Author Topic: Java security issue? **Apple releases UPDATE**  (Read 4903 times)

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26388
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
    • View Profile
    • Mid-South Weather
Java security issue? **Apple releases UPDATE**
« Reply #15 on: April 04, 2012, 11:46:45 AM »
kimmer has provided screen shots of the Java Preferences App that you will find in your Utilities directory, I think you've already found it. Note, if you don't have file suffixes enabled the app won't have ".app" on the end of the name, which just adds confusion to the name, in my opinion. When you run that app, you'll see the Runtime versions installed on your System (see kimmer's first image). Simply un-check any that you don't want to run and they will, thus, be dis-abled.

Here's a screen shot of the Safari Java settings.
[attachment=2535:Safari_J...settings.gif]


BTW, who said it was "evil?" Not me. But Apple has been discouraging its use for several years. That's warning enough for most developers, I would think. Those that refuse to read the "writing o the wall" just don't care about Mac users, IMHO. That's why I looked for a replacement for the financial software that was a replacement for that other Mac "stalwart," Quicken. Java is/was great for building cross-platform apps, but its obviously slower than native code and doesn't always make use of the built-in APIs, so why depend on it? That's why I suggest complaining/dropping any app that requires it; voting with the wallet.

Interweb use is another matter, it amazes me that some sites (banks?!) use Java as a "security" measure! To my mind, using a known malware vector for "security enhancement" is a sign of lazy developers/ignorant IT/"it's the way we've always done it" thinking. "Stupid is not always 'evil' but it's still stupid!" laughhard.gif

I wasn't aware that JAlbumn used of Java, I figured the "J" was for javascript, which I avoid, also, particularly on a website. Only time I am tempted is for CSS alternatives for IE, but I figure those users can "enjoy" their problems until MS figures out their 800 pound gorilla is on a speed diet! But I don't have to support any commercial clients, fortunately. Nor do I need any support for anything in MS Office, again, fortunately. clap.gif

All that said, Java is available for those who want/need it. But the user is the one responsible for keeping it up-to-date. If you want to use it, know how to keep it up-to-date and stop expecting Apple to do it for you. They have made it clear they no longer support it. Frankly, this update seems pretty fast to me, the posting I made about it is only a few weeks old. dntknw.gif
« Last Edit: April 04, 2012, 12:13:01 PM by Xairbusdriver »
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline kimmer

  • Administrator
  • TS Addict
  • *****
  • Posts: 9086
    • View Profile
Java security issue? **Apple releases UPDATE**
« Reply #16 on: April 04, 2012, 02:14:02 PM »
I downloaded the updates to Safari and java (and yeesh, now my iMac is sluggish!).

NOW ... please give me some guidance here. Since I'll need java to run OpenOffice I turned java back on (see 1st screen shot). It seemed to be an "all or nothing" type of thing so both versions are enabled, but I guess that's okay. I also turned on the temp file button. Where I'm totally confused now is what do I turn back on under security and verify? See my last 3 screen shots for more info.

This is an interesting discussion. Thanks.

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26388
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
    • View Profile
    • Mid-South Weather
Java security issue? **Apple releases UPDATE**
« Reply #17 on: April 04, 2012, 03:16:26 PM »
I think you can just use the General pane to disable Java until you need it. The app that needs it should attempt to open/run the VM and then throw up a small dialog asking you to "install" Java. But all you need to do is just use the Java Preferences app to enable it, again. That is, unless you also need to restart the Mac! rolleyes.gif I haven't actually tried disabling it and turning it back on, but those prefs should stay set between times. BTW, I have practically all those items in the next to last shot checked! wink.gif

Further, I did the update earlier and I'm not seeing any changes in speed. dntknw.gif You might try tapping the side of your iMac (not too hard, mind you) to see if you have any stuck electrons. scram.gif
« Last Edit: April 04, 2012, 03:18:08 PM by Xairbusdriver »
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline krissel

