Latest Mac trojan spreads through Microsoft Word documents

13

Comments

  • Reply 41 of 65
    irnchrizirnchriz Posts: 1,616member
    How about I fix this for you AI..



    Latest Mac trojan spreads through Microsoft Word documents on unpatched versions of Office for Mac 2004 and 2008, which have had NO security patches installed since early 2009.



    There, sorted.
  • Reply 42 of 65
    auxioauxio Posts: 2,717member
    Quote:
    Originally Posted by d-range View Post


    While technically correct, almost all Java runtimes that you will find on desktop systems are built off the exact same source code as the official Oracle runtime. They open-sourced it about 5 years ago, and anyone can build their own JRE and JDK as long as you are abide by the license terms. OpenJDK (which is the de facto standard JDK you'll find on open-source operating systems) is now even officially the reference implementation of the language and SDK.



    Apple's JRE implementation predates OpenJDK by a long shot. I remember working with Apple's engineers at the WWDC in 2003 tracking down JRE bugs via gdb, and their implementation looked significantly different from others I'd worked with before at the time (notably the Linux Blackdown implementation). It was mostly done in Objective-C and Cocoa. Which is how they were able to create the Cocoa-Java bridge (popular at the time, but now defunct).



    Before you get all high and mighty about how many lines of code you've written in Java and whatnot, remember that some of us have also worked with Java for a very long time as well. So let's change the tone a bit.



    With regard to the programming language wars -- totally irrelevant. Any application runtime can and will have security holes to be exploited. Just because you've moved on to the next programming language du jour doesn't mean that people won't find similar security holes along the way with its runtime.



    You don't like the language, that's fine: every painter is allowed to have their own preferences in tools and mediums. But I've suffered enough developers who have to evangelize whatever new technology they decide to claim as their own (while completely dismissing everything else they've ever worked with before) to know that 'blind faith' is rarely beneficial.



    Java still serves a purpose, there are still a number of good cross-platform applications which use it, so to launch a smear campaign against it which plays on FUD doesn't benefit anyone.
  • Reply 43 of 65
    Quote:
    Originally Posted by irnchriz View Post


    How about I fix this for you AI..



    Latest Mac trojan spreads through Microsoft Word documents on unpatched versions of Office for Mac 2004 and 2008, which have had NO security patches installed since early 2009.



    There, sorted.



    Just to add. Microsoft has this security bulletin linked by CVE regarding this vulnerability. Here is the Microsoft bulletin (from 2009) and it was patched back then for both Office 2004 and 2008 (and Windows version of Office).



    So the Office angle of this attack was already patched if you have Office 2004 / 2008, just make sure you are up to date with your updates on Office.
  • Reply 44 of 65
    heinzelheinzel Posts: 120member
    Quote:
    Originally Posted by sedney View Post


    I'm using Word 2008 - didn't know it was a joke - better than giving Microsoft more money for the latest version though



    Actually, Office 2011 is a lot better than 2008, especially Excel has improved to the point where it's not utter crap anymore, but rather just plain crap half of the time...
  • Reply 45 of 65
    Quote:
    Originally Posted by irnchriz View Post


    How about I fix this for you AI..



    Latest Mac trojan spreads through Microsoft Word documents on unpatched versions of Office for Mac 2004 and 2008, which have had NO security patches installed since early 2009.



    There, sorted.



    Thanks for clarifying this, Phewww. I'm on 2011 office for mac and so will my mom when she gets her new iMac tomorrow. Hopefully all is good
  • Reply 46 of 65
    Most of the media is very sloppy about differentiating a virus from a trojan. My wife and daughter still use Windows and so I have to maintain their machines. I always keep them patched up. But, I can't remember the last time the security software caught something. That's because I taught my wife and daughter three simple things.



    1. In life, if something seems too good to be true, it usually isn't true. On the internet it is never true.

    2. If someone wants you to click on a URL, look carefully at the part just before the ".com". If it is not who claimed to have sent it, don't click. And, if you are the least bit suspicious, go directly to the URL instead of clicking the link.

    3. Any time you have a suspicion about something go to snopes.com and see if it's legit.



    With these simple ideas, they just don't get themselves in trouble. It helps that they don't download porn, or torrents or other stuff that gets them on the bad side of the internet tracks. No platform can be secure against stupidity. So when people say that OS X is inherently more secure, that doesn't mean that a careless user is not going to be able to compromise their machine. It means that it is unlikely that a cautious user is not going to get in trouble.
  • Reply 47 of 65
    charlitunacharlituna Posts: 7,217member
    Quote:
    Originally Posted by I am a Zither Zather Zuzz View Post


    That is because OSX is inherently insecure.



