Originally Posted by RationalTroll
Maybe. How many other OSes are affected by this exploit?

Oh for f**ks sake! This is not an OS exploit!

Cool.

But Java runs everywhere.

So obviously a Java exploit is affecting every OS it runs on.

Can you kindly tell us which other OSes have seen this exploit?
post #56 of 94
Quote:
Originally Posted by RationalTroll

So obviously a Java exploit is affecting every OS it runs on.

Can you kindly tell us which other OSes have seen this exploit?

You've A: Answered your own question or B: Don't know when to quit.

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already fucked.
post #57 of 94
Quote:
Originally Posted by Johnny Mozzarella

Or to put it in layman's terms...You are the hole!

Funny!

Reminds me of the joke years back about the Quaker email 'worm/virus' that stated something like: this is a low-tech virus. please go to your c: drive and delete all files. thank thee.
The Universe is Intelligent and Friendly
post #58 of 94
Quote:
Originally Posted by RationalTroll

Cool.

But Java runs everywhere.

So obviously a Java exploit is affecting every OS it runs on.

Can you kindly tell us which other OSes have seen this exploit?

I think the point Mr. H is trying to make is that while viruses look for vulnerabilities within the design of an OS, a trojan horse takes advantage of the vulnerabilities of a user by embedding itself into a piece of software the user is likely to install or "allow". So, discussion about OS exploits is kind of moot.
"Don't be a dick!"Wil Wheaton
post #59 of 94
Quote:
Originally Posted by RationalTroll

Cool.

But Java runs everywhere.

So obviously a Java exploit is affecting every OS it runs on.

Can you kindly tell us which other OSes have seen this exploit?

Oh for f**ks sake again! This is not an exploit of any flaw in any software, be it OS, Java, or anything else. It is an exploit of the user, and that's it!
it's = it is / it has, its = belonging to it.
post #60 of 94
Confirms Apple's decision to remove Java.
post #61 of 94
Quote:
Originally Posted by Quadra 610

Confirms Apple's decision to remove Java.

OK, look, this is just baiting me right? I mean, you did read the thread before posting in it, didn't you?

Oh, and: Apple is not removing Java. They are ceasing to update it and presumably Oracle will take over.
it's = it is / it has, its = belonging to it.
post #62 of 94
Quote:
Originally Posted by Mr. H

Oh for f**ks sake again! This is not an exploit of any flaw in any software, be it OS, Java, or anything else. It is an exploit of the user, and that's it!

Take a chill pill, dude. Either RecursiveTroll will get it or he/she won't. Most of us get what you mean, I think.
"Don't be a dick!"Wil Wheaton
post #63 of 94
Quote:
Originally Posted by fishstick_kitty

You sound like an idiot...removing java from the OS X install has NOTHING to do with the security of Java. If there is a security hole here, it's the fault of the OS, not the plug-in.



It is specifically asking you, the user, to allow modification. Therefore, the OS does indeed know that something that normally should not be modified is going to get changed. The OS is outright asking you to allow these changes.

No matter what OS that prompt would happen to show up on, because it is a program designed in Java it will run anywhere. I wouldn't fault OS X, Windows, Linux or anything else. This one is on the user.
post #64 of 94
Quote:
Originally Posted by Quadra 610

Confirms Apple's decision to remove Java.

Seriously Quadra?

This Trojan runs perfectly fine, it's not exploiting a hole in Java, nor a hole in OS X.

The decision to remove Java from OS X installs means Apple thinks their popularity will entice Oracle to keep Java up to date on their own. It also means OS X updates are finally going to get smaller to download. Perhaps we can have updates more frequently, rather than wait for the updates to come through Apple we can download them ourselves separately.

It may work, it may not. Maybe Oracle won't put in the resources necessary to maintain feature parity with Windows and Linux. Maybe they will who knows? I know there were times I wish my nVidia updates would have come out prior to an OS update. Without Apple's input and help in maintaining the code the updates may get fewer and farther between, or not be coded as well.

There's something to having the hardware manufacturer writing the software for their platform, is there not?
post #65 of 94
Disclosure: I'm a Java developer, but I do enterprise server-side development, not web development.