  • Administrator
  • TS Addict
  • *****
  • Posts: 14735
    • View Profile
Java security issue? **Apple releases UPDATE**
« Reply #18 on: April 06, 2012, 09:25:12 PM »
Ars has an article that explains how to check your Mac for "infection" and how to get rid of it if you are one of the unlucky ones.

http://arstechnica.com/apple/news/2012/04/...d=related_right


Turning Java off in my browsers is one of the first things I do when I set up a new one. Haven't really run into much need to activate it.
« Last Edit: April 06, 2012, 09:26:14 PM by krissel »


A Techsurvivors founder

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26388
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
    • View Profile
    • Mid-South Weather
Java security issue? **Apple releases UPDATE**
« Reply #19 on: April 06, 2012, 10:01:52 PM »
C|Net is claiming that a "security" company in Russia (aka, Dr. Webb) is now offering a web site that will run the three extremely simple Terminal commands that will show if you are infected. I think C|Net has reached a new low in the ethics department. rolleyes.gif And probably the "intelligence" area, also. wallbash.gif I'm sure much of the paranoia about AV developers creating malware just to prove you need their software is just that: paranoia. But I find it incredible that anyone would suggest visiting a site in a location known for delivering more malware than anywhere else in the galaxy in order to determine ones computer 'health!'. Updates the old saying a little: "The 'bear' is guarding the hen house!?" laughhard.gif

Has anyone seen even a link to a site that purports to know of someone who has seen a computer that is actually infected? dntknw.gif wacko.gif
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline Paddy

  • Administrator
  • TS Addict
  • *****
  • Posts: 13797
    • View Profile
    • https://www.paddyduncan.com
Java security issue? **Apple releases UPDATE**
« Reply #20 on: April 07, 2012, 06:09:34 PM »
Yup - someone at ehMac says he got it. http://www.ehmac.ca/mac-ipod-help-troubles...moval-help.html

And in another discussion, the claim that 600,000 Macs are infected is discussed:

http://www.ehmac.ca/mac-ipod-help-troubles...an-alert-9.html
"If computers get too powerful, we can organize them into committees. That'll do them in." ~Author unknown •iMac 5K, 27" 3.6Ghz i9 (2019) • 16" M1 MBP(2021) • 9.7" iPad Pro • iPhone 13

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26388
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
    • View Profile
    • Mid-South Weather
Java security issue? **Apple releases UPDATE**
« Reply #21 on: April 07, 2012, 08:41:23 PM »
I've seen those numbers reported, actually attributed to that "Dr. Webb." But that is a wee bit short of a credible source, in my humble opinion. rolleyes.gif And I'm not about to visit his webb site! I think his(?) site has cross-hairs! laughhard.gif
« Last Edit: April 07, 2012, 08:44:51 PM by Xairbusdriver »
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline Paddy

  • Administrator
  • TS Addict
  • *****
  • Posts: 13797
    • View Profile
    • https://www.paddyduncan.com
Java security issue? **Apple releases UPDATE**
« Reply #22 on: April 08, 2012, 11:15:36 AM »
I agree - "Dr. Web" isn't a reliable source, but Kapersky confirmed the botnet:

https://www.securelist.com/en/blog/20819344...otnet_confirmed
"If computers get too powerful, we can organize them into committees. That'll do them in." ~Author unknown •iMac 5K, 27" 3.6Ghz i9 (2019) • 16" M1 MBP(2021) • 9.7" iPad Pro • iPhone 13

Offline kimmer

  • Administrator
  • TS Addict
  • *****
  • Posts: 9086
    • View Profile
Java security issue? **Apple releases UPDATE**
« Reply #23 on: April 08, 2012, 02:31:51 PM »
I don't know about anyone else, but I'm a bit – actually a lot – confused. We have several threads on this threat, but the upshot is that this is a real threat. I get confused by the terms java and flash. Is this a flash vulnerability or a java vulnerability? My understanding is that it's a java issue. I've downloaded the repair from Apple. I also have java turned off in Safari, but I'm unable to figure out how to turn java off in both Chrome and Firefox.