    Which is why my desktop which hasn't had flash, java or Office installed since I bought it last August is teeming with trojans, viruses etc



    Oh wait.
  • Reply 48 of 65
    mazda 3smazda 3s Posts: 1,613member
    Quote:
    Originally Posted by irnchriz View Post


    How about I fix this for you AI..



    Latest Mac trojan spreads through Microsoft Word documents on unpatched versions of Office for Mac 2004 and 2008, which have had NO security patches installed since early 2009.



    There, sorted.



    Quote:
    Originally Posted by Sasparilla View Post


    Just to add. Microsoft has this security bulletin linked by CVE regarding this vulnerability. Here is the Microsoft bulletin (from 2009) and it was patched back then for both Office 2004 and 2008 (and Windows version of Office).



    So the Office angle of this attack was already patched if you have Office 2004 / 2008, just make sure you are up to date with your updates on Office.



    So why is this even a story on AI today if it was patched nearly three years ago? AI grasping at straws?
  • Reply 49 of 65
    hudson1hudson1 Posts: 800member
    Quote:
    Originally Posted by Mazda 3s View Post


    So why is this even a story on AI today if it was patched nearly three years ago? AI grasping at straws?



    I'm guessing that it was only recently verified to be an OS X problem -- likely the patch was in response to an Office for Windows breach.
  • Reply 50 of 65
    Ditto. Began when I updated to 10.7.3 and the latest Flash.



    Quote:
    Originally Posted by mr O View Post


    I am having troubles watching some of the youtube videos in Safari. The video never plays or attempts to play. Ultimately it is asking me to force reload the other open pages.



    I am now watching youtube videos on Firefox. No problems there.



    Yes I am using the latest Apple's operating system and I am doing regular updates.



  • Reply 51 of 65
    cgjcgj Posts: 276member
    Quote:
    Originally Posted by canadan View Post


    Thanks for clarifying this, Phewww. I'm on 2011 office for mac and so will my mom when she gets her new iMac tomorrow. Hopefully all is good



    One does hope you're not paying for that piece of crap Pirate Bay gives you a great discount.
  • Reply 52 of 65
    tallest skiltallest skil Posts: 43,388member
    Quote:
    Originally Posted by CGJ View Post


    One does hope you're not paying for that piece of crap Pirate Bay gives you a great discount.



    I don't condone that. I don't care how terrible the company or software.



    But that's me.
  • Reply 53 of 65
    softekysofteky Posts: 136member
    Quote:
    Originally Posted by mr O View Post


    I am having troubles watching some of the youtube videos in Safari. The video never plays or attempts to play. Ultimately it is asking me to force reload the other open pages.



    I am now watching youtube videos on Firefox. No problems there.



    Yes I am using the latest Apple's operating system and I am doing regular updates.



    This is a known HTML5 issue with the way youtube encodes video. Firefox uses a different mechanism. Safari can play the videos but only when its cookies have been reset for youtube.com. Trouble is, they keep resetting back to the default which is the "bad" setting. To fix this temporarily, in Safari go to Preferences:Privacy, click the "Details" button located below and to the right of the "Remove All Website Data..." button. Select the "youtube.com" line item (might need to scroll for it) and then hit the "Remove" button.



    If necessary, reload your current (non-playing) youtube page and it should play fine (until youtube resets its cookies back to default again).



    There may be a way to fool Youtube into thinking you're not running Safari (under the "Develop" menu) but none of the alternatives I've tried there has worked for me.
  • Reply 54 of 65
    Quote:
    Originally Posted by I am a Zither Zather Zuzz View Post


    That is because OSX is inherently insecure.



    Windows is built on DOS. DOS had 0% security. Windows NT moved away from DOS as its under-pinning but due to needing backwards compatibility with old DOS programs implemented DOS in a way that it introduced more security holes while largely breaking the DOS apps it was trying to remain compatible with.



    Windows NT 4.0 was built on top of Windows NT 3.51 in much the same way Win95 was built on top of Windows 3.11. In both cases new security holes were brought in while most of the old ones remained for backwards compatibility reasons.



    2K was built on top of NT 4.0, XP on top of 2K, Vista was a rewrite but to retain backwards compatibility introduced a new way to achieve the same security flaws and of course Win7 is built on top of Vista, and Win8 is built on top of Win7.



    Mac OS X however is built on top of FreeBSD which in itself was designed ground up to be extremely secure. The UNIX under-pinnings of Mac OS X means it is actually inherently SECURE.



    Of course anyone with half a brain who can do some research would have found that out in a heartbeat but thanks for trying.
  • Reply 55 of 65
    hill60hill60 Posts: 6,992member
    Quote:
    Originally Posted by tdmelvin View Post


    ^^^ This! Changed over to iWork for everything, and haven't looked back once. Everything converts and exports fine; at least for me and my needs.



