Latest Mac trojan spreads through Microsoft Word documents - Page 2

Thank you for eloquently expressing my feelings towards Java so succinctly. It is the COBOL of the 21st century.

How about I fix this for you AI..

Latest Mac trojan spreads through Microsoft Word documents on unpatched versions of Office for Mac 2004 and 2008, which have had NO security patches installed since early 2009.

There, sorted.

Apple's JRE implementation predates OpenJDK by a long shot. I remember working with Apple's engineers at the WWDC in 2003 tracking down JRE bugs via gdb, and their implementation looked significantly different from others I'd worked with before at the time (notably the Linux Blackdown implementation). It was mostly done in Objective-C and Cocoa. Which is how they were able to create the Cocoa-Java bridge (popular at the time, but now defunct).

Before you get all high and mighty about how many lines of code you've written in Java and whatnot, remember that some of us have also worked with Java for a very long time as well. So let's change the tone a bit.

With regard to the programming language wars -- totally irrelevant. Any application runtime can and will have security holes to be exploited. Just because you've moved on to the next programming language du jour doesn't mean that people won't find similar security holes along the way with its runtime.

You don't like the language, that's fine: every painter is allowed to have their own preferences in tools and mediums. But I've suffered enough developers who have to evangelize whatever new technology they decide to claim as their own (while completely dismissing everything else they've ever worked with before) to know that 'blind faith' is rarely beneficial.

Java still serves a purpose, there are still a number of good cross-platform applications which use it, so to launch a smear campaign against it which plays on FUD doesn't benefit anyone.

Just to add. Microsoft has this security bulletin linked by CVE regarding this vulnerability. Here is the Microsoft bulletin (from 2009) and it was patched back then for both Office 2004 and 2008 (and Windows version of Office).

So the Office angle of this attack was already patched if you have Office 2004 / 2008, just make sure you are up to date with your updates on Office.

Actually, Office 2011 is a lot better than 2008, especially Excel has improved to the point where it's not utter crap anymore, but rather just plain crap half of the time...

Thanks for clarifying this, Phewww. I'm on 2011 office for mac and so will my mom when she gets her new iMac tomorrow. Hopefully all is good

Most of the media is very sloppy about differentiating a virus from a trojan. My wife and daughter still use Windows and so I have to maintain their machines. I always keep them patched up. But, I can't remember the last time the security software caught something. That's because I taught my wife and daughter three simple things.

1. In life, if something seems too good to be true, it usually isn't true. On the internet it is never true.
2. If someone wants you to click on a URL, look carefully at the part just before the ".com". If it is not who claimed to have sent it, don't click. And, if you are the least bit suspicious, go directly to the URL instead of clicking the link.
3. Any time you have a suspicion about something go to snopes.com and see if it's legit.

With these simple ideas, they just don't get themselves in trouble. It helps that they don't download porn, or torrents or other stuff that gets them on the bad side of the internet tracks. No platform can be secure against stupidity. So when people say that OS X is inherently more secure, that doesn't mean that a careless user is not going to be able to compromise their machine. It means that it is unlikely that a cautious user is not going to get in trouble.

Which is why my desktop which hasn't had flash, java or Office installed since I bought it last August is teeming with trojans, viruses etc

Oh wait.

So why is this even a story on AI today if it was patched nearly three years ago? AI grasping at straws?

I'm guessing that it was only recently verified to be an OS X problem -- likely the patch was in response to an Office for Windows breach.

Ditto. Began when I updated to 10.7.3 and the latest Flash.

One does hope you're not paying for that piece of crap Pirate Bay gives you a great discount.

I don't condone that. I don't care how terrible the company or software.

But that's me.

This is a known HTML5 issue with the way youtube encodes video. Firefox uses a different mechanism. Safari can play the videos but only when its cookies have been reset for youtube.com. Trouble is, they keep resetting back to the default which is the "bad" setting. To fix this temporarily, in Safari go to Preferences:Privacy, click the "Details" button located below and to the right of the "Remove All Website Data..." button. Select the "youtube.com" line item (might need to scroll for it) and then hit the "Remove" button.

If necessary, reload your current (non-playing) youtube page and it should play fine (until youtube resets its cookies back to default again).