Now, if I'm correct, a user can figure out easily if their Mac is infected by running 3 simple terminal commands.
QUOTE(Xairbusdriver @ Apr 2 2012, 05:46 PM) <{POST_SNAPBACK}>
Are you referring to this <malware reported a few weeks ago at TS>?


I've run those commands (as has Sneakers), and our iMac's are clean, but how do we keep them clean?

I'd really appreciate someone who understands all this to do a nice, clean, short summary.

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26388
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
    • View Profile
    • Mid-South Weather
Java security issue? **Apple releases UPDATE**
« Reply #24 on: April 08, 2012, 04:08:32 PM »
Well, I'm certainly no expert, and I only understand enough to try to keep the three 'animals' in separate cages! But I never let lack of knowledge prevent my talking about something! blush-anim-cl.gif

This is a security problem that was found in Java. I try to always capitalize it and often add a parenthetical comment that it is not "javascript." Perhaps this except from Wikipedia will help:
QUOTE
Java is a programming language originally developed by James Gosling at Sun Microsystems (which has since merged into Oracle Corporation) and released in 1995 as a core component of Sun Microsystems' Java platform...Java applications are typically compiled to bytecode (class file) that can run on any Java Virtual Machine (JVM) regardless of computer architecture...It is intended to let application developers "write once, run anywhere" (WORA), meaning that code that runs on one platform does not need to be recompiled to run on another. Java is currently one of the most popular programming languages in use, particularly for client-server web applications, with a reported 10 million users.
Note that "client-server" applications are not what most people use on their personal computers.

I also try to always use lower-case for javascript, often emphasizing the "script" part. Again, from Wikipedia:
QUOTE
JavaScript was formalized in the ECMAScript language standard and is primarily used in the form of client-side JavaScript, implemented as part of a Web browser in order to provide enhanced user interfaces and dynamic websites. This enables programmatic access to computational objects within a host environment.
Basically, javascript is not a compiled language. It is merely a text file that your browser uses and interprets to do certain things. It's most widely seen use my regular computer users is in a browser to create actions/behaviors on a web site.

Finally, there is Flash®. I usually add the "®" or "™" symbol to make it plain that it is a product of some company, namely Adobe, Inc.

They are all three separate "animals" all with their own set of problems and best uses. The basic, generalized, key differences:
Java is maintained by Oracle, make it "easy" to write something that will run on any computer that has a virtual machine designed for it.
javascript is simply a text file, just like 99% of what any web site uses. It usually needs your browser to interpret it in order to do anything.
Flash™ is well named as it mainly adds "fluff" to a site and seldom useful decoration/animation to something. That's my opinion, of course! :get sick: It became more and more difficult to make it work on the evolving OSs for computers/tablets/phone/etc.
Read the Wikipedia for more detailed explanations...if you really want to know! :wall bash:

I suspect we all aren't reading new threads as they appear and it may be because we come to TS via different methods. This sometimes leads to duplicate topics in multiple threads. Keeping things organized is why we pay the Administrators the big bucks! laughhard.gif
« Last Edit: April 08, 2012, 04:21:51 PM by Xairbusdriver »
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26388
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
    • View Profile
    • Mid-South Weather
Java security issue? **Apple releases UPDATE**
« Reply #25 on: April 08, 2012, 04:14:32 PM »
QUOTE
how do we keep them clean?
Generally, the same way you avoid all other web-transmitted malware: Avoid untrusted sites, never click an email link, never but pirated software, etc. Of course, you can turn most of these off or simply avoid using them. javascript has several Add-Ons/Plugins available for most browsers that will block it or allow you to let it run, same for Java and Flash. But some sites simply won't be usable without one or all three. Hopefully, HTML5 and CSS3 will help put an end to most javascript. Flash is finally showing its age and lack of wide support and may disappear even before javascript. Java will probably last much longer, if only because it is running on servers.
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline Paddy

  • Administrator
  • TS Addict
  • *****
  • Posts: 13797
    • View Profile
    • https://www.paddyduncan.com
Java security issue? **Apple releases UPDATE**
« Reply #26 on: April 08, 2012, 06:50:45 PM »
Kimmer, your confusion may have something to do with the original way this trojan spread - it was part of a fake Flash installer. From the CNET article Jon linked to:

QUOTE
This malware was initially found in September 2011 while being distributed as a fake Flash Player installer (hence its "Flashback" name). In in the past few months it has evolved to exploiting Java vulnerabilities to  target Mac systems.