Having said that, I agree with Apple's decision to deprecate Java, and I'm not foaming at the mouth like some Java devs are. Apple has been slowly backing out of their commitment to Java made in 2000, and this is the continuation of that long process. Losing the Java devs who buy Mac Pros and MacBook Pros would have been devastating to Apple in 2000, now it's a manageable loss. Hopefully, Apple is putting lots of pressure on Oracle to provide a full Java implementation on Mac. They've certainly laid the groundwork for this by re-working their Java file/directory structure from a byzantine mess of files installed all over the filesystem with only one Java runtime allowed per version, to localizing it to a specific directory in which multiple Java runtimes can be installed for the same version. Apple is putting a significant effort into bowing out of its Java commitment gracefully.

Also, I feel it's Oracle's responsibility to provide a full Java runtime for OS X, including Swing/GUI. Oracle acquired Sun's commitments when they acquired the company, and they absolutely should not back out, especially having committed to Java FX 2.0.

Also, the Apple Java devs are wonderful, committed and very helpful people. They take a lot of abuse on the java-dev mailing list, and are bound by really tight NDAs that prevent them from commenting on any of the Apple Java policy decisions, but are extremely helpful for specific technical questions, answering emails on the weekends. I make special mention of Mike Swingler.

I'm concerned about the potential lack of Java on Mac from anyone, and it will make me consider my choice of platform. I'm otherwise extremely satisfied with the Mac experience, and would be extremely reluctant to switch to Linux or Windows (which makes my skin crawl just thinking about it).

Quote:
Originally Posted by technohermit

Seriously Quadra?

This Trojan runs perfectly fine, it's not exploiting a hole in Java, nor a hole in OS X.

The decision to remove Java from OS X installs means Apple thinks their popularity will entice Oracle to keep Java up to date on their own. It also means OS X updates are finally going to get smaller to download. Perhaps we can have updates more frequently, rather than wait for the updates to come through Apple we can download them ourselves separately.

It may work, it may not. Maybe Oracle won't put in the resources necessary to maintain feature parity with Windows and Linux. Maybe they will who knows? I know there were times I wish my nVidia updates would have come out prior to an OS update. Without Apple's input and help in maintaining the code the updates may get fewer and farther between, or not be coded as well.

There's something to having the hardware manufacturer writing the software for their platform, is there not?
post #66 of 94
Quote:
Originally Posted by CIM

And this is (one reason) why Apple is getting rid of Java and Flash on Macs, kids.

Oh please, one coulda easily written this in Objective-C.

Quote:
Originally Posted by Mr. H

Nope, the security hole is the user, as Johnny Mozzarella said.

However, if a hole exists that an application can penetrate within the operating system, then shouldn't it be fixed regardless of the user's IQ?

HP Omni 100-5100z, 500GB HDD, 4GB RAM; ASUS Transformer, 16GB, Android 4.0 ICS
Although I no longer own Apple products like I did before, I'll continue to post my opinions.
post #67 of 94
Quote:
Originally Posted by Zc456

However, if a hole exists that an application can penetrate within the operating system, then should it be fixed regardless of the user?

Sure. Did I say such holes shouldn't be fixed? Hint: this is a Trojan and it doesn't exploit any security holes in OS X or Java.
it's = it is / it has, its = belonging to it.
post #68 of 94
Quote:
Originally Posted by Zc456

Oh please, one coulda easily written this in Objective-C.



However, if a hole exists that an application can penetrate within the operating system, then shouldn't it be fixed regardless of the user's IQ?

This CAN'T be fixed. Either you allow a user to install software or you do not.

If you decide to not allow a user to install software, you no longer have a general purpose computer, you now have a static appliance. That's not the machine people buy computers to be.

Once the inevitable decision is made to allow a user to install software there is only so much that can be done, such as the dialog box that says there are some problems with the software's identification and do you really want to install it. Once that button is hit to say yes, anything else the OS could possibly do is a version of the Halting Problem. And that is mathematically proven to be an impossible task. Any partial solutions will necessarily be incomplete, and therefore flawed and automatically vulnerable -- yes a built-in and unavoidable vulnerability, one that is unidentified, but guaranteed to be there.