There may be a way to fool Youtube into thinking you're not running Safari (under the "Develop" menu) but none of the alternatives I've tried there has worked for me.

Windows is built on DOS. DOS had 0% security. Windows NT moved away from DOS as its under-pinning but due to needing backwards compatibility with old DOS programs implemented DOS in a way that it introduced more security holes while largely breaking the DOS apps it was trying to remain compatible with.

Windows NT 4.0 was built on top of Windows NT 3.51 in much the same way Win95 was built on top of Windows 3.11. In both cases new security holes were brought in while most of the old ones remained for backwards compatibility reasons.

2K was built on top of NT 4.0, XP on top of 2K, Vista was a rewrite but to retain backwards compatibility introduced a new way to achieve the same security flaws and of course Win7 is built on top of Vista, and Win8 is built on top of Win7.

Mac OS X however is built on top of FreeBSD which in itself was designed ground up to be extremely secure. The UNIX under-pinnings of Mac OS X means it is actually inherently SECURE.

Of course anyone with half a brain who can do some research would have found that out in a heartbeat but thanks for trying.

...but, but, but you need Office because you might have to write a 6,000 page spreadsheet with advanced pivot tables which is REAL work, apparently Numbers doesn't cut it.*

*In the world according to Microsoft apologists.

P.S. I am also quite happy with iWork, it does everything I need to do.

Off course it's got nothing to do with Google wanting people to switch to Chrome.

I see Google was whining the other day about parts of the web becoming unavailable for their exploitation.

I'm the last person anyone would call a "Microsoft apologist" (are there any around now, anyway?) but when your business builds advanced reports littered with pivot tables then no, Numbers won't work. Good for you that all you need are simple worksheets where Numbers does fine. Others don't have that luxury. Like it or not, Excel is the one Microsoft product that most consider as as a gold standard and few see anything coming along that's going to change that.

So if I do not have MS Office installed and opened one of these files using Pages (or another app), it would still do something to my Mac?

As you so eloquently said: Let's clear up the misconceptions here

There have been a legion and a half security issues within the Java specification. Yes I said in the specification, not only in the implementation. Often those vulnerabilities are in what and how the specification says some things must be handled. This is why there have been more than just a few cross platform Java vulnerabilities over the years.

You also don't seem to realize that OpenJDK Java 7 is not released yet on OS X, so the code Apple turned over the project, not Oracle, has not been turned around to the Java 7 public yet. The previous Java versions are all in-house Apple development efforts, so yes Apple has final responsibility for those. A responsibility that isn't so easy the way Oracle/Sun has treated non-in-house JRE development over the years.

So you might have accidentally made a couple mostly correct guesses in your analysis, but the rest showed you don't have enough knowledge about what you are were writing. So rather than grasp at straws and fatally oversimplify, just stick to what you know.

These people using the advanced features of excel are often behind corporate firewalls, are they not?

For the average home user, the target of these attacks, who is incapable of running automatic Office updates which patched this vulnerability in 2009, I'd hazard a guess to say that most of them aren't using advanced features of Office and so can make do with iWork.

There can be a lot of explanations for this. 1 of the most common that we've seen is MS Office for Mac updates webkit & breaks Safari, a manual download & re-install fixes the issues. In your case I'm not sure that is the cause, I'd open Disk Utility from /Applications/Utilities and run a Permissions repair. From time to time the flash installer breaks permissions with certain flash releases & running a permissions repair resolves the issues. Permissions repair looks at the installer's receipts & makes sure permissions during install are the same as what the receipt says they should be. A reboot after that wouldn't hurt, if you're on Lion I would uncheck for it to save your settings at logout when prompted.

[QUOTE=AppleInsider;2096368]A new version of a backdoor trojan for Apple's OS X operating system takes advantage of an exploit in Microsoft Word to spread.


Let's hear it for the majorcrap Office, Outlook, Explorer, and Operating System virus proliferation platform. It's like an petri dish on steroids.

Windows is bringing viruses on Mac too. Lol.

 

 

I use ClicktoFlash, it works much better than being an HTML5 beta tester and I have no issues at all with Safari on YouTube.  I noticed long ago that their HTML5 was goofy in Safari, not sure who's fault that is but don't much care.  Since it's Google it's forever beta so good luck getting them to give a crap about it.