or Connect
AppleInsider › Forums › Software › Mac OS X › Latest Mac trojan spreads through Microsoft Word documents
New Posts  All Forums:Forum Nav:

Latest Mac trojan spreads through Microsoft Word documents - Page 2

post #41 of 65
Quote:
Originally Posted by d-range View Post

Maybe you should educate yourself about Java a little more before you make statements like that, because the piece you quoted in your reply is full of factual errors.

That said, I know a fair bit of Java myself, having written somewhere in the neighbourhood of some 300K lines of Java code (rough guesstimate) spread over different projects and problem domains, over a timeframe of about 15 years, and I absolutely ff-ing hate it. It's probably one of the worst programming languages you can use today, and if it weren't for the fact that it garnered such a large following and billions of lines of legacy code, nobody would ever use it voluntarily. There's a reason people felt the need to create something like Scala.

Java as a programming language is garbage. Unless you are masochistic, there are plenty of alternatives you can use that are better in every aspect imaginable except ubiquity.

Thank you for eloquently expressing my feelings towards Java so succinctly. It is the COBOL of the 21st century.
post #42 of 65
How about I fix this for you AI..

Latest Mac trojan spreads through Microsoft Word documents on unpatched versions of Office for Mac 2004 and 2008, which have had NO security patches installed since early 2009.

There, sorted.
post #43 of 65
Quote:
Originally Posted by d-range View Post

While technically correct, almost all Java runtimes that you will find on desktop systems are built off the exact same source code as the official Oracle runtime. They open-sourced it about 5 years ago, and anyone can build their own JRE and JDK as long as you are abide by the license terms. OpenJDK (which is the de facto standard JDK you'll find on open-source operating systems) is now even officially the reference implementation of the language and SDK.

Apple's JRE implementation predates OpenJDK by a long shot. I remember working with Apple's engineers at the WWDC in 2003 tracking down JRE bugs via gdb, and their implementation looked significantly different from others I'd worked with before at the time (notably the Linux Blackdown implementation). It was mostly done in Objective-C and Cocoa. Which is how they were able to create the Cocoa-Java bridge (popular at the time, but now defunct).

Before you get all high and mighty about how many lines of code you've written in Java and whatnot, remember that some of us have also worked with Java for a very long time as well. So let's change the tone a bit.

With regard to the programming language wars -- totally irrelevant. Any application runtime can and will have security holes to be exploited. Just because you've moved on to the next programming language du jour doesn't mean that people won't find similar security holes along the way with its runtime.

You don't like the language, that's fine: every painter is allowed to have their own preferences in tools and mediums. But I've suffered enough developers who have to evangelize whatever new technology they decide to claim as their own (while completely dismissing everything else they've ever worked with before) to know that 'blind faith' is rarely beneficial.

Java still serves a purpose, there are still a number of good cross-platform applications which use it, so to launch a smear campaign against it which plays on FUD doesn't benefit anyone.
 
Reply
 
Reply
post #44 of 65
Quote:
Originally Posted by irnchriz View Post

How about I fix this for you AI..

Latest Mac trojan spreads through Microsoft Word documents on unpatched versions of Office for Mac 2004 and 2008, which have had NO security patches installed since early 2009.

There, sorted.

Just to add. Microsoft has this security bulletin linked by CVE regarding this vulnerability. Here is the Microsoft bulletin (from 2009) and it was patched back then for both Office 2004 and 2008 (and Windows version of Office).

So the Office angle of this attack was already patched if you have Office 2004 / 2008, just make sure you are up to date with your updates on Office.
post #45 of 65
Quote:
Originally Posted by sedney View Post

I'm using Word 2008 - didn't know it was a joke - better than giving Microsoft more money for the latest version though

Actually, Office 2011 is a lot better than 2008, especially Excel has improved to the point where it's not utter crap anymore, but rather just plain crap half of the time...
42 = 54 base 13
Reply
42 = 54 base 13
Reply
post #46 of 65
Quote:
Originally Posted by irnchriz View Post

How about I fix this for you AI..

Latest Mac trojan spreads through Microsoft Word documents on unpatched versions of Office for Mac 2004 and 2008, which have had NO security patches installed since early 2009.

There, sorted.

