Oh for f**ks sake! This is not an OS exploit!
Java-based Trojan horse targets computers running Apple's Mac OS X - Page 2
- SockRolid
- Almost Rock Solid
- Joined: Jan 2010
- Location: California
- Posts: 1,328
You should also uncheck the General, "Open safe files after downloading" option-- the one which Apple thinks is a good idea to enable by default.
Hmmm. Sounds kinda mean-spirited to me. Yes, on the one hand, it's better to be safe than sorry, but there's really no need to take a "blame the victim" stance on this. The fact that the dialogue box was designed with an "allow" button suggests that there are some instances where it's not malicious. I'm not much of a computer geek, so I don't really know what "digital signatures" mean, and because of that I tend to err on the side of caution. I think people who just click "allow" all the time are not particularly smart, but I wouldn't say they "deserve" being victimized by the consequences.
This is such an idiotic thing to say in light of iPhone/iOS jailbreaking. Do you even know what the fuck jail breaking is?
It is a security exploit that allows an unauthorized third party to inject and execute arbitrary code on your device. In this case the code "unlocks" your device and gives you root privileges.
And this happens each time days after new iOS is released. In fact, one of the latest exploits can be done from a freaking web page (jailbreak iPhone by visiting a web page)!!! How's that for iOS security?
Yet, some idiot like you is bitching about Java "exploit" which is not really an exploit, but social engineering asking idiotic user to install malware for them.
Jesus man, OS X users are the stupidest of users out there.
Mac Pro, 8 Core, 32 GB RAM, nVidia GTX 285 1 GB, 2 TB storage, 240 GB OWC Mercury Extreme SSD, 30'' Cinema Display, 27'' iMac, 24'' iMac, 17'' MBP, 13'' MBP, 32 GB iPhone 4, 64 GB iPad 3
"Programming today is a race between software engineers striving to build bigger and better idiot- proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning."
I hope not! I don't want to be asked every time I want to open a JPEG in GraphicConverter instead of PS, or a PDF in Preview instead of Acrobat Reader, for "permission" simply because those weren't the programs that created the original document.
It may shock you, but not everyone who uses computers is technically inclined (btw, if you are reading/replying to this thread, you are technically inclined). Applet? Access? What sort of permission? It's obvious to YOU. But to grandma? A 10-year old?
All they know is they want to watch the video the link leads to. And of course I want to watch it on my computer, so I'll allow it. They don't realize that other things can be going on in the background that they are not aware of. Or are you suggesting that only people with Masters degrees should be allowed to use computers?
(It does however suggest that grandma and little Johnny should not be logging into your computer with an admin account!)
Yes, the real problem in the world is that most people don't think like software engineers. It's not software engineers who are failing, it's everybody else.
In the city of Troy, many years ago, the Trojans _deliberately_ allowed a horse to enter. The horse was filled with malicious things.
That is where the name came from.
Cool.
But Java runs everywhere.
So obviously a Java exploit is affecting every OS it runs on.
Can you kindly tell us which other OSes have seen this exploit?
- Tallest Skil
- Cartography!
- Joined: Aug 2010
- Location: 1 Geostationary Tower Plaza
- Posts: 25,422
Funny! 
Reminds me of the joke years back about the Quaker email 'worm/virus' that stated something like: this is a low-tech virus. please go to your c: drive and delete all files. thank thee.
I think the point Mr. H is trying to make is that while viruses look for vulnerabilities within the design of an OS, a trojan horse takes advantage of the vulnerabilities of a user by embedding itself into a piece of software the user is likely to install or "allow". So, discussion about OS exploits is kind of moot.
Oh for f**ks sake again! This is not an exploit of any flaw in any software, be it OS, Java, or anything else. It is an exploit of the user, and that's it!
OK, look, this is just baiting me right? I mean, you did read the thread before posting in it, didn't you?
Oh, and: Apple is not removing Java. They are ceasing to update it and presumably Oracle will take over.
Take a chill pill, dude. Either RecursiveTroll will get it or he/she won't. Most of us get what you mean, I think.


