MacInTouch Reader Reports

Security: Java

May. 21, 2009

item.92605

Gary Hoover

After reading the posting about Java vulnerabilities [see links below], I decided to click the link to the proof of concept exploit. I was quite surprised to find that Virus Barrier detected and seemed to eradicate the exploit. Since the 'say' command was never invoked I checked the Virus Barrier logs for more info. Here's what I found:

Exploit 'Java/Evasion.A' detected in file 'HelloWordlApplet.class-7bd66a7d-6a1f546a.class'
Exploit 'Java/Evasion.A' eradicated from file 'HelloWorldApplet.class-7bd66a7d-6a1f546a.class'

I don't know if this is useful information but it was interesting enough to note.

Write once, own everyone, Java deserialization
Critical Mac OS X Java Vulnerabilities
[proof of concept exploit/test]

item.92548

Louis Zulli

Using the Java Preferences utility in /Applications/Utilities, I set "Run applets" to "In their own process" instead of "Within the browser process." This seems to prevent the proof-of-concept applet at http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html from working, which it certainly did when "Within the browser process" was selected.

I have no idea if making this change in Java Preferences is a good idea, or if it is a better idea than disabling Java in Safari completely. Maybe some expert can comment.

Here is what the Java Console shows when the proof-of-concept fails:

Java Plug-in 1.6.0_11
Using JRE version 1.6.0_13 Java HotSpot(TM) 64-Bit Server VM
User home directory = /Users/Louis
----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to <n>
----------------------------------------------------
java.lang.RuntimeException: Bootstrap failure
at HelloWorldApplet.init(HelloWorldApplet.java:33)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Plugin2Manager.java:1494)
at java.lang.Thread.run(Thread.java:637)
Caused by: java.lang.NullPointerException
at HelloWorldApplet.init(HelloWorldApplet.java:29)
... 2 more
Exception: java.lang.RuntimeException: Bootstrap failure

item.92596

Eric Taylor

FWIW, if you need to push the Disable Java command out to a bunch of machines via ARD (and turn off Open "Safe" Downloads), this is what you need:

defaults write com.apple.safari WebKitJavaEnabled -bool FALSE; defaults write com.apple.safari AutoOpenSafeDownloads -bool FALSE

I couldn't figure out an easy way to do the same for FireFox, unfortunately.

Essentially, you would need to append:

user_pref("security.enable_java", false);

to the end of ~/Library/FireFox/Application\ Support/(some gibberish profile)/prefs.js

Maybe:

# Append the pref to prefs.js in every Firefox profile
for profile in ~/Library/Application\ Support/Firefox/Profiles/*/; do
  echo 'user_pref("security.enable_java", false);' >> "${profile}prefs.js"
done

In the end, I only have a couple Firefox users though, so I just manually told them what to do.

May. 22, 2009

item.92667

Michael Bonnesen

I can confirm Gary Hoover's report. Virus Barrier does indeed intercept and block the Java vulnerability, in my case four files from the proof of concept site. Very impressive. Virus Barrier comes up with a clear warning as soon as an attempt to run the Java Applet on the test site is launched.

Excerpts from the Virus Barrier log:

Status Green
Date 22/05/09 8.42.31
Comment File 'Exec.class-1611fe4d-53b8ff78.class' was added to quarantine

Status Red
Date 22/05/09 8.42.25
Comment Exploit 'Java/Evasion.A' detected in file 'Exec.class-1611fe4d-53b8ff78.class'
User mibo (501)

Status Green
Date 22/05/09 8.42.24
Comment File 'Exec$1.class-4620a35a-44ab8def.class' was added to quarantine

Status Red
Date 22/05/09 8.42.12
Comment Exploit 'Java/Evasion.A' detected in file 'Exec$1.class-4620a35a-44ab8def.class'

Status Green
Date 22/05/09 8.42.11
Comment File 'FunLoader.class-5863c98b-74ce498c.class' was added to quarantine

Status Red
Date 22/05/09 8.42.00
Comment Exploit 'Java/Evasion.A' detected in file 'FunLoader.class-5863c98b-74ce498c.class'

Status Green
Date 22/05/09 8.41.56
Comment File 'HelloWorldApplet.class-7bd66a7d-4009ea01.class' was added to quarantine

Status Red
Date 22/05/09 8.41.02
Comment Exploit 'Java/Evasion.A' detected in file 'HelloWorldApplet.class-7bd66a7d-4009ea01.class'

item.92640

Sol Berger

What is the difference between Enable Java and Enable JavaScript in Preferences? Which is the least harmful? Must both be checked in order for it to work?

I am using Camino 2.01b and FireFox 3.5b4.

May. 23, 2009

item.92687

Brian Timares

Sol Berger wonders,

"What is the difference between Enable Java and Enable JavaScript...".

Java and Javascript are unrelated. As far as I know, Javascript was named to take advantage of the buzz that Java had at the time it was released.

Java is an entire (programming) environment, not just a language but also a "virtual machine" that runs Java programs. Java was designed with many safeguards in place such as the notion of it running in a "sandbox" where it can't impact anything outside the virtual machine (although as we've heard here on Macintouch, there is a nasty bug that allows escaping the sandbox that Apple has not yet fixed).

Javascript is a scripting language for browsers, although like many scripting languages it does more than it was originally targeted for. It unfortunately was designed and written with (in my opinion) little regard for security or for users. I use Firefox, not because I like it, but because the NoScript extension (together with Adblock and some judicious router blocks) makes my browsing much safer and pleasant.

As far as the 'web expert' who feels that deleting history is a security tactic, that's true only if one's SO snoops. Browser history is not a browser security risk. The problem is Javascript and the best way to handle it is to deny-by-default.

item.92693

Gregory Weston

Sol Berger asks:

"What is the difference between Enable Java and Enable JavaScript in Preferences? Which is the least harmful? Must both be checked in order for it to work?"

The answer is that they're completely different tools with different uses. Sites can use either, neither or both. The similarity in naming is from the fact that JavaScript adopted the syntax and some other facets of Java.

Turning off JavaScript will essentially cripple your effective usage of a large percentage of web sites in existence today.

Java much less so.

item.92708

David Ballenger

In regard to Louis Zulli:

Using the Java Preferences utility in /Applications/Utilities, I set "Run applets" to "In their own process" instead of "Within the browser process."

I have version 12.2.0 of Java Preferences and I can't find that setting. Which tab is it under in your Java Preferences?

item.92719

Andrew Schultz

Sol Berger asked:

What is the difference between Enable Java and Enable JavaScript in Preferences? Which is the least harmful? Must both be checked in order for it to work?

Java is a programming language that for the web enables 'applets' to be run inside the browser. Sounds like right now unless you do use applets you should disable it until the problem is patched.

Javascript is a scripting language that allows a web designer to do lots of different things - enable interactivity, communicate with databases, etc. There are always exploits to be had with a scripting language but you lose a lot of the Web 2.0 without it.

Aside from both having 'Java' in the name - they don't have anything to do with the other.

Confusing, but true.

item.92729

Steve Setzer

Sol Berger:
Java and JavaScript are two different technologies. For average users, turning off Java will "break" a few sites; turning off JavaScript will break a lot more sites. However, many sites use neither.

The "StartPanic.com" problem is JavaScript based.

The problem described at "landonf.bikemonkey.org" is Java based.

There are other security problems with both technologies.

Of the two mentioned here in the past few days, the Java one is more immediately dangerous, as by itself it could result in dangerous software being installed on your computer; to be harmed by the JavaScript one ("StartPanic") you would have to first be hit by it, and then be fooled into taking additional actions.

For maximum safety, turn off both technologies. Then see if your favorite sites still work. If some don't, turn JavaScript (not Java) back on and check again. Etc.

The things that make the Web truly useful are also the things that make it dangerous. I don't quite know what to do about that, and I sure don't know what to recommend to others.

item.92734

MacInTouch Reader

Michael Bonnesen wrote:

I can confirm Gary Hoover's report. Virus Barrier does indeed intercept and block the Java vulnerability, in my case four files from the proof of concept site. Very impressive. Virus Barrier comes up with a clear warning as soon as an attempt to run the Java Applet on the test site is launched.

The log gives the name of the exploit it blocked. This indicates that it has been added to the virus defs already by the vendor. It probably would not block a new applet until it got added to the defs and we don't know how long that takes.

May. 25, 2009

item.92771

Sol Berger

I thank you one and all for your rather timely answers. I have now activated only the JavaScript (and turned off the Java module).

I will try it and see how it goes for the next few days. I also added ABP to my latest version of FF.

I am not using Safari as it has never worked for me in the sense that it only prints (mostly) everything in single spaced format when I am copying text to print. Somehow, it is not recognizing CR/LF (especially in MacInTouch) while Camino 2.0b2 and FF 3.5b4 (and all previous versions) work perfectly.

Again, thanks.

item.92780

Neil Fogliani

Regarding the Java and JavaScript potential security problems:
I use my Mac a lot to get to several bank websites, pay some bills, visit several IRA financial sites and do some stock trading in most of the sites I visit. I have been using the Safari browser to do the above mentioned tasks. What is the best work around and what browser is recommended to reduce or eliminate security risks?

Also, what is the estimated time before a fix is released for the Mac machines?

Thanks

May. 26, 2009

item.92751

Philip M

For those who believe Firefox/noscript will solve this problem, maybe not. On the original website cited by Robert Mohns,

http://news.ycombinator.com/item?id=617546

there is a further discussion of how you can get access to visited pages just using Cascading Style Sheets! (No javascript or java at all). Essentially the code that allows "visited" links to be displayed in a different color, is abused to get access to the original links. (Robert Mohns points out this bit of information in his post, but it wasn't clear there that CSS -itself- was vulnerable to this, not just javascript.)

Details here:

http://www.w3.org/TR/CSS21/selector.html#link-pseudo-classes

As for how to "patch" CSS? Oh boy, is that even technically feasible? Is there a setting one can turn off in a browser to prevent this? The author at w3.org thinks that the browser could be set up to mark all links for CSS as "visited", and keep some kind of internal tally (i.e. not accessible via CSS) on which ones actually had been visited. That sounds like some programming to me. "visited"/"unvisited" can be useful

I don't understand this stuff very well, so maybe what they're talking about is not as big a deal as the javascript problem. I'm scared though. I thought it was worth pointing out. Maybe someone who understands CSS/DOM better than I do (almost anyone) can chime in. I know noscript can prevent cross-scripting attacks. But this?

Seems the only way to live securely is constantly to clear history. Or "private browse". Or Firefox with "history" turned off. That's a pain.

Jun. 16, 2009

item.94147

Eric Taylor

It seems that Apple's "JavaForMacOSX10.4Release9" update patches the Java security flaw uncovered by Landon Fuller. When I attempt to run his demo of the flaw, I now get a bootstrap failure error with Java enabled.

Jun. 17, 2009

item.94247

MacInTouch Reader

The recent Java update broke the GUI interface for IBM's Tivoli backup software...

See http://alerts.its.psu.edu/alert-1140

Jun. 9, 2011

item.136345

Rex

Oracle released Java updates for Windows, Solaris, and Linux, which fix 17 security vulnerabilities, 9 of which are extremely critical (10 on a scale of 10).

Oracle Java SE Critical Patch Update Advisory - June 2011

According to Oracle:

"Apple supplies their own version of Java. Use the Software Update feature (available on the Apple menu) to check that you have the most up-to-date version of Java for your Mac."

Apr. 3, 2012

item.155184

MacInTouch

Mac Flashback trojan exploits unpatched Java vulnerability, no password needed

Developers behind the Flashback trojan for the Mac have updated it to exploit a vulnerability in the Java software framework that has yet to be patched for machines running Mac OS X, an antivirus firm warned on Monday.

Flashback.K, as the latest variant is called, is able to hijack Macs even when users don't enter an administrative password. Instead, it does this by exploiting a critical Java vulnerability classified as CVE-2012-0507, F-Secure researchers wrote in a blog post. Although Oracle released a fix for the security threat in February, a patch has yet to be released for OS X users.


New Flashback Variant Takes Advantage of Unpatched Java Vulnerability

A new variant of the Flashback malware, Flashback, has been found in the wild. This variant uses a Java vulnerability, as a previous variant did. This variant takes advantage of two Java vulnerabilities, one of which has not yet been patched by Apple in the version of Java that they supply.

Apr. 4, 2012

item.155259

MacInTouch Reader

In response to this story, I've simply disabled Java on my Mac (using "Java Preferences.app" in the official Utilities folder). Not sure if I'll leave it off permanently or not... but I'm wondering: how important is Java for most people anyway? What kinds of things tend to stop working if it's disabled?

Apr. 5, 2012

item.155331

Ira Lansing

Java is most commonly used for web sites and related things, but there are some applications that require Java.

When I first upgraded to OS X 10.7 (Java is not installed by default), my first prompt to install and use Java did not come from a browser or web site, but from the Desktop application Moneydance (financial software).

item.155342

John Kehoe

Folks asking about disadvantages of disabling Java on their Mac may find that they made the best choice. I have never installed Java on my Macs over the years and never missed it. On the other hand, the Windows machines we use at work must have Java due to certain web based functions. Like any service or software on a computer, if you don't need it, don't install it. That has worked for me but I'm curious to hear from other MacInTouch folks regarding their experiences.

item.155293

Gregory Weston

A MacInTouch Reader wonders:

"how important is Java for most people anyway? What kinds of things tend to stop working if it's disabled?"

If it was safe to extrapolate from what I've seen online in the last day, not very. I've run across an awful lot of postings from Lion users wondering why they're not being offered the update, the answer being that they never installed Java on their machines in the first place.

I *don't* think it's safe to extrapolate from that, but I'm still inclined to believe that Java is a minority requirement among Mac users in 2012 from observing those around me.

item.155296

Ken Heins

Re: Java for OS X Lion 2012-001 which delivers improved reliability, security, and compatibility for Java SE 6

Hmmmm; going to wait

When I download the installer and open, I get this message;
"There may be a problem with this disk image. Are you sure you want to open it? Opening this disk may make your computer less secure or cause other problems."

Anybody else?

item.155302

Tom Van Vleck

I installed the Java update yesterday, and see no problems so far. My test to make sure Java is working is to run a few applets, and then launch Eclipse, which depends on Java.

Other software I use that depends on Java includes Cyberduck and various Adobe products such as Flash CS5.

item.155307

Arthur Kent

Re:

"In response to this story, I've simply disabled Java on my Mac (using "Java Preferences.app" in the official Utilities folder). Not sure if I'll leave it off permanently or not... but I'm wondering: how important is Java for most people anyway? What kinds of things tend to stop working if it's disabled?"

I'd also like to know too. I have it disabled (under 10.6.8), but what are the "ramifications" of leaving it like that?

item.155316

Kurt L.

A reader asked what kinds of problems might result from disabling Java. The short and simple answer is that some web sites will stop working (those that actually execute Java, not Javascript). Java-enabled web sites tend to be relatively rare, fortunately. You may also run into the odd application installed on your Mac that runs in the Java environment; the most common one that I can think of is ClickRepair, the audio de-clicker.

item.155327

Rob Packett

I've long-since disabled Java and JavaScript for all my computers/browsers. Whenever I find a site that doesn't work without one or the other, I either enable for sites I *really* trust, or weigh the tiny nuisance of temporarily enabling against the value from enabling. Security versus convenience always comprises a trade-off. I usually continue without even temporarily enabling them.

If you're still wondering, try the approach yourself.

item.155328

Raj Gurdwara

A MacInTouch reader said:

I've simply disabled Java on my Mac (using "Java Preferences.app" in the official Utilities folder)...

I disabled Java in all of my browsers long ago -- see:

https://community.rapid7.com/videos/1373

After reading this post on MacInTouch, I tried turning Java completely off using Java Preferences.app, but as soon as I did this, Firefox 11.0 wouldn't quit properly. I kept getting the "application quit unexpectedly..." message every time I pressed command-Q. After about 5 minutes, Firefox 11.0 wouldn't launch at all. It would just immediately quit giving me the same "application quit unexpectedly..." message.

Restoring the defaults in the Java Preferences.app has Firefox 11.0 working perfectly again. I wonder why Firefox won't work properly unless Java is enabled in Java Preferences.app even though it works fine when the Java extension itself is disabled from _within_ Firefox?

item.155358

MacInTouch Reader

Does anyone know if the latest Java trojan can infect Mac OS X Tiger, using Safari 4.1.3?

Apr. 6, 2012

item.155360

Steve St-Laurent

Is there any information on how to determine whether one has been infected by this Java exploit?

item.155363

Chuck Carlson

Yes, I got that same error message about the Java for Lion downloaded from Apple being bad. Disconcerting to say the least.

item.155370

MacInTouch Reader

How can one tell if one has been infected/compromised by this flash malware?

[As the malware mutates, it's hard to keep track of all the technical details, and there's no simple tool we've seen for identifying it, but F-Secure descriptions include some detection and removal tips, based on Terminal command-line operations. -Ric Ford]

item.155373

Ira Lansing

Re:

When I download the installer and open, I get this message;
"There may be a problem with this disk image. Are you sure you want to open it? Opening this disk may make your computer less secure or cause other problems."

Anybody else?

Yes, I saw that as well. I thought it might have been because I stopped and started the download a couple of times and thought I had finished but hadn't. When it was completely downloaded it did go through the installation process with no apparent problems that I could see.

item.155379

David Kilbridge

In addition to disabling Java in each browser's preferences UI, I've disabled the Java plugins in /Library/Internet Plug-ins/ as a second line of defense. I've left JavaPreferences.app alone, so Java-based desktop apps should still work as before.

BTW, Tantek Çelik warned us about this a year and a half ago.

item.155382

Adam Bezark

Is there an *easy* way to find out if my system has been infected with the Trojan? I've seen some solutions that require ten or more steps in Terminal. I'll do that if needed, but isn't there a simple app or script that can check?

And will applying the Java update "cure" an already infected system?

item.155383

Mike Kraemer

The news items which have been posted recently regarding the Java vulnerability all seem to come from the anti-virus software companies. I wonder if the virus warnings act as ads for their products rather than any real concern for the Mac community as a whole. Are the numbers they cited in the announcement inflated to make the problem look much worse?

[The reference for "more than 600,000" infections came originally from an obscure Russian-language website that doesn't appear to be promoting Mac products. It's unclear if that estimate is accurate, but it's very clear that a serious, open Java security hole has only belatedly been patched via Apple, and only for Mac OS X 10.6 and 10.7. -Ric Ford]

item.155391

Samuel Herschbein

Ken Heins said:

... When I download the installer and open, I get this message; "There may be a problem with this disk image. ...

On occasion I've gotten bad downloads from Safari.

I'd download it again, and watch the Downloads window to see if it progresses properly.

[I downloaded the Lion Java Update this morning (on a Tiger system) and got the same scary error - "This disk image you are opening may be damaged and could damage your system". Apple's Support Downloads page lists this as "Java for OS X Lion 2012-002" but clicking that link gets you "Java for OS X Lion 2012-001", which is certainly confusing. I'm on a FiOS connection, which should be very solid. I re-downloaded in a different browser with the same result. -Ric Ford]

item.155393

Robert Waltz

In response to the question about what uses Java, the answer is -- very little that is specific to Macintosh, but a lot of things that are cross-platform. One that I know is the development environment for Android (Android phones themselves use Java as their main programming language).

Also, if you have any custom code, that may well be in Java.

The bottom line is, if you use only Apple products such as Safari and Mail, or Mac-specific products, it is probably safe to turn off Java. But if you live in a mixed-platform environment, you're likely to need it for something.

item.155394

John Grout

There are multiple options for the Java Runtime Environment (JRE) on any computer, including Macs.

One option is to not install a JRE or JDK (Java Development Kit, which includes a JRE). This will prevent both stand-alone Java applications and Java applets downloaded by Web pages from being executed.

Another is to install a JRE or JDK but disable Java in Web browsers so stand-alone Java applications will still work but Java applets can't be executed at all.

The default when a JRE or JDK is installed is to allow both stand-alone apps and applets to run and to put tight limits on what applets can do without explicit consent from the user.

With this exploit, users are conned by official-looking messages into granting that consent, much as users are conned by spam emails into clicking on links to dangerous Web sites.

P.S. Java and Javascript aren't related.

item.155396

Lachlan David

My financial institution uses Java to provide their internet banking service - which fills me with confidence right about now.

Can anyone weigh in on why java is used by financial institutions for these kinds of services? Is it just the cross-platform nature of it?

Cheers.

item.155398

John Baltutis

Gregory Weston stated:

"...I've run across an awful lot of postings from Lion users wondering why they're not being offered the update, the answer being that they never installed Java on their machines in the first place."

Clarification. Java's installed. What's not is the Java Runtime Environment, a subcomponent that's not installed automatically.

This, in the Terminal, Mac OS X 10.6.8

java -version

should show this:

java version "1.6.0_31"

Java(TM) SE Runtime Environment (build 1.6.0_31-b04-413-10M3623)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01-413, mixed mode)

item.155399

MacInTouch Reader

I'm the reader who asked how important Java is on your Mac and what disabling it might break. It's now been about 24 hours since I disabled it. Regarding a couple of responses from other readers...

Re:

"Other software I use that depends on Java includes... Flash CS5."

I assume you're talking about the Flash authoring app that Adobe sells. I don't have it installed, but regarding the free Flash player (browser plug-in)... to my utter amazement, since I disabled Java yesterday, I can now play Flash videos on the BBC and a couple of other sites, with no problems, for the first time. Of course this could be a coincidence, and I have no idea what the problem was (a security setting?) or why disabling Java may have fixed it, but I have no time for experiments at the moment.

Re:

"...I tried turning Java completely off using Java Preferences.app, but as soon as I did this, Firefox 11.0 wouldn't quit properly.... Restoring the defaults in the Java Preferences.app has Firefox 11.0 working perfectly again. I wonder why Firefox won't work properly unless Java is enabled in Java Preferences.app even though it works fine when the Java extension itself is disabled from _within_ Firefox?"

Like you, I already had Java disabled inside Mac Firefox 11.0 itself, but unlike you, I've had no new problems with FF since disabling Java system-wide. Firefox still quits and re-launches normally. Perhaps it's an add-on (extension or plug-in) that you've installed in Firefox?

item.155402

Matt P

Correct me if I'm wrong... but after perusing the "fix" solutions for this Java issue, it seems it's not going to be able to do anything unless I actually put in my password when some random "Update" window comes up trying to fool me into thinking it's a software update installing. Further, it appears that it must connect to a site, so if I'm running Little Snitch and it tries to connect to some IP number, I will know about it, yes?

Sounds like the same thing as most other so-called Mac hacks, depends on the naivety of the user to actually implement this infection.

Please let me know if I'm wrong. I'd also like to hear from someone who actually has had this happen to them and corrected it. The claim of half a million users being affected does nothing for me unless I actually see reports of real people being affected in the real world.

Too much of the time we get all these doom and gloom warnings, and they are only from the companies promoting their virus scan applications. I'm sure a whole lot of sales of their apps are made every time they announce something. I'm certainly not discounting these reports, I'd just be much more inclined to take action if I actually see some reports from real users that have been exploited.

item.155403

Mark Willke

I'm curious if Mac OS X 10.5.8 on a G5 is at risk. I've disabled Java in Safari and Firefox, but is there some additional procedure that can or should be done to remove Java from the computer overall? Or is it just the web browsers that I need to worry about? Thanks.

item.155405

George Crawford

Does anyone know if this malware also works on 10.5 and 10.4 machines, both Intel and PowerPC? Also is the terminal fix the same if it does? The Java can't be updated on these machines.

item.155397

Antony Gravett

A second-line, post-Java defense against the Flashback malware appears to be to create a folder called "Little Snitch" in the root-level (not user's) Library folder.

This is detected by the malware and causes it to delete itself and take no further action. Of all the detections listed by F-Secure, this is the only one not requiring an actual app to be present.

Just thought I'd pass that on - it's untested, but might be good insurance for many?

item.155387

Antony Gravett

I am supporting a small all-Mac company, and the instructions in the various links you provided were great but added a lot of confusion to the question, "how do I just turn Java off?"

Here is what I asked our group to do, because it was the simplest way to turn off Java at the source, so to speak:

1. Quit any web browsers you have open (e.g., Safari or Firefox), and then open the application Java Preferences - it is in Applications > Utilities (you can also find it quickly by typing "Java" into Spotlight). If you are running OSX Lion, you may not have this application installed, which indicates that Java is not installed on your machine, and you don't need to follow the rest of this procedure.

2. On the General sub-tab that displays in Java Preferences, uncheck all the checkboxes, including the one next to "Enable applet plug-in and Web Start applications" and any to the left of each Java version listed.

3. Quit the Java Preferences application (the bottom menu item in the Java Preferences menu, or Command+Q). It's not essential, but I would suggest that you restart your computer as a final step.

Tony

item.155406

Andrew Main

Looking around the various links posted yesterday (April 5) re. the "Java vulnerability patched this week by Apple", on the Intego page titled "Hundreds of Thousands of Macs Infected by Flashback Malware" I saw a link for "Apple Issues Second Java Update to Patch Vulnerability Exploited by Flashback Malware," dated April 6, which informs:

Java for OS X 2012-002 seems to be the same as the first update, and the support document for this update gives no information (and is, in fact, incorrect, as it names the update Java for OS X Lion 2012-001, whereas Software Update displays it as Java for OS X 2012-002).

The "support document" link goes to Apple KB HT5055, "About Java for OS X Lion 2012-001" which is very similar to DL1515, "Java for OS X Lion 2012-001"; only the latter, however, offers a download link.

On Apple's Download page I see only the two Java updates dated April 3 (and no 002 version). And Software Update does not report any "Java for OS X 2012-002" (I've installed the 001 version).

I don't know where Intego found an 002 version. Anyone else?

[Apple's Support Downloads page lists "Java for OS X Lion 2012-002", a link that leads, instead, to "Java for OS X Lion 2012-001". I have no idea what's going on there. -Ric Ford]

item.155419

Eric Hildum

I seriously doubt that 600,000 Macs have been infected. I inspected a number of Macs, including some that I really expected to be infected because of their usage pattern, but found nothing.

Installed the Java update on all the machines, and basically let them go. Not a big deal in my case.

[John Gruber at Daring Fireball found a number of his readers whose Macs had been infected (see below). -MacInTouch]


Flashback Trojan Reportedly Controls Half a Million Macs and Counting

Via email and public Twitter replies, I've seen reports from about a dozen or so DF readers who've been hit by this. And they all seem like typical DF readers -- sophisticated, experienced, if not downright expert Mac users. It's not an epidemic, but it's definitely real, and insidious.

item.155420

Eric Hildum

Robert Waltz writes

The bottom line is, if you use only Apple products such as Safari and Mail, or Mac-specific products, it is probably safe to turn off Java. But if you live in a mixed-platform environment, you're likely to need it for something.

[...] However, many Adobe products do require the Java installation, as do Eclipse and a number of educational titles.

item.155435

MacInTouch Reader

To determine if you possibly have been infected with Flashback K, there is a simple way to check. But it's not totally conclusive.

You can do a rudimentary check on your system by running the following two commands in the Terminal (copy and paste them):

defaults read /Applications/Safari.app/Contents/Info.plist LSEnvironment

defaults read /Applications/Firefox.app/Contents/Info.plist LSEnvironment

These commands will read the property list within the applications and check to see if they have been modified to launch other applications when opened. In the output for these commands, if you see text that includes "DYLD_INSERT_LIBRARIES" followed by a path that points to a specific file, then your system has been infected. If you do not see this text output and instead see "The domain/default pair...does not exist," then your system has not been infected.

- got this from CNET. My system checked out OK

item.155452

Stephen Hart

Several readers seemed to have problems downloading the two Java updates as stand-alone updaters.

I had no problems with Software Update, which downloaded and installed 001 a couple of days ago and 002 today.

It looks as if the Apple Security Updates page merely hasn't been updated to include 002.

item.155458

Tracy Valleau

FWIW, I believe that you only need to disable Java in Safari (or other web browser) and not in total. That prevents browser-based attacks, but will allow Java-based apps to continue to run properly. (Someone please correct me if I'm wrong about that.)

Here is a script that will check for you without using the terminal:

http://macstuff.beachdogs.org/blog/

and finally: no, you do not need to put in a password to be infected. If certain conditions are met, you get infected just by driving by.

item.155416

Don Eby

To add to Lachlan David's question on banks using Java, as I understand it MoneyDance is written in Java. Does that put my financial data at more risk?

item.155424

Gary Kellogg

Adam Bezark asks,

"Is there an *easy* way to find out if my system has been infected with the Trojan? I've seen some solutions that require ten or more steps in Terminal. I'll do that if needed, but isn't there a simple app or script that can check?"

I like the instructions at Trojan-Downloader:OSX/Flashback.I [F-Secure]

If you get "...file not found" after the first command, then just go to Step 8 and if you get a "...file not found" you are good to go. That was my experience. I do not know if the security update will remove the malware if it is present.

item.155429

Jeff Bagby

re: "Java for OS X Lion 2012-001" vs. "Java for OS X Lion 2012-002"

I checked my Java version from Terminal using the "java -version" command, post "2012-001" and post "2012-002" updates.

The 001 version returns the value:
java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04-413-11M3623)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01-413, mixed mode)

The 002 version returns the value:
java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04-414-11M3626)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01-414, mixed mode)

This on a MacMini2,1, OS X 10.7.3 build 11D50

I have Java installed because CrashPlan requires it.

item.155441

MacInTouch Reader

Andrew Main asked...

I don't know where Intego found an 002 version. Anyone else?

I ran Software Update today and it said I needed to install:

"Java for OS X 2012-002 delivers improved compatibility, security, and reliability by updating Java SE 6 to 1.6.0_31."

This also included instructions to quit any web browsers and Java applications before installing. I do not recall if I closed my browser when I installed the Java for OS X 2012-001 on Tuesday. I have gotten spoiled about installing software without closing all applications. Perhaps this is a second release to catch the systems where the first update did not install properly.

item.155451

Simon Wagstaff

Re. detecting Java/Flashback malware:

http://www.clamxav.com

"ClamXav is a free virus scanner for Mac OS X. It uses the very popular ClamAV open source antivirus engine as a back end and has the ability to detect both Windows and Mac threats."

ClamAV appears to be regularly adding the Flashback malware to its database:

Search Results: flashback

item.155454

Steve Brecher

Re:

...a serious, open Java security hole has only belatedly been patched via Apple, and only for Mac OS X 10.6 and 10.7. -Ric Ford

W/r 10.6: only 10.6.8. On 10.6.7 the patch issues an alert saying that 10.6.8 is required.

item.155455

Steve Brecher

Matt P said,

"Correct me if I'm wrong... but after perusing the 'fix' solutions for this Java issue, it seems it's not going to be able to do anything unless I actually put in my password..."

That is not correct. A password is not required, although it changes the logic path of the malware.

item.155456

Steven MacDonald

Re:

"Is there any information on how to determine whether one has been infected by this Java exploit?"

see: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

item.155446

Mike Viksna

Steve St-Laurent:
"Is there any information on how to determine whether one has been infected by this Java exploit?"

From the links provided here on MacInTouch, I arrived at http://www.f-secure.com/weblog/archives/00002336.html.

About half way down the page they provide a terminal command to check for infections:

defaults read /Applications/%browser%.app/Contents/Info LSEnvironment

Cut and paste that into a terminal window, substituting your browser for "%browser%" (e.g., defaults read /Applications/Safari.app/Contents/Info LSEnvironment). Followed by return/enter. Repeat for all browsers you use.

If I'm reading the instructions correctly you will get a response of "The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist" if you are not infected.

If you are infected, follow the instructions on the page for removal.

This has been a major black eye for Apple. I didn't install Java from Oracle's site and I don't think most people will associate the exploit with Oracle's "failure" to provide an update for Java on OS X. I did use software update to install both the Java updates without issue (as opposed to downloading a .dmg, which seems to be causing problems).

As an aside, I did install Flash from Adobe's site and curse them, not Apple, every time a new exploit requires a new update... and I do use Chrome because of its built-in Flash, but I trust Google only slightly more than I trust the hackers out there exploiting Flash vulnerabilities.
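The LSEnvironment check described in item.155435 and item.155446 above, wrapped as a script that reads each browser bundle and interprets the result. This is an added example, not part of any reader's post or of F-Secure's instructions; the function names, status words and the sample library path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: interprets the output of
#   defaults read <browser>.app/Contents/Info LSEnvironment
# using the outcomes described in the posts above.

# Constructed sample outputs (the library path is a made-up placeholder).
SAMPLE_MODIFIED='{
    "DYLD_INSERT_LIBRARIES" = "/path/to/CONSTRUCTED-EXAMPLE.lib";
}'
SAMPLE_UNMODIFIED='The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist'

# classify_lsenv TEXT -> suspicious | unmodified | unknown
# "unmodified" only means this one indicator is absent; as the first post
# says, the check is not totally conclusive.
classify_lsenv() {
    case "$1" in
        *DYLD_INSERT_LIBRARIES*) echo suspicious ;;
        *"does not exist"*)      echo unmodified ;;
        *)                       echo unknown ;;
    esac
}

# extract_dyld_path TEXT -> value assigned to DYLD_INSERT_LIBRARIES, if any
extract_dyld_path() {
    printf '%s\n' "$1" | sed -n \
      's/.*DYLD_INSERT_LIBRARIES"\{0,1\}[[:space:]]*=[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p'
}

# check_browser /Applications/Name.app -> one status line for that bundle
check_browser() {
    app=$1
    # A browser that is not installed would also produce "does not exist",
    # so report it separately instead of counting it as unmodified.
    if [ ! -d "$app" ]; then echo absent; return 0; fi
    out=$(defaults read "$app/Contents/Info" LSEnvironment 2>&1) || true
    status=$(classify_lsenv "$out")
    if [ "$status" = suspicious ]; then
        echo "suspicious: $(extract_dyld_path "$out")"
    else
        echo "$status"
    fi
}

# On a Mac, check the browsers named in the posts plus any bundle paths
# passed as arguments. Skipped where the `defaults` tool is not available.
if command -v defaults >/dev/null 2>&1; then
    for app in /Applications/Safari.app /Applications/Firefox.app "$@"; do
        printf '%s\t%s\n' "$app" "$(check_browser "$app")"
    done
fi
```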

item.155431

Jmar Gambol

Was I the only one surprised to find I had never installed Java on my most recent reinstall of Lion?

item.155413

David Henderson

I found this email at:
   http://prod.lists.apple.com/archives/java-dev/2012/Apr/msg00022.html

Java developers,

Today we re-shipped our Java 1.6.0_31 for OS X Lion today to address a critical issue we found in Xcode and the Application Loader tool. This new "Java for OS X 2012-002" package is effectively identical to "Java for OS X 2012-001", with the exception of a few symlinks and version numbers.

For the sake of expediency, we have re-rolled the automatic update as our standard full combo updater, with the hope that most users have not yet been presented with 2012-001. We considered creating a delta update for users who already installed 001, but that would have made the process of getting these fixes to you take longer.

We apologize for the inconvenience, and would like to offer our thanks to the developers who caught this issue and reported it to us as quickly as they did. This issue only impacts Lion users, so Snow Leopard users have nothing to reinstall.

Over the next few days, we will catch up with producing updated release notes, tech notes, and developer packages with the revised 002 version numbers.

<snip>

item.155410

Bill Martin

Re:

"Java(TM) SE Runtime Environment (build 1.6.0_31-b04-413-10M3623)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01-413, mixed mode)"

Actually, mine reads one bump up:
java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04-414-11M3626)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01-414, mixed mode)

Apr. 7, 2012

item.155423

Gary Kellogg

I disabled Java desktop (i.e., stand alone) applications using Java Preferences. Soon after, I went to use myPhoneDesktop and it failed to launch because it could not find Java.

I fired up "About This Mac" and checked the Software section. myPhoneDesktop did not appear there. Only listings were Intel, Universal, and PPC. So how to determine at least roughly which of my apps are Java? I opened the package contents and noticed a number of files inside with ".jar" extensions.

So I used the freeware program "EasyFind" to search Applications and its subfolders for package contents containing ".jar" files. A number of them came up. On my system, I have PDF OCR X, the Configuration portion of Adobe Fireworks, myPhoneDesktop, the Configuration portion of Adobe Dreamweaver, Zumocast, a portion of GraphicConverter, Cyberduck, and TiVo Transfer.

There are enough of these for me to consider either scripting to enable Java, launch an app, and then disable Java on closure if possible or to just leave Java for Desktop operational. What are your opinions of this? It seems that Java under Safari is the primary vector for malware, and I have had that switched off since I don't know when.
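The same inventory from the Terminal, as an added example that is not part of the post above: it lists each application bundle that contains `.jar` files, which gives a rough picture of what depends on Java before it is switched off. The function name and output layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: inventory application bundles that ship .jar files.

# list_java_bundles DIR
# Prints "<jar count><TAB><outermost .app bundle>" for every bundle under
# DIR that contains at least one .jar file, sorted by bundle path.
# .jar files that are not inside any .app bundle are ignored.
list_java_bundles() {
    tab=$(printf '\t')
    find "$1" -type f -name '*.jar' 2>/dev/null |
    awk -F/ '{
        path = ""
        for (i = 1; i <= NF; i++) {
            path = (i == 1 ? $i : path "/" $i)
            # Stop at the first (outermost) component ending in .app, so
            # helper bundles nested inside a larger application are
            # attributed to the application the user actually launches.
            if ($i ~ /\.app$/) { count[path]++; break }
        }
    }
    END { for (b in count) printf "%d\t%s\n", count[b], b }' |
    LC_ALL=C sort -t "$tab" -k2
}

# On a Mac, report on the standard Applications folder.
if [ -d /Applications ]; then
    list_java_bundles /Applications
fi
```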

item.155426

Gene Woodward

Reader Lachlan David commented:

My financial institution uses Java to provide their internet banking service - which fills me with confidence right about now.

I believe you're saying that you access banking services from your web browser, and that the [financial institution] is running java on their servers. If so, let me ask:

How exactly would your bank's servers become infected with such malware?

Client machines connecting to arbitrary websites are used very differently than java application servers at a [financial institution]. Connections to such servers are highly restricted: you may see responses from such servers, but your direct connection is to a webserver that passes your requests along to a java application server. Direct connections to the java server from the internet would not pass any [financial institution]'s security policies. Connections from the server to the internet would likewise be restricted.

Frankly, I'd be more worried about malware installed on a personal computer used to log in to the [financial institution]. Use an infected computer and your keystrokes could be captured or your browser's session hijacked (among other things).

item.155443

MacInTouch Reader

More results after my disabling Java system-wide (on Snow Leopard) a couple of days ago...

I just decided to check the Java Preferences.app (in the Utilities folder) again. This time, when I double-clicked it, my Hands Off firewall (similar to Little Snitch) gave me a series of network alerts, unlike last time. Most of them were for contacting weird network addresses like "::1 on TCP port 50306" and "::ffff:127.0.0.1" -- I recognize the second one as a local non-routable address but have no idea what the first one is. I allowed these connections. But then Java Preferences.app tried to connect to a *real* IP address that Hands Off identified as belonging to Zedo.com. According to Wikipedia, Zedo is an advertising network.

Why the hell is an Apple application for adjusting Java preferences trying to connect to an ad network?!

Regarding the cross-platform issues that somebody else mentioned, my Windows 7 running inside VMware Fusion is now generating a whole series of warnings/errors inside the Windows "Action Center" about things like my video card not working, Internet Explorer not working, Winamp having problems, etc. None of these warnings are true: everything appears to be working normally.

Are these events -- the BBC videos playing well for the first time, attempts to contact Zedo, and my Windows VM generating false warnings -- are they all just coincidences, or are they fallout from my disabling Java system-wide?

item.155467

MacInTouch Reader

Several people have already chimed in with examples of things that no longer work if Java is disabled, such as the Eclipse development environment and Moneydance.

To add to the list, several installers and updaters rely on Java, such as the installer for GoToMeeting. WebEx also uses Java. In addition, components of OpenOffice use Java, as do several other open source application suites.

item.155471

Graham Needham

Some parts of Adobe Creative Suite and their individual applications require Java to run. See Install Java (JRE) | Mac OS 10.7 Lion [Adobe help]

Typically, Adobe does not list specific products or components though.

item.155478

MacInTouch Reader

To the many folks advising 'just turn off Java, Macs don't really need it anymore'... I offer the following:

When Intuit did not offer an Intel version of Quicken 2007 the huge user base of finance applications, specifically Quicken 2007, were faced with finding an alternative. One of the most popular alternatives was, and is, Moneydance.

Guess what Moneydance needs to work?

Yup, Java!

item.155482

Thomas Banacek

Lachlan David asked:

"My financial institution uses Java to provide their internet banking service - which fills me with confidence right about now."

The security issue has no bearing on apps that run using java. It doesn't magically make your bank's data corrupted or vulnerable. If such was a concern, you should just stop using the Internet to do banking, since browsers have issues all the time.

The issue here is a specially crafted program can get installed and run on your computer without your knowledge (which is why I find it hilarious when 'expert' Mac users keep saying this only affects the stupid uncaring "type your password without thinking" users; since they could be infected and not know it).

As to delivery, the usual way is through hacked web sites (that's also how a lot of Windows malware gets distributed). So you could go to what you think is a safe site, and still get infected.

Once it's installed, it could do anything it was programmed to do. Some people will argue it doesn't count as an infection unless it gets root access. To me, user access is bad enough. They have the capability to read/transmit all your files, or delete them if they desire. I would rather be on a botnet than have my files be deleted or uploaded somewhere!

Finally, years ago there was a report on how Mac OS X caches your admin rights (or was it sudo) when you typed in your password. This could be exploited by a program running in the background that could look for certain activity then try to issue a sudo command or the like to piggy back on the granted rights. The theory being, you're infected, program running in the background in the user space, and then you go and, I don't know, install iWork. At that point, the malware gets root access and infects deeper.

Any idea if that is still the case?

[If you use the "sudo" command and provide a password, that password/authorization will be retained for a little while, so subsequent use of sudo will work without re-entering a password. You can see similar behavior on the App Store on an iPhone, where entering your AppleID password will provide persistent authorization for a little while (e.g. for App updates). I haven't heard of this mechanism being abused by Mac malware, so far, but that might be possible. -Ric Ford]

item.155484

Norman Walker

I agree with Mike Kraemer! Does anyone know anyone who has personally experienced this malware? I have checked every Macintosh in my office, home, children's, grandchildren's and friends, using the terminal solutions offered by F-Secure, and found nothing! Nada, zilch, zero! All these machines are very heavily online!

item.155477

MacInTouch Reader

... A 'free' Developer account might have noticed that Apple has had a Preview available since mid-February 2012 for the Java-1.6.0_31 official update (at the time showing build-level 10m3616 for the SL/10.6.8 system which I still must stay with; there was a Preview of _31 for Lion available also at that time).

Of course, since _31 is now "officially" official, the Previews have disappeared there (I just checked before typing/sending this note).  But I've kept a copy of the SL _31 Preview, if for no other reason than to have some evidence of lack of promptness in releasing a fix for the possibly huge trojan problem.

I came across the known security hole when I let Firefox run thru http://www.mozilla.com/plugincheck/ (I very-rarely use Safari and most-other browsers).  If you have not upgraded to _31 (either using the Preview build or the official release of it), the plugincheck page will flag the java plugin as having a known problem, and provides a link to the usual http://www.java.com/en/download/manual.jsp place for non-Macs to fetch the updated version.  (Both Mac java plugins were flagged in my system: the official JavaPlugin2_NPAPI.plugin as well as the  MRJPlugin.plugin from the JEP project at http://javaplugin.sourceforge.net/ -- and yet I did not have any indications of actually being infected according to F-Secure's procedure.) ...

item.155489

Stephen Spector

I can tell you at least *one* thing that got fixed [in Java for OS X Lion 2012-002]. Stanza is an app that uses Java to read pubs. It worked fine until update 001. It crashed the Java application stub in 001. It works again in 002.

item.155490

Tracy Valleau

Norman Walker asked if anyone has actually experienced this malware. I spent some time with one of my less-savvy clients yesterday telling him how to remove his infestation.

It's real.