Thanks for clarifying this, Phewww. I'm on 2011 office for mac and so will my mom when she gets her new iMac tomorrow. Hopefully all is good
post #47 of 65
Most of the media is very sloppy about differentiating a virus from a trojan. My wife and daughter still use Windows and so I have to maintain their machines. I always keep them patched up. But, I can't remember the last time the security software caught something. That's because I taught my wife and daughter three simple things.

1. In life, if something seems too good to be true, it usually isn't true. On the internet it is never true.
2. If someone wants you to click on a URL, look carefully at the part just before the ".com". If it is not who claimed to have sent it, don't click. And, if you are the least bit suspicious, go directly to the URL instead of clicking the link.
3. Any time you have a suspicion about something go to snopes.com and see if it's legit.

With these simple ideas, they just don't get themselves in trouble. It helps that they don't download porn, or torrents or other stuff that gets them on the bad side of the internet tracks. No platform can be secure against stupidity. So when people say that OS X is inherently more secure, that doesn't mean that a careless user is not going to be able to compromise their machine. It means that it is unlikely that a cautious user is not going to get in trouble.
post #48 of 65
Quote:
Originally Posted by I am a Zither Zather Zuzz View Post

That is because OSX is inherently insecure.

Which is why my desktop which hasn't had flash, java or Office installed since I bought it last August is teeming with trojans, viruses etc

Oh wait.
post #49 of 65
Quote:
Originally Posted by irnchriz View Post

How about I fix this for you AI..

Latest Mac trojan spreads through Microsoft Word documents on unpatched versions of Office for Mac 2004 and 2008, which have had NO security patches installed since early 2009.

There, sorted.

Quote:
Originally Posted by Sasparilla View Post

Just to add. Microsoft has this security bulletin linked by CVE regarding this vulnerability. Here is the Microsoft bulletin (from 2009) and it was patched back then for both Office 2004 and 2008 (and Windows version of Office).

So the Office angle of this attack was already patched if you have Office 2004 / 2008, just make sure you are up to date with your updates on Office.

So why is this even a story on AI today if it was patched nearly three years ago? AI grasping at straws?
post #50 of 65
Quote:
Originally Posted by Mazda 3s View Post

So why is this even a story on AI today if it was patched nearly three years ago? AI grasping at straws?

I'm guessing that it was only recently verified to be an OS X problem -- likely the patch was in response to an Office for Windows breach.
post #51 of 65
Ditto. Began when I updated to 10.7.3 and the latest Flash.

Quote:
Originally Posted by mr O View Post

I am having troubles watching some of the youtube videos in Safari. The video never plays or attempts to play. Ultimately it is asking me to force reload the other open pages.

I am now watching youtube videos on Firefox. No problems there.

Yes I am using the latest Apple's operating system and I am doing regular updates.
post #52 of 65
Quote:
Originally Posted by canadan View Post

Thanks for clarifying this, Phewww. I'm on 2011 office for mac and so will my mom when she gets her new iMac tomorrow. Hopefully all is good

One does hope you're not paying for that piece of crap Pirate Bay gives you a great discount.
post #53 of 65
Quote:
Originally Posted by CGJ View Post

One does hope you're not paying for that piece of crap Pirate Bay gives you a great discount.

I don't condone that. I don't care how terrible the company or software.

But that's me.

Originally Posted by asdasd

This is Appleinsider. It's all there for you but we can't do it for you.
Reply

Originally Posted by asdasd

This is Appleinsider. It's all there for you but we can't do it for you.
Reply
post #54 of 65
Quote:
Originally Posted by mr O View Post

I am having troubles watching some of the youtube videos in Safari. The video never plays or attempts to play. Ultimately it is asking me to force reload the other open pages.

I am now watching youtube videos on Firefox. No problems there.

Yes I am using the latest Apple's operating system and I am doing regular updates.

This is a known HTML5 issue with the way youtube encodes video. Firefox uses a different mechanism. Safari can play the videos but only when its cookies have been reset for youtube.com. Trouble is, they keep resetting back to the default which is the "bad" setting. To fix this temporarily, in Safari go to Preferences:Privacy, click the "Details" button located below and to the right of the "Remove All Website Data..." button. Select the "youtube.com" line item (might need to scroll for it) and then hit the "Remove" button.

If necessary, reload your current (non-playing) youtube page and it should play fine (until youtube resets its cookies back to default again).