You cannot even say well we will avoid that by only allowing users to install software that has a valid certificate. The vast majority of software does not have certificates, and most open source and education generated software cannot even qualify for a certificate because there is no "Financially Responsible Entity". For every solution we can create there we can create multiple problems.

It all comes down to trust and possession. Once anyone is in possession of a machine, and trusted to do anything with it, they can cause bad things to happen, unintentionally or intentionally.
.
post #69 of 94
Quote:
Originally Posted by Hiro

This CAN'T be fixed. Either you allow a user to install software or you do not.

If you decide to not allow a user to install software, you no longer have a general purpose computer, you now have a static appliance. That's not the machine people buy computers to be.

Once the inevitable decision is made to allow a user to install software there is only so much that can be done, such as the dialog box that says there are some problems with the software's identification and do you really want to install it. Once that button is hit to say yes, anything else the OS could possibly do is a version of the Halting Problem. And that is mathematically proven to be an impossible task. Any partial solutions will necessarily be incomplete, and therefore flawed and automatically vulnerable -- yes a built-in and unavoidable vulnerability, one that is unidentified, but guaranteed to be there.

You cannot even say well we will avoid that by only allowing users to install software that has a valid certificate. The vast majority of software does not have certificates, and most open source and education generated software cannot even qualify for a certificate because there is no "Financially Responsible Entity". For every solution we can create there we can create multiple problems.

It all comes down to trust and possession. Once anyone is in possession of a machine, and trusted to do anything with it, they can cause bad things to happen, unintentionally or intentionally.

Thank you!

One other "possibility": only allow the user to install software that won't do anything "bad". However, what do you define as "bad", and how do you determine what software will do before it's installed/run?

You could have a whitelist of "not bad" apps (blacklists (as used by Virus/Malware scanners) are a crappy idea because of the lag time between a "bad" app being released and that app being added to the blacklist).

You could implement some advanced form of AI in the OS that analyses the program to determine if it's going to try and do something "bad". If you think that sounds trivial, trust me it isn't.
it's = it is / it has, its = belonging to it.
post #70 of 94
That quite explicitly IS the halting problem. There is no way to examine code in an automated way to ensure there is no badness in it, because you cannot guarantee you know all the ways a program could possibly be bad (just like Turing showed we can never know all the conditions for which all possible programs might continue). You cannot use a list, because to generate the list you need the previously impossible program, people are too slow and too error prone to do it on the scale necessary. Even with the greatest AI ever, it is still a computer program governed by Computability and the Halting Problem.

Brains avoid the Halting Problem by guessing when to stop, not actually computing when to stop. The guess, called a heuristic, could be used in the list generation software, but it's only a guess, and who wants a list of software we only guess to be safe?

It's flat out an unsolvable problem. We can only minimize it. Even in tightly administered networks that don't give normal users install privileges, the admins have them (oops there's that trust bugaboo again!) and if an admin screws up the whole network is pwned.
.
post #71 of 94
Quote:
Originally Posted by noirdesir

How does any malware modify the system? Either by the user entering the password or by some security hole like a buffer overflow. You seem to imply that things like execution of arbitrary code due to buffer overflows (or other security flaws) do not exist, when they are being reported almost weekly for some piece of software.

so can this java applet do all that? is there a zero day exploit it can use out there? or does it totally rely on stupid?
post #72 of 94
Quote:
Originally Posted by fishstick_kitty

You sound like an idiot...removing java from the OS X install has NOTHING to do with the security of Java. If there is a security hole here, it's the fault of the OS, not the plug-in.

Actually that is exactly the reason. That's not to say that Java is insecure like the commenter was implying. However one of the major reasons Apple is no longer going to write their own Java updates is because they were always a version behind, and the biggest reason you want to have the latest release of Java is security. Frankly for most users it's probably better just not to have it installed at all. I'm sure most people don't have any Java programs installed, and no matter how secure Java is it still poses an additional security risk.
post #73 of 94
Quote:
Originally Posted by WelshDog

And if you run Little Snitch you'll get two warnings, the one shown above and one from Little Snitch asking you if you want to allow the trojan to connect to an external server.