    ...but, but, but you need Office because you might have to write a 6,000 page spreadsheet with advanced pivot tables which is REAL work, apparently Numbers doesn't cut it.*



    *In the world according to Microsoft apologists.



    P.S. I am also quite happy with iWork, it does everything I need to do.
  • Reply 56 of 65
    hill60hill60 Posts: 6,992member
    Quote:
    Originally Posted by softeky View Post


    This is a known HTML5 issue with the way youtube encodes video. Firefox uses a different mechanism. Safari can play the videos but only when its cookies have been reset for youtube.com. Trouble is, they keep resetting back to the default which is the "bad" setting. To fix this temporarily, in Safari go to Preferences:Privacy, click the "Details" button located below and to the right of the "Remove All Website Data..." button. Select the "youtube.com" line item (might need to scroll for it) and then hit the "Remove" button.



    If necessary, reload your current (non-playing) youtube page and it should play fine (until youtube resets its cookies back to default again).



    There may be a way to fool Youtube into thinking you're not running Safari (under the "Develop" menu) but none of the alternatives I've tried there has worked for me.



    Off course it's got nothing to do with Google wanting people to switch to Chrome.



    I see Google was whining the other day about parts of the web becoming unavailable for their exploitation.
  • Reply 57 of 65
    hudson1hudson1 Posts: 800member
    Quote:
    Originally Posted by hill60 View Post


    ...but, but, but you need Office because you might have to write a 6,000 page spreadsheet with advanced pivot tables which is REAL work, apparently Numbers doesn't cut it.*



    *In the world according to Microsoft apologists.



    P.S. I am also quite happy with iWork, it does everything I need to do.



    I'm the last person anyone would call a "Microsoft apologist" (are there any around now, anyway?) but when your business builds advanced reports littered with pivot tables then no, Numbers won't work. Good for you that all you need are simple worksheets where Numbers does fine. Others don't have that luxury. Like it or not, Excel is the one Microsoft product that most consider as as a gold standard and few see anything coming along that's going to change that.
  • Reply 58 of 65
    chris_cachris_ca Posts: 2,543member
    Quote:
    Originally Posted by DrDoppio View Post


    Haha, very funny.



    For those that didn't get the joke, Android has nothing to do with this -- it has neither the JVM, nor MS Office. This is a Mac OS problem exclusively.



    So if I do not have MS Office installed and opened one of these files using Pages (or another app), it would still do something to my Mac?
  • Reply 59 of 65
    hirohiro Posts: 2,663member
    Quote:
    Originally Posted by auxio View Post


    Let's clear up the misconceptions here:<snip>



    So, if security holes exist in the Mac OS X Java runtime only (not all Java runtimes), then the problem is with that particular implementation, and not the Java specification itself.



    One more interesting point: up until Mac OS X 10.7, it was Apple themselves who created and maintained the Java runtime for Mac OS X. I believe, but am not certain, that the source code for that exact runtime was passed on to Oracle when the reigns of maintenance switched hands. Which, if true, means that it could potentially be Apple's fault these security holes exist, not Oracle's.



    Regardless, to mindlessly maintain that Java is the problem is to only look skin deep.



    As you so eloquently said: Let's clear up the misconceptions here



    There have been a legion and a half security issues within the Java specification. Yes I said in the specification, not only in the implementation. Often those vulnerabilities are in what and how the specification says some things must be handled. This is why there have been more than just a few cross platform Java vulnerabilities over the years.



    You also don't seem to realize that OpenJDK Java 7 is not released yet on OS X, so the code Apple turned over the project, not Oracle, has not been turned around to the Java 7 public yet. The previous Java versions are all in-house Apple development efforts, so yes Apple has final responsibility for those. A responsibility that isn't so easy the way Oracle/Sun has treated non-in-house JRE development over the years.



    So you might have accidentally made a couple mostly correct guesses in your analysis, but the rest showed you don't have enough knowledge about what you are were writing. So rather than grasp at straws and fatally oversimplify, just stick to what you know.
  • Reply 60 of 65
    hill60hill60 Posts: 6,992member
    Quote:
    Originally Posted by Hudson1 View Post


    I'm the last person anyone would call a "Microsoft apologist" (are there any around now, anyway?) but when your business builds advanced reports littered with pivot tables then no, Numbers won't work. Good for you that all you need are simple worksheets where Numbers does fine. Others don't have that luxury. Like it or not, Excel is the one Microsoft product that most consider as as a gold standard and few see anything coming along that's going to change that.



    These people using the advanced features of excel are often behind corporate firewalls, are they not?



    For the average home user, the target of these attacks, who is incapable of running automatic Office updates which patched this vulnerability in 2009, I'd hazard a guess to say that most of them aren't using advanced features of Office and so can make do with iWork.
Sign In or Register to comment.