Apple issues second OS X Java update this week

post #1 of 29
Thread Starter 
Apple on Thursday rolled out its second Java update for OS X in less than a week via Software Update.

Java for OS X 2012-002 appeared on Software Update just two days after version 2012-001 was released on Tuesday. Apple also released Java for Mac OS X 10.6 Update 7 earlier in the week.

It's not immediately clear, however, how the most recent update differs from the earlier version, as Apple's links for more detail and information point to the same page as the old update. Java for OS X 2012-001 resolved multiple vulnerabilities in Java, the most serious of which could "allow an untrusted Java applet to execute arbitrary code outside the Java sandbox."

On Wednesday, a Russian antivirus company revealed that an estimated 600,000 Macs had been infected by a "Flashback" trojan that exploited the Java vulnerability to turn the computers into bots. The majority of the infected computers were located in the U.S.




The virus was first discovered by a security firm last September. F-Secure has posted a tutorial on how to detect and remove the threat.




post #2 of 29
Well something must've gone wrong, or there was an oversight. Hopefully it was of the unremarkable variety.
post #3 of 29
Again, is it a "trojan" or a "virus"? Get your terms together.
post #4 of 29
After I installed the earlier Java update, my MBP would no longer output a signal to my external monitor at home (mini DP to DVI), but it was outputting fine to my external monitor at work.

I just installed this second update and my external monitor at home immediately started working again.
post #5 of 29
Quote:
Originally Posted by AppleInsider View Post

It's not immediately clear, however, how the most recent update differs from the earlier version, as Apple's links for more detail and information point to the same page as the old update.

In fact, the "Download" button brings down 2012-001, not 2012-002. The SHA1 hash of the "new" download matches that of 2012-001. At least, that was the case an hour or so ago when I downloaded it.

So it appears as if Apple merely changed the name of the entry on the Support Downloads page, but not the issue date or that to which it links (info or file).
post #6 of 29
As a person whose Mac was infected under Lion by this trojan, and removed it yesterday, I sure would like to know more about why Apple included another Java update 2 days after the first one.

Edit: Since posting, I have found what was changed by Apple in this new Java update. This is from Apple's Java mailing list:

Java developers,

Today we re-shipped our Java 1.6.0_31 for OS X Lion today to address a critical issue we found in Xcode and the Application Loader tool. This new "Java for OS X 2012-002" package is effectively identical to "Java for OS X 2012-001", with the exception of a few symlinks and version numbers.

For the sake of expediency, we have re-rolled the automatic update as our standard full combo updater, with the hope that most users have not yet been presented with 2012-001. We considered creating a delta update for users who already installed 001, but that would have made the process of getting these fixes to you take longer.

We apologize for the inconvenience, and would like to offer our thanks to the developers who caught this issue and reported it to us as quickly as they did. This issue only impacts Lion users, so Snow Leopard users have nothing to reinstall.

Over the next few days, we will catch up with producing updated release notes, tech notes, and developer packages with the revised 002 version numbers.

Manual download links:
Java for OS X 2012-002: <http://support.apple.com/kb/DL1515>
Java for Mac OS X 10.6 Update 7: <http://support.apple.com/kb/DL1516>
post #7 of 29
I'm wondering why I haven't received this Java security update or the first one in Apple's software update. Is the Java code this updates something that needs to be installed outside of a regular Lion install?
post #8 of 29
Quote:
Originally Posted by adamw View Post

...
Over the next few days, we will catch up with producing updated release notes, tech notes, and developer packages with the revised 002 version numbers.

Manual download links:
Java for OS X 2012-002: <http://support.apple.com/kb/DL1515>
...

That link does not work for me. As I said, it downloads 2012-001. After installation, Software Update still wants to install 002.

Eventually, I captured 002 by copying the directory produced by Software Update (before the install completes and deletes it) - /Library/Updates/041-5436. I was then able to copy this directory to my other machines and install 002 by executing the package 041-5436.English.dist.

I understand that the Java packagers wanted to get a release out immediately and cut a lot of corners. However, I don't believe that they should have changed the name of the 001 update on the Support Downloads page.

If the update is only available through Software Update, they should just have pulled the 001 package from the Support Downloads page.

I'm sure that many people will be confused (as I was) by downloading what they believed to be the 002 update from the Support Downloads page, only to have it re-install the 001 package.
post #9 of 29
Since I found I was infected with this yesterday and removed it, I was told to download the "Little Snitch" app, which I googled and installed the 3 hour demo of. I thought my system was clean of this trojan, as I followed the F-Secure removal instructions, but it appears this trojan installs other stuff once it gets in (via the Java exploit).

Little Snitch informed me that a file named .rserv (~/.rserv) in my Users directory on my Mac was trying to connect to cuojshtbohtnet.com or .net and several other strange sounding web sites. I denied them doing so and Googled .rserv and another program on my Mac that was doing similar attempts.

Also watch out for a file named: com.adobe.reader.plist in user launch agents directory. It was attempting to contact these same strange websites as .rserv was. I Googled these names and found in the last few days many other Mac users are seeing this same behavior when catching these "buggers" via the "Little Snitch" app.

Again, even though my system showed clean via the F-Secure instructions after I removed the infected files they mention, I believe I still had 2 other infected program files (same file date of March 29th also) related to this trojan that went undetected, and were only found by running this "Little Snitch" app which monitors programs trying to use your outgoing Internet connection.
post #10 of 29
I thought Apple got rid of Java, did I miss something?
post #11 of 29
Quote:
Originally Posted by ljocampo View Post

I'm wondering why I haven't received this Java security update or the first one in Apple's software update. Is the Java code this updates something that needs to be installed outside of a regular Lion install?

Go to the Apple logo on the top and hit it and you will see Apple updates right there. I downloaded 2 today. I have the LION OS also.
post #12 of 29
Quote:
Originally Posted by JeffDM View Post

I thought Apple got rid of Java, did I miss something?

Java isn't developed by Apple. They stopped supplying it as part of the OS X installation, in the same way as they don't provide other third-party software, such as the Flash plug-in. It's third-party software, and as it's no longer essential to the OS it's not going to be included as part of the standard installation.

I think their judgement in leaving Java behind has now been justified...
post #13 of 29
I've had Java disabled in my Safari security prefs for years (something similar to this was going around, I suspect).

What am I missing by not having Java enabled? As far as I can tell, the sites operate quite well without Java.
post #14 of 29
Quote:
Originally Posted by ljocampo View Post

I'm wondering why I haven't received this Java security update or the first one in Apple's software update. Is the Java code this updates something that needs to be installed outside of a regular Lion install?

You haven't installed Java yet. Go to a web page that requires it and search on "java version test". Perform the test to force the download.
post #15 of 29
The new Java update fixed my problem launching Stanza on Lion that started with the first update. I was about to give up on Stanza and accept it was just too old but now it's back to working fine again. Obviously the first Java update broke some existing apps and that has now been corrected.
post #16 of 29
Quote:
Originally Posted by linuxhead64 View Post

You haven't installed Java yet. Go to a web page that requires it and search on "java version test". Perform the test to force the download.

Actually, my recommendation would be to not install it at all unless you have a need for it. Especially given Apple's tendency to release updates for it weeks/months after Oracle does.
post #17 of 29
Quote:
Originally Posted by nkhm View Post

Java isn't developed by Apple. They stopped supplying it as part of the OS X installation, in the same way as they don't provide other third-party software, such as the Flash plug-in. It's third-party software, and as it's no longer essential to the OS it's not going to be included as part of the standard installation.

I think their judgement in leaving Java behind has now been justified...

I raised my question because I thought that Apple wasn't supporting it or including it anymore, but the updates are still coming through Apple, for the latest OS.
post #18 of 29
I know E*trade uses Java for their real-time streaming quotes so I have to keep it activated in Safari. Java is not quite dead just yet. I bet there are a lot of sites using it legitimately.
post #19 of 29
Quote:
Today we re-shipped our Java 1.6.0_31 for OS X Lion today...This new "Java for OS X 2012-002" ... identical to "Java for OS X 2012-001..Java for Mac OS X 10.6 Update 7...

WTF is with all these different naming conventions? No wonder users are confused about which is the most recent version for their system and whether they've been updated.
post #20 of 29
I wonder where "solipsism x" and "mister me" are right now? Surely they would like to weigh in on the mac virus debacle. Perhaps they are too busy eating crow right now.
post #21 of 29
I'm generally on Apple's side whenever some media outlet cries wolf over some imagined Apple security blunder. In the past, it's all been massively exaggerated.

However, in this case, Apple really screwed up. They screwed up because 10 years ago they insisted on distributing their own version of Java, and then backed away from that commitment and neglected Java to the point where major updates would be a year late and security updates were months late.

This is the case of the latter. It's one thing to delay integrating features, which is an acceptable annoyance. But delaying these sorts of security updates, especially for trojans/viruses that can bypass a user's administrative password, is grossly irresponsible.

Until Apple can completely hand over OS X Java distribution to Oracle (the Java 7 JRE will be distributed by Oracle in the fall), Apple needs to be far more vigilant in applying these sorts of security updates.

Also, Apple needs to ensure that Java is disabled by default in Safari, which I don't believe it is now.

And, for the record, I know the "600,000" Mac botnet figure is exaggerated. That doesn't excuse Apple's neglect.
post #22 of 29
Quote:
Originally Posted by marvfox View Post

Go to the Apple logo on the top and hit it and you will see Apple updates right there. I downloaded 2 today. I have the LION OS also.

Doing this just calls up Apple's Software Update program. I was clear that I've done that been there, and Software Update says there is nothing to update.
post #23 of 29
Quote:
Originally Posted by linuxhead64 View Post

You haven't installed Java yet. Go to a web page that requires it and search on "java version test". Perform the test to force the download.

OK, I now understand what's going on. I have this utility program in the Utility folder called "Java Preferences." Seeing this I wrongly thought Java was installed. I double clicked on the program and it told me I need to install the Java Runtime. It offered to get it and install it for me but I declined. If I haven't needed this since I installed Lion, I probably will never need it, and could download it if I ever do need it. Problem solved. This Java security fix for the trojan which can't infect me since I have no Java Runtime installed. Plus I use Little Snitch and ClamXav.
post #24 of 29
Quote:
Originally Posted by ericblr View Post

I wonder where "solipsism x" and "mister me" are right now? Surely they would like to weigh in on the mac virus debacle. Perhaps they are too busy eating crow right now.

Perhaps you'd like to revise your belief of what a "virus" is.

Note that OS X remains as secure as it has always been. You install third party crap (Java, Flash, et al.), you're going to get this sort of thing.
post #25 of 29
Quote:
Originally Posted by adamw View Post

Since I found I was infected with this yesterday and removed it, I was told to download the "Little Snitch" app, which I googled and installed the 3 hour demo of. I thought my system was clean of this trojan, as I followed the F-Secure removal instructions, but it appears this trojan installs other stuff once it gets in (via the Java exploit).

Little Snitch informed me that a file named .rserv (~/.rserv) in my Users directory on my Mac was trying to connect to cuojshtbohtnet.com or .net and several other strange sounding web sites. I denied them doing so and Googled .rserv and another program on my Mac that was doing similar attempts.

Also watch out for a file named: com.adobe.reader.plist in user launch agents directory. It was attempting to contact these same strange websites as .rserv was. I Googled these names and found in the last few days many other Mac users are seeing this same behavior when catching these "buggers" via the "Little Snitch" app.

Again, even though my system showed clean via the F-Secure instructions after I removed the infected files they mention, I believe I still had 2 other infected program files (same file date of March 29th also) related to this trojan that went undetected, and were only found by running this "Little Snitch" app which monitors programs trying to use your outgoing Internet connection.

This is a great/valuable post, adamw.

I would say in light of these additional findings to do this:

(1) Remove that .rserv file from your home Folder
(2) Unload the fake com.adobe.reader.plist LaunchAgent file with launchctl and remove it
(3) If you are Terminal.app savvy, add something like

127.0.0.1 cuojshtbohtnet.com cuojshtbohtnet.net

to your /etc/hosts file iff you can remember the exact spelling of the domain name(s) (those 2 names aren't real domains, according to a DNS lookup)
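
A read-only check for the two artifacts named in posts #9 and #25, added here as an example and not part of any poster's message or of the F-Secure instructions. The function name `flashback_triage` and its arguments are assumptions, and the `.rserv` lookup inside the LaunchAgent assumes an XML (not binary) plist.

```shell
#!/bin/sh
# Added example: reports the artifacts described in this thread. It only
# reads; nothing is deleted, unloaded or written.

# flashback_triage HOME_DIR [HOSTS_FILE]
# Prints one line per observation. Returns 1 if either file artifact is
# present, 0 otherwise. Both parameters are hypothetical conveniences so the
# check can be pointed at a mounted backup or another user's home.
flashback_triage() {
    home_dir=$1
    hosts_file=${2:-/etc/hosts}
    findings=0

    rserv="$home_dir/.rserv"
    agent="$home_dir/Library/LaunchAgents/com.adobe.reader.plist"

    if [ -e "$rserv" ]; then
        echo "FOUND hidden file: $rserv"
        findings=$((findings + 1))
    fi

    if [ -e "$agent" ]; then
        echo "FOUND LaunchAgent: $agent"
        findings=$((findings + 1))
        # If the plist names .rserv, the two artifacts belong together.
        if grep -q '\.rserv' "$agent" 2>/dev/null; then
            echo "  LaunchAgent references .rserv"
        fi
    fi

    # Report whether the two domains from the thread are pinned to loopback.
    # Commented-out lines and trailing "# ..." comments are ignored.
    for d in cuojshtbohtnet.com cuojshtbohtnet.net; do
        if awk -v d="$d" '
            $1 == "127.0.0.1" {
                for (i = 2; i <= NF; i++) {
                    if ($i ~ /^#/) break
                    if ($i == d) found = 1
                }
            }
            END { exit !found }' "$hosts_file" 2>/dev/null; then
            echo "pinned to 127.0.0.1: $d"
        else
            echo "NOT pinned in $hosts_file: $d"
        fi
    done

    [ "$findings" -eq 0 ]
}

# Run against the current user only when asked: sh triage.sh --scan
if [ "${1:-}" = "--scan" ]; then
    flashback_triage "$HOME"
fi
```
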
post #26 of 29
Thanks for the extra information about removing the trojan...

Here is a new report which finds that a secondary source, Kaspersky Labs, has also verified the 600,000+ figure of Macs infected with this trojan. They did testing to confirm Dr. Web's initial reporting of the trojan's number of infected Macs. Very interesting. They say 1% of Macs are infected with this trojan.

http://www.zdnet.com/blog/bott/secon...lashback/4737?
post #27 of 29
I was a Windows user for 14 years, so maybe that's why I've stopped hating the OS maker for every malware found. In that case I would become the most notorious Microsoft hater.

I see that Apple has sped up their Java update, that's good.
post #28 of 29
Quote:
Originally Posted by WelshDog View Post

I know E*trade uses Java for their real-time streaming quotes so I have to keep it activated in Safari. Java is not quite dead just yet. I bet there are a lot of sites using it legitimately.

Maybe. I wonder if it's still really necessary for the web though. The site I've seen Java used on last week was done poorly and I've seen the same task done much better using other methods, and that's the only time I've seen Java used on the web so far this decade. Even the one huge Java evangelist that I know seems to have changed his mind about the platform. I don't think the platform will ever really go away, but its glory days, if it had any, are over.
post #29 of 29
Quote:
Originally Posted by JavaCowboy View Post

Also, Apple needs to ensure that Java is disabled by default in Safari, which I don't believe it is now.

I'd say all 3rd-party code execution should only be enabled on a case-by-case basis, including Flash.

They need to fix the root of the problem though, which is the dynamic library linking to the Safari executable. Browsers should be the most isolated and locked down apps in the whole OS.

Allowing a user-level dynamic library to install and run without permission and hijack a browser is just asking for trouble. At the very least, Safari could check pre-loaded libraries and warn users that Safari is running in a modified state.

Quote:
Originally Posted by JavaCowboy View Post

And, for the record, I know the "600,000" Mac botnet figure is exaggerated.

They did a sample of incoming unique connections to a dummy server. It wasn't an estimate. If anything, it's a minimum amount of infections:

https://news.drweb.com/show/?i=2341&lng=en&c=14

Quote:
Originally Posted by ericblr

I wonder where "solipsism x" and "mister me" are right now? Surely they would like to weigh in on the mac virus debacle. Perhaps they are too busy eating crow right now.

For those who are commenting on the supposedly impenetrable security of OS X, there are a few things to consider:

- this is an exploit in Java, which is no longer preinstalled with OS X
- it is an exploit that is only available while Java is enabled in Safari

This vulnerability does not affect OS X 10.7 in its default state. So OS X, as Apple currently ships it has no known security flaws. OS X 10.6 has 1. Far better than the alternatives I reckon.

Users always need to be cautious over phishing scams and malware distributed via 3rd parties though.