It is specifically asking you, the user, to allow modification. Therefore, the OS does indeed know that something that normally should not be modified is going to get changed. The OS is outright asking you to allow these changes.
No matter what OS that prompt would happen to show up on, because it is a program designed in Java it will run anywhere. I wouldn't fault OS X, Windows, Linux or anything else. This one is on the user.
Seriously Quadra?
This Trojan runs perfectly fine, it's not exploiting a hole in Java, nor a hole in OS X.
The decision to remove Java from OS X installs means Apple thinks their popularity will entice Oracle to keep Java up to date on their own. It also means OS X updates are finally going to get smaller to download. Perhaps we can have updates more frequently, rather than wait for the updates to come through Apple we can download them ourselves separately.
It may work, it may not. Maybe Oracle won't put in the resources necessary to maintain feature parity with Windows and Linux. Maybe they will who knows? I know there were times I wish my nVidia updates would have come out prior to an OS update. Without Apple's input and help in maintaining the code the updates may get fewer and farther between, or not be coded as well.
There's something to having the hardware manufacturer writing the software for their platform, is there not?
- Joined: Nov 2004
- Location: Montreal, Canada
- Posts: 743
Having said that, I agree with Apple's decision to deprecate Java, and I'm not foaming at the mouth like some Java devs are. Apple has been slowly backing out of their commitment to Java made in 2000, and this is the continuation of that long process. Losing the Java devs who buy Mac Pros and MacBook Pros would have been devastating to Apple in 2000, now it's a manageable loss. Hopefully, Apple is putting lots of pressure on Oracle to provide a full Java implementation on Mac. They've certainly laid the groundwork for this by re-working their Java file/directory structure from a byzantine mess of files installed all over the filesystem with only one Java runtime allowed per version, to localizing it to a specific directory in which multiple Java runtimes can be installed for the same version. Apple is putting a significant effort into bowing out of its Java commitment gracefully.
Also, I feel it's Oracle's responsibility to provide a full Java runtime for OS X, including Swing/GUI. Oracle acquired Sun's commitments when they acquired the company, and they absolutely should not back out, especially having committed to Java FX 2.0.
Also, the Apple Java devs are wonderful, committed and very helpful people. They take a lot of abuse on the java-dev mailing list, and are bound by really tight NDAs that prevent them from commenting on any of the Apple Java policy decisions, but are extremely helpful for specific technical questions, answering emails on the weekends. I make special mention of Mike Swingler.
I'm concerned about the potential lack of Java on Mac from anyone, and it will make me consider my choice of platform. I'm otherwise extremely satisfied with the Mac experience, and would be extremely reluctant to switch to Linux or Windows (which makes my skin crawl just thinking about it).

Oh please, one coulda easily written this in Objective-C.
However, if a hole exists that an application can penetrate within the operating system, then shouldn't it be fixed regardless of the user's IQ?

HP Omni 100-5100z, 500GB HDD, 4GB RAM; ASUS Transformer, 16GB, Android 4.0 ICS
Although I no longer own Apple products like I did before, I'll continue to post my opinions.
Sure. Did I say such holes shouldn't be fixed? Hint: this is a Trojan and it doesn't exploit any security holes in OS X or Java.
This CAN'T be fixed. Either you allow a user to install software or you do not.
If you decide to not allow a user to install software, you no longer have a general purpose computer, you now have a static appliance. That's not the machine people buy computers to be.
Once the inevitable decision is made to allow a user to install software there is only so much that can be done, such as the dialog box that says there are some problems with the software's identification and do you really want to install it. Once that button is hit to say yes, anything else the OS could possibly do is a version of the Halting Problem. And that is mathematically proven to be an impossible task. Any partial solutions will necessarily be incomplete, and therefore flawed and automatically vulnerable -- yes a built-in and unavoidable vulnerability, one that is unidentified, but guaranteed to be there.
You cannot even say well we will avoid that by only allowing users to install software that has a valid certificate. The vast majority of software does not have certificates, and most open source and education generated software cannot even qualify for a certificate because there is no "Financially Responsible Entity". For every solution we can create there we can create multiple problems.
It all comes down to trust and possession. Once anyone is in possession of a machine, and trusted to do anything with it, they can cause bad things to happen, unintentionally or intentionally.