While the exploits used by recent variants of the Flashback malware have been for older, patched vulnerabilities, over the weekend another variant surfaced that appears to be taking advantage of Java vulnerability (CVE-2012-0507) that currently is unpatched in OS X.

For OS X systems with Java installed, simply visiting a malicious Web site containing the malware will result in one of two installation routes, both of which have been characteristic of prior variants of the malware. First it will ask for an administrator password, and if supplied it will install its payload into target programs within the /Applications folder. However, if no password is supplied, then the malware will still install to the user accounts where it will run in a more global manner.


So, it would appear that it doesn't just install with no warning whatsoever - there is that initial request. However, it will install itself with no password if none is supplied. I would suggest that if you happen upon a web site that wants to install something (just about anything) just because you've visited the site, that you leave the site immediately.

As for how to disable Java on Chrome, see:
http://www.podfeet.com/wordpress/tutorials...java-in-chrome/

In Firefox:
http://support.mozilla.org/en-US/kb/How%20...0Java%20applets

Hope that helps. smile.gif

I have Java enabled, but turned off in my browsers. I do need Java for various things (some Adobe apps require it, as does JAlbum) but don't generally need it for browsing the web. Do note that some online banking sites require Java and I know that one exception I have in my Java preferences is for a government of Canada web site. Obviously, on trusted sites such as these, you shouldn't have to worry.
"If computers get too powerful, we can organize them into committees. That'll do them in." ~Author unknown •iMac 5K, 27" 3.6Ghz i9 (2019) • 16" M1 MBP(2021) • 9.7" iPad Pro • iPhone 13

Offline kimmer

  • Administrator
  • TS Addict
  • *****
  • Posts: 9086
    • View Profile
Java security issue? **Apple releases UPDATE**
« Reply #27 on: April 08, 2012, 08:37:18 PM »
QUOTE(Paddy @ Apr 8 2012, 03:50 PM) <{POST_SNAPBACK}>
Kimmer, your confusion may have something to do with the original way this trojan spread - it was part of a fake Flash installer.

Yes, thanks! I might have figured this out in a few days, but I'm rummy from the cough syrup. At least that's my excuse. rolleyes.gif

QUOTE
I would suggest that if you happen upon a web site that wants to install something (just about anything) just because you've visited the site, that you leave the site immediately.

yes.gif times 10!

Thanks for the info on Chrome and FF. My prefs were a bit different in Chrome, but I figured it out from the info presented.

QUOTE
I have Java enabled, but turned off in my browsers. I do need Java for various things (some Adobe apps require it, as does JAlbum) but don't generally need it for browsing the web. Do note that some online banking sites require Java and I know that one exception I have in my Java preferences is for a government of Canada web site. Obviously, on trusted sites such as these, you shouldn't have to worry.

I also have it enabled for a few apps, but now it's off in all my browsers (and I can easily turn it on in Safari if my bank site requires me - and I believe they do).

Thanks muchly!

Offline krissel

  • Administrator
  • TS Addict
  • *****
  • Posts: 14735
    • View Profile
Java security issue? **Apple releases UPDATE**
« Reply #28 on: April 10, 2012, 11:24:42 PM »
Apple supposedly is coming up with software to detect and remove said Trojan. Also trying to take down botnet.

http://arstechnica.com/apple/news/2012/04/...ontent=My+Yahoo


A Techsurvivors founder

Offline Xairbusdriver

  • Administrator
  • TS Addict
  • *****
  • Posts: 26388
  • 27" iMac (mid-17), Big Sur, Mac mini, Catalina
    • View Profile
    • Mid-South Weather
Java security issue? **Apple releases UPDATE**
« Reply #29 on: April 11, 2012, 08:25:30 AM »
QUOTE