There may be a way to fool Youtube into thinking you're not running Safari (under the "Develop" menu) but none of the alternatives I've tried there has worked for me.
post #55 of 65
Quote:
Originally Posted by I am a Zither Zather Zuzz View Post

That is because OSX is inherently insecure.

Windows is built on DOS. DOS had 0% security. Windows NT moved away from DOS as its under-pinning but due to needing backwards compatibility with old DOS programs implemented DOS in a way that it introduced more security holes while largely breaking the DOS apps it was trying to remain compatible with.

Windows NT 4.0 was built on top of Windows NT 3.51 in much the same way Win95 was built on top of Windows 3.11. In both cases new security holes were brought in while most of the old ones remained for backwards compatibility reasons.

2K was built on top of NT 4.0, XP on top of 2K, Vista was a rewrite but to retain backwards compatibility introduced a new way to achieve the same security flaws and of course Win7 is built on top of Vista, and Win8 is built on top of Win7.

Mac OS X however is built on top of FreeBSD which in itself was designed ground up to be extremely secure. The UNIX under-pinnings of Mac OS X means it is actually inherently SECURE.

Of course anyone with half a brain who can do some research would have found that out in a heartbeat but thanks for trying.
post #56 of 65
Quote:
Originally Posted by tdmelvin View Post

^^^ This! Changed over to iWork for everything, and haven't looked back once. Everything converts and exports fine; at least for me and my needs.

...but, but, but you need Office because you might have to write a 6,000 page spreadsheet with advanced pivot tables which is REAL work, apparently Numbers doesn't cut it.*

*In the world according to Microsoft apologists.

P.S. I am also quite happy with iWork, it does everything I need to do.
A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this...
Reply
A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this...
Reply
post #57 of 65
Quote:
Originally Posted by softeky View Post

This is a known HTML5 issue with the way youtube encodes video. Firefox uses a different mechanism. Safari can play the videos but only when its cookies have been reset for youtube.com. Trouble is, they keep resetting back to the default which is the "bad" setting. To fix this temporarily, in Safari go to Preferences:Privacy, click the "Details" button located below and to the right of the "Remove All Website Data..." button. Select the "youtube.com" line item (might need to scroll for it) and then hit the "Remove" button.

If necessary, reload your current (non-playing) youtube page and it should play fine (until youtube resets its cookies back to default again).

There may be a way to fool Youtube into thinking you're not running Safari (under the "Develop" menu) but none of the alternatives I've tried there has worked for me.

Off course it's got nothing to do with Google wanting people to switch to Chrome.

I see Google was whining the other day about parts of the web becoming unavailable for their exploitation.
A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this...
Reply
A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this...
Reply
post #58 of 65
Quote:
Originally Posted by hill60 View Post

...but, but, but you need Office because you might have to write a 6,000 page spreadsheet with advanced pivot tables which is REAL work, apparently Numbers doesn't cut it.*

*In the world according to Microsoft apologists.

P.S. I am also quite happy with iWork, it does everything I need to do.

I'm the last person anyone would call a "Microsoft apologist" (are there any around now, anyway?) but when your business builds advanced reports littered with pivot tables then no, Numbers won't work. Good for you that all you need are simple worksheets where Numbers does fine. Others don't have that luxury. Like it or not, Excel is the one Microsoft product that most consider as as a gold standard and few see anything coming along that's going to change that.
post #59 of 65
Quote:
Originally Posted by DrDoppio View Post

Haha, very funny.

For those that didn't get the joke, Android has nothing to do with this -- it has neither the JVM, nor MS Office. This is a Mac OS problem exclusively.

So if I do not have MS Office installed and opened one of these files using Pages (or another app), it would still do something to my Mac?
post #60 of 65
Quote:
Originally Posted by auxio View Post

Let's clear up the misconceptions here:<snip>

So, if security holes exist in the Mac OS X Java runtime only (not all Java runtimes), then the problem is with that particular implementation, and not the Java specification itself.

One more interesting point: up until Mac OS X 10.7, it was Apple themselves who created and maintained the Java runtime for Mac OS X. I believe, but am not certain, that the source code for that exact runtime was passed on to Oracle when the reigns of maintenance switched hands. Which, if true, means that it could potentially be Apple's fault these security holes exist, not Oracle's.

Regardless, to mindlessly maintain that Java is the problem is to only look skin deep.