Just say no.

Yup just thought the same thing. Just block the thing and you then run one of the free tools. We'll see if this will become a big deal.
--SHEFFmachine out
Da Bears!
post #74 of 94
Quote:
Originally Posted by Phone-UI-Guy

Why would anyone click "Allow" in this context?


Someone who wasn't paying attention or is used to all the nonsense that happens on Windows?
post #75 of 94
Quote:
Originally Posted by Mynameisjoe

Actually that is exactly the reason. That's not to say that Java is insecure like the commenter was implying. However one of the major reasons Apple is no longer going to write their own Java updates is because they were always a version behind, and the biggest reason you want to have the latest release of Java is security.

I am also inclined to believe so. And for those who already forgot it, let me recall that sometime last year (or the beginning of this one) there was a serious security hole in java that remained unpatched for many months in OS X. Since then I disabled java in Safari and never looked back again. Of course this is not the reason why Apple is leaving java, but I suspect that it played an important role in combination with the slow down in the java updates rate for Mac OS X, which probably happened for other reasons.

For the present one, yes, the user is the weak link in the chain and I don't see what else could be done if not to alert the user that unknown code is about to run.
post #76 of 94
Quote:
Originally Posted by Joe hs

It looks like in the near future I may have to purchase antivirus, no?

Why? The best antivirus software on the planet is not going to prevent the biggest cause of infection these days...the freaking idiot behind the keyboard that allows any dialog box that pops up.
post #77 of 94
Quote:
Originally Posted by Mr. H

Do people not read threads before posting in them? You seem not to understand what a Trojan is, but if you'd read the thread you may be enlightened.

To expand on what's been said already, think about the name: Trojan. Where does that name come from? Answer: the Trojan Horse. The whole point of a Trojan is that it makes the user think they want it, so the user installs it and runs it, but then it does unpleasant things. But you gave it your password, you gave it permission to run, it's your fault that it just pilfered all your contacts or deleted all your files etc etc. Trojans do not exploit OS or 3rd party software vulnerabilities, they exploit user vulnerabilities.

I would like to point out in the original myth the Trojans were warned NOT to bring the horse into the city by Trojan priest Laocoön but was killed by Poseidon via sea serpent.

OSX is being Laocoön here and the user doesn't have the excuse of Poseidon but rather his own stupidity in letting his horse in his city.
post #78 of 94
Quote:
Originally Posted by Mynameisjoe

Actually that is exactly the reason. That's not to say that Java is insecure like the commenter was implying. However one of the major reasons Apple is no longer going to write their own Java updates is because they were always a version behind, and the biggest reason you want to have the latest release of Java is security. Frankly for most users it's probably better just not to have it installed at all. I'm sure most people don't have any Java programs installed, and no matter how secure Java is it still poses an additional security risk.

This isn't a Java exploit.

It is a Social Engineering exploit written in Java for several platforms at once. There are few measures to prevent Social Engineering attacks that a) work; and b) are worth the price in terms of usability.
.
post #79 of 94
Quote:
Originally Posted by Mr. H

Quote:
Originally Posted by Joe hs

It looks like in the near future I may have to purchase antivirus, no?

No.

Your negation of any hypothetical need for an antivirus in the future is at best laughable if not irresponsible.
post #80 of 94
Quote:
Originally Posted by Sensi

Your negation of any hypothetical need for an antivirus in the future is at best laughable if not irresponsible.

He said "near future" not the future in general. User savvy is still all that's required on OS X, and in any case, anti-virus can't protect against new threats that haven't been added to the blacklist yet. Even with anti-virus, you still need the aforementioned savvy. In fact, there is a risk to the less savvy user that if they install an anti-virus package, they think they don't need to be careful any more about what they allow their computer to do, because the anti-virus will protect them, right?
it's = it is / it has, its = belonging to it.