Thank you!
One other "possibility": only allow the user to install software that won't do anything "bad". However, what do you define as "bad", and how do you determine what software will do before it's installed/run?
You could have a whitelist of "not bad" apps (blacklists (as used by Virus/Malware scanners) are a crappy idea because of the lag time between a "bad" app being released and that app being added to the blacklist).
You could implement some advanced form of AI in the OS that analyses the program to determine if it's going to try and do something "bad". If you think that sounds trivial, trust me it isn't.
Brains avoid the Halting Problem by guessing when to stop, not actually computing when to stop. The guess, called a heuristic, could be used in the list generation software, but it's only a guess, and who wants a list of software we only guess to be safe?
It's flat out an unsolvable problem. We can only minimize it. Even in tightly administered networks that don't give normal users install privileges, the admins have them (oops there's that trust bugaboo again!) and if an admin screws up the whole network is pwned.

How does any malware modify the system? Either by the user entering the password or by some security hole like a buffer overflow. You seem to imply that things like execution of arbitrary code due to buffer overflows (or other security flaws) do not exist, when they are being reported almost weekly for some piece of software.
so can this java applet do all that? is there a zero day exploit it can use out there? or does it totally rely on stupid?
Actually that is exactly the reason. That's not to say that Java is insecure like the commenter was implying. However one of the major reasons Apple is no longer going to write their own Java updates is because they were always a version behind, and the biggest reason you want to have the latest release of Java is security. Frankly for most users it's probably better just not to have it installed at all. I'm sure most people don't have any Java programs installed, and no matter how secure Java is it still poses an additional security risk.
Yup just thought the same thing. Just block the thing and you then run one of the free tools. We'll see if this will become a big deal.
Da Bears!

Actually that is exactly the reason. That's not to say that Java is insecure like the commenter was implying. However one of the major reasons Apple is no longer going to write their own Java updates is because they were always a version behind, and the biggest reason you want to have the latest release of Java is security.
I am also inclined to believe so. And for those who already forgot it, let me recall that sometime last year (or the beginning of this one) there was a serious security hole in java that remained unpatched for many months in OS X. Since then I disabled java in Safari and never looked back again. Of course this is not the reason why Apple is leaving java, but I suspect that it played an important role in combination with the slow down in the java updates rate for Mac OS X, which probably happened for other reasons.
For the present one, yes, the user is the weak link in the chain and I don't see what else could be done if not to alert the user that unknown code is about to run.
Why? The best antivirus software on the planet is not going to prevent the biggest cause of infection these days...the freaking idiot behind the keyboard that allows any dialog box that pops up.


Do people not read threads before posting in them? You seem not to understand what a Trojan is, but if you'd read the thread you may be enlightened.
To expand on what's been said already, think about the name: Trojan. Where does that name come from? Answer: the Trojan Horse. The whole point of a Trojan is that it makes the user think they want it, so the user installs it and runs it, but then it does unpleasant things. But you gave it your password, you gave it permission to run, it's your fault that it just pilfered all your contacts or deleted all your files etc etc. Trojans do not exploit OS or 3rd party software vulnerabilities, they exploit user vulnerabilities.
I would like to point out that in the original myth the Trojans were warned NOT to bring the horse into the city by Trojan priest Laocoön, but he was killed by Poseidon via sea serpent.

OSX is being Laocoön here and the user doesn't have the excuse of Poseidon but rather his own stupidity in letting his horse in his city.


This isn't a Java exploit.
It is a Social Engineering exploit written in Java for several platforms at once. There are few measures to prevent Social Engineering attacks that a) work; and b) are worth the price in terms of usability.
He said "near future" not the future in general. User savvy is still all that's required on OS X, and in any case, anti-virus can't protect against new threats that haven't been added to the blacklist yet. Even with anti-virus, you still need the aforementioned savvy. In fact, there is a risk to the less savvy user that if they install an anti-virus package, they think they don't need to be careful any more about what they allow their computer to do, because the anti-virus will protect them, right?
© 2013 AppleInsider is powered by Huddler Tech | FAQ | Support | Privacy/TOS | Site Map








