Java-based Trojan horse targets computers running Apple's Mac OS X


Comments

  • Reply 61 of 94
    mr. h Posts: 4,870 member
    Quote:
    Originally Posted by Quadra 610 View Post


    Confirms Apple's decision to remove Java.



    OK, look, this is just baiting me right? I mean, you did read the thread before posting in it, didn't you?



    Oh, and: Apple is not removing Java. They are ceasing to update it and presumably Oracle will take over.
  • Reply 62 of 94
    Quote:
    Originally Posted by Mr. H View Post


    Oh for f**ks sake again! This is not an exploit of any flaw in any software, be it OS, Java, or anything else. It is an exploit of the user, and that's it!



    Take a chill pill, dude. Either RecursiveTroll will get it or he/she won't. Most of us get what you mean, I think.
  • Reply 63 of 94
    Quote:
    Originally Posted by fishstick_kitty View Post


    You sound like an idiot...removing java from the OS X install has NOTHING to do with the security of Java. If there is a security hole here, it's the fault of the OS, not the plug-in.







    It is specifically asking you, the user, to allow modification. Therefore, the OS does indeed know that something that normally should not be modified is going to get changed. The OS is outright asking you to allow these changes.



    No matter what OS that prompt would happen to show up on, because it is a program designed in Java it will run anywhere. I wouldn't fault OS X, Windows, Linux or anything else. This one is on the user.
  • Reply 64 of 94
    Quote:
    Originally Posted by Quadra 610 View Post


    Confirms Apple's decision to remove Java.



    Seriously Quadra?



    This Trojan runs perfectly fine, it's not exploiting a hole in Java, nor a hole in OS X.



    The decision to remove Java from OS X installs means Apple thinks their popularity will entice Oracle to keep Java up to date on their own. It also means OS X updates are finally going to get smaller to download. Perhaps we can have updates more frequently, rather than wait for the updates to come through Apple we can download them ourselves separately.



    It may work, it may not. Maybe Oracle won't put in the resources necessary to maintain feature parity with Windows and Linux. Maybe they will, who knows? I know there were times I wish my nVidia updates would have come out prior to an OS update. Without Apple's input and help in maintaining the code the updates may get fewer and farther between, or not be coded as well.



    There's something to having the hardware manufacturer writing the software for their platform, is there not?
  • Reply 65 of 94
    Disclosure: I'm a Java developer, but I do enterprise server-side development, not web development.



    Having said that, I agree with Apple's decision to deprecate Java, and I'm not foaming at the mouth like some Java devs are. Apple has been slowly backing out of their commitment to Java made in 2000, and this is the continuation of that long process. Losing the Java devs who buy Mac Pros and MacBook Pros would have been devastating to Apple in 2000, now it's a manageable loss. Hopefully, Apple is putting lots of pressure on Oracle to provide a full Java implementation on Mac. They've certainly laid the groundwork for this by re-working their Java file/directory structure from a byzantine mess of files installed all over the filesystem with only one Java runtime allowed per version, to localizing it to a specific directory in which multiple Java runtimes can be installed for the same version. Apple is putting a significant effort into bowing out of its Java commitment gracefully.



    Also, I feel it's Oracle's responsibility to provide a full Java runtime for OS X, including Swing/GUI. Oracle acquired Sun's commitments when they acquired the company, and they absolutely should not back out, especially having committed to Java FX 2.0.



    Also, the Apple Java devs are wonderful, committed and very helpful people. They take a lot of abuse on the java-dev mailing list, and are bound by really tight NDAs that prevent them from commenting on any of the Apple Java policy decisions, but are extremely helpful for specific technical questions, answering emails on the weekends. I make special mention of Mike Swingler.



    I'm concerned about the potential lack of Java on Mac from anyone, and it will make me consider my choice of platform. I'm otherwise extremely satisfied with the Mac experience, and would be extremely reluctant to switch to Linux or Windows (which makes my skin crawl just thinking about it).



    Quote:
    Originally Posted by technohermit View Post


    Seriously Quadra?



    This Trojan runs perfectly fine, it's not exploiting a hole in Java, nor a hole in OS X.



    The decision to remove Java from OS X installs means Apple thinks their popularity will entice Oracle to keep Java up to date on their own. It also means OS X updates are finally going to get smaller to download. Perhaps we can have updates more frequently, rather than wait for the updates to come through Apple we can download them ourselves separately.



    It may work, it may not. Maybe Oracle won't put in the resources necessary to maintain feature parity with Windows and Linux. Maybe they will, who knows? I know there were times I wish my nVidia updates would have come out prior to an OS update. Without Apple's input and help in maintaining the code the updates may get fewer and farther between, or not be coded as well.



    There's something to having the hardware manufacturer writing the software for their platform, is there not?



  • Reply 66 of 94
    zc456 Posts: 96 member
    Quote:
    Originally Posted by CIM View Post


    And this is (one reason) why Apple is getting rid of Java and Flash on Macs, kids.



    Oh please, one coulda easily written this in Objective-C.



    Quote:
    Originally Posted by Mr. H View Post


    Nope, the security hole is the user, as Johnny Mozzarella said.



    However, if a hole exists that an application can penetrate within the operating system, then shouldn't it be fixed regardless of the user's IQ?
  • Reply 67 of 94
    mr. h Posts: 4,870 member
    Quote:
    Originally Posted by Zc456 View Post


    However, if a hole exists that an application can penetrate within the operating system, then should it be fixed regardless of the user?



    Sure. Did I say such holes shouldn't be fixed? Hint: this is a Trojan and it doesn't exploit any security holes in OS X or Java.
  • Reply 68 of 94
    hiro Posts: 2,663 member
    Quote:
    Originally Posted by Zc456 View Post


    Oh please, one coulda easily written this in Objective-C.







    However, if a hole exists that an application can penetrate within the operating system, then shouldn't it be fixed regardless of the user's IQ?



    This CAN'T be fixed. Either you allow a user to install software or you do not.



    If you decide to not allow a user to install software, you no longer have a general purpose computer, you now have a static appliance. That's not the machine people buy computers to be.



    Once the inevitable decision is made to allow a user to install software there is only so much that can be done, such as the dialog box that says there are some problems with the software's identification and do you really want to install it. Once that button is hit to say yes, anything else the OS could possibly do is a version of the Halting Problem. And that is mathematically proven to be an impossible task. Any partial solutions will necessarily be incomplete, and therefore flawed and automatically vulnerable -- yes a built-in and unavoidable vulnerability, one that is unidentified, but guaranteed to be there.



    You cannot even say well we will avoid that by only allowing users to install software that has a valid certificate. The vast majority of software does not have certificates, and most open source and education generated software cannot even qualify for a certificate because there is no "Financially Responsible Entity". For every solution we can create there we can create multiple problems.



    It all comes down to trust and possession. Once anyone is in possession of a machine, and trusted to do anything with it, they can cause bad things to happen, unintentionally or intentionally.
  • Reply 69 of 94
    mr. h Posts: 4,870 member
    Quote:
    Originally Posted by Hiro View Post


    This CAN'T be fixed. Either you allow a user to install software or you do not.



    If you decide to not allow a user to install software, you no longer have a general purpose computer, you now have a static appliance. That's not the machine people buy computers to be.



    Once the inevitable decision is made to allow a user to install software there is only so much that can be done, such as the dialog box that says there are some problems with the software's identification and do you really want to install it. Once that button is hit to say yes, anything else the OS could possibly do is a version of the Halting Problem. And that is mathematically proven to be an impossible task. Any partial solutions will necessarily be incomplete, and therefore flawed and automatically vulnerable -- yes a built-in and unavoidable vulnerability, one that is unidentified, but guaranteed to be there.



    You cannot even say well we will avoid that by only allowing users to install software that has a valid certificate. The vast majority of software does not have certificates, and most open source and education generated software cannot even qualify for a certificate because there is no "Financially Responsible Entity". For every solution we can create there we can create multiple problems.



    It all comes down to trust and possession. Once anyone is in possession of a machine, and trusted to do anything with it, they can cause bad things to happen, unintentionally or intentionally.



    Thank you!



    One other "possibility": only allow the user to install software that won't do anything "bad". However, what do you define as "bad", and how do you determine what software will do before it's installed/run?



    You could have a whitelist of "not bad" apps (blacklists (as used by Virus/Malware scanners) are a crappy idea because of the lag time between a "bad" app being released and that app being added to the blacklist).



    You could implement some advanced form of AI in the OS that analyses the program to determine if it's going to try and do something "bad". If you think that sounds trivial, trust me it isn't.
  • Reply 70 of 94
    hiro Posts: 2,663 member
    That quite explicitly IS the halting problem. There is no way to examine code in an automated way to ensure there is no badness in it, because you cannot guarantee you know all the ways a program could possibly be bad (just like Turing showed we can never know all the conditions for which all possible programs might continue). You cannot use a list, because to generate the list you need the previously impossible program, people are too slow and too error prone to do it on the scale necessary. Even with the greatest AI ever, it is still a computer program governed by Computability and the Halting Problem.



    Brains avoid the Halting Problem by guessing when to stop, not actually computing when to stop. The guess, called a heuristic, could be used in the list generation software, but it's only a guess, and who wants a list of software we only guess to be safe?



    It's flat out an unsolvable problem. We can only minimize it. Even in tightly administered networks that don't give normal users install privileges, the admins have them (oops there's that trust bugaboo again!) and if an admin screws up the whole network is pwned.
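The argument in replies 68 to 70 can be run as a small diagonal construction. This is an added example, not part of the original thread: the detectors, the sample programs and the `BAD`/`OK` labels are hypothetical stand-ins, and it assumes a program is able to call the detector on itself.

```python
# Added illustration: "bad" is only a returned label; nothing harmful runs.
BAD, OK = "bad-action", "ok-action"

def make_contrarian(detector):
    """Build a program that asks `detector` about itself, then does the opposite."""
    def contrarian():
        return OK if detector(contrarian) else BAD
    return contrarian

# Hypothetical detectors: each returns True when it predicts bad behaviour.
def block_everything(program):
    return True

def static_scan(program):
    """Heuristic: flag any program whose bytecode references the BAD label."""
    return "BAD" in program.__code__.co_names

def sandbox_run(program):
    """Dynamic analysis: run the program and watch what it does."""
    return program() == BAD

def honest():
    return OK

def hostile():
    return BAD

def audit(detector):
    """Map each sample program to 'correct', 'wrong' or 'no verdict'."""
    report = {}
    for program in (honest, hostile, make_contrarian(detector)):
        try:
            predicted_bad = detector(program)
        except RecursionError:
            # The detector simulated a program that consults the detector,
            # so it never reaches an answer (the halting-problem case).
            report[program.__name__] = "no verdict"
            continue
        actually_bad = program() == BAD
        report[program.__name__] = "correct" if predicted_bad == actually_bad else "wrong"
    return report

if __name__ == "__main__":
    for detector in (block_everything, static_scan, sandbox_run):
        print(detector.__name__, audit(detector))
```

Both `static_scan` and `sandbox_run` judge the two ordinary samples correctly, yet each fails on the program built against it: one gives the wrong verdict, the other never returns one.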
  • Reply 71 of 94
    alfiejr Posts: 1,524 member
    Quote:
    Originally Posted by noirdesir View Post


    How does any malware modify the system? Either by the user entering the password or by some security hole like a buffer overflow. You seem to imply that things like execution of arbitrary code due to buffer overflows (or other security flaws) do not exist, when they are being reported almost weekly for some piece of software.



    so can this java applet do all that? is there a zero day exploit it can use out there? or does it totally rely on stupid?
  • Reply 72 of 94
    Quote:
    Originally Posted by fishstick_kitty View Post


    You sound like an idiot...removing java from the OS X install has NOTHING to do with the security of Java. If there is a security hole here, it's the fault of the OS, not the plug-in.



    Actually that is exactly the reason. That's not to say that Java is insecure like the commenter was implying. However one of the major reasons Apple is no longer going to write their own Java updates is because they were always a version behind, and the biggest reason you want to have the latest release of Java is security. Frankly for most users it's probably better just not to have it installed at all. I'm sure most people don't have any Java programs installed, and no matter how secure Java is it still poses an additional security risk.
  • Reply 73 of 94
    sheff Posts: 1,407 member
    Quote:
    Originally Posted by WelshDog View Post


    And if you run Little Snitch you'll get two warnings, the one shown above and one from Little Snitch asking you if you want to allow the trojan to connect to an external server.



    Just say no.



    Yup just thought the same thing. Just block the thing and you then run one of the free tools. We'll see if this will become a big deal.
  • Reply 74 of 94
    Quote:
    Originally Posted by Phone-UI-Guy View Post


    Why would anyone click "Allow" in this context?







    Someone who wasn't paying attention or is used to all the nonsense that happens on Windows?
  • Reply 75 of 94
    pb Posts: 4,255 member
    Quote:
    Originally Posted by Mynameisjoe View Post


    Actually that is exactly the reason. That's not to say that Java is insecure like the commenter was implying. However one of the major reasons Apple is no longer going to write their own Java updates is because they were always a version behind, and the biggest reason you want to have the latest release of Java is security.



    I am also inclined to believe so. And for those who already forgot it, let me recall that sometime last year (or the beginning of this one) there was a serious security hole in java that remained unpatched for many months in OS X. Since then I disabled java in Safari and never looked back again. Of course this is not the reason why Apple is leaving java, but I suspect that it played an important role in combination with the slow down in the java updates rate for Mac OS X, which probably happened for other reasons.



    For the present one, yes, the user is the weak link in the chain and I don't see what else could be done if not to alert the user that unknown code is about to run.
  • Reply 76 of 94
    Quote:
    Originally Posted by Joe hs View Post


    It looks like in the near future I may have to purchase antivirus, no?



    Why? The best antivirus software on the planet is not going to prevent the biggest cause of infection these days...the freaking idiot behind the keyboard that allows any dialog box that pops up.
  • Reply 77 of 94
    Quote:
    Originally Posted by Mr. H View Post


    Do people not read threads before posting in them? You seem not to understand what a Trojan is, but if you'd read the thread you may be enlightened.



    To expand on what's been said already, think about the name: Trojan. Where does that name come from? Answer: the Trojan Horse. The whole point of a Trojan is that it makes the user think they want it, so the user installs it and runs it, but then it does unpleasant things. But you gave it your password, you gave it permission to run, it's your fault that it just pilfered all your contacts or deleted all your files etc etc. Trojans do not exploit OS or 3rd party software vulnerabilities, they exploit user vulnerabilities.



    I would like to point out in the original myth the Trojans were warned NOT to bring the horse into the city by the Trojan priest Laocoön, but he was killed by Poseidon via sea serpent.



    OSX is being Laocoön here and the user doesn't have the excuse of Poseidon but rather his own stupidity in letting his horse in his city.
  • Reply 78 of 94
    hiro Posts: 2,663 member
    Quote:
    Originally Posted by Mynameisjoe View Post


    Actually that is exactly the reason. That's not to say that Java is insecure like the commenter was implying. However one of the major reasons Apple is no longer going to write their own Java updates is because they were always a version behind, and the biggest reason you want to have the latest release of Java is security. Frankly for most users it's probably better just not to have it installed at all. I'm sure most people don't have any Java programs installed, and no matter how secure Java is it still poses an additional security risk.



    This isn't a Java exploit.



    It is a Social Engineering exploit written in Java for several platforms at once. There are few measures to prevent Social Engineering attacks that a) work; and b) are worth the price in terms of usability.
  • Reply 79 of 94
    sensi Posts: 346 member
    Quote:
    Originally Posted by Mr. H View Post


    Quote:
    Originally Posted by Joe hs View Post


    It looks like in the near future I may have to purchase antivirus, no?



    No.



    Your negation of any hypothetical need for an antivirus in the future is at best laughable if not irresponsible.
  • Reply 80 of 94
    mr. h Posts: 4,870 member
    Quote:
    Originally Posted by Sensi View Post


    Your negation of any hypothetical need for an antivirus in the future is at best laughable if not irresponsible.



    He said "near future" not the future in general. User savvy is still all that's required on OS X, and in any case, anti-virus can't protect against new threats that haven't been added to the blacklist yet. Even with anti-virus, you still need the aforementioned savvy. In fact, there is a risk to the less savvy user that if they install an anti-virus package, they think they don't need to be careful any more about what they allow their computer to do, because the anti-virus will protect them, right?