As you so eloquently said: Let's clear up the misconceptions here

There have been a legion and a half security issues within the Java specification. Yes I said in the specification, not only in the implementation. Often those vulnerabilities are in what and how the specification says some things must be handled. This is why there have been more than just a few cross platform Java vulnerabilities over the years.

You also don't seem to realize that OpenJDK Java 7 is not released yet on OS X, so the code Apple turned over the project, not Oracle, has not been turned around to the Java 7 public yet. The previous Java versions are all in-house Apple development efforts, so yes Apple has final responsibility for those. A responsibility that isn't so easy the way Oracle/Sun has treated non-in-house JRE development over the years.

So you might have accidentally made a couple mostly correct guesses in your analysis, but the rest showed you don't have enough knowledge about what you are were writing. So rather than grasp at straws and fatally oversimplify, just stick to what you know.
.
Reply
.
Reply
post #61 of 65
Quote:
Originally Posted by Hudson1 View Post

I'm the last person anyone would call a "Microsoft apologist" (are there any around now, anyway?) but when your business builds advanced reports littered with pivot tables then no, Numbers won't work. Good for you that all you need are simple worksheets where Numbers does fine. Others don't have that luxury. Like it or not, Excel is the one Microsoft product that most consider as as a gold standard and few see anything coming along that's going to change that.

These people using the advanced features of excel are often behind corporate firewalls, are they not?

For the average home user, the target of these attacks, who is incapable of running automatic Office updates which patched this vulnerability in 2009, I'd hazard a guess to say that most of them aren't using advanced features of Office and so can make do with iWork.
A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this...
Reply
A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this webpage so it was reloaded.A problem occurred with this...
Reply
post #62 of 65
Quote:
Originally Posted by mr O View Post

I am having troubles watching some of the youtube videos in Safari. The video never plays or attempts to play. Ultimately it is asking me to force reload the other open pages.

I am now watching youtube videos on Firefox. No problems there.

Yes I am using the latest Apple's operating system and I am doing regular updates.

There can be a lot of explanations for this. 1 of the most common that we've seen is MS Office for Mac updates webkit & breaks Safari, a manual download & re-install fixes the issues. In your case I'm not sure that is the cause, I'd open Disk Utility from /Applications/Utilities and run a Permissions repair. From time to time the flash installer breaks permissions with certain flash releases & running a permissions repair resolves the issues. Permissions repair looks at the installer's receipts & makes sure permissions during install are the same as what the receipt says they should be. A reboot after that wouldn't hurt, if you're on Lion I would uncheck for it to save your settings at logout when prompted.
post #63 of 65
[QUOTE=AppleInsider;2096368]A new version of a backdoor trojan for Apple's OS X operating system takes advantage of an exploit in Microsoft Word to spread.


Let's hear it for the majorcrap Office, Outlook, Explorer, and Operating System virus proliferation platform. It's like an petri dish on steroids.
post #64 of 65
Windows is bringing viruses on Mac too. Lol.

my way or the highway...

Macbook Pro i7 13" with intel SSD 320 series and 8GB RAM, iPhone 5, iPad 3 (Retina)

Reply

my way or the highway...

Macbook Pro i7 13" with intel SSD 320 series and 8GB RAM, iPhone 5, iPad 3 (Retina)

Reply
post #65 of 65

 

Quote:
Originally Posted by softeky View Post


This is a known HTML5 issue with the way youtube encodes video. Firefox uses a different mechanism. Safari can play the videos but only when its cookies have been reset for youtube.com. Trouble is, they keep resetting back to the default which is the "bad" setting. To fix this temporarily, in Safari go to Preferences:Privacy, click the "Details" button located below and to the right of the "Remove All Website Data..." button. Select the "youtube.com" line item (might need to scroll for it) and then hit the "Remove" button.

If necessary, reload your current (non-playing) youtube page and it should play fine (until youtube resets its cookies back to default again).

There may be a way to fool Youtube into thinking you're not running Safari (under the "Develop" menu) but none of the alternatives I've tried there has worked for me.

 

I use ClicktoFlash, it works much better than being an HTML5 beta tester and I have no issues at all with Safari on YouTube.  I noticed long ago that their HTML5 was goofy in Safari, not sure who's fault that is but don't much care.  Since it's Google it's forever beta so good luck getting them to give a crap about it.

New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Mac OS X
AppleInsider › Forums › Software › Mac OS X › Latest Mac trojan spreads through Microsoft Word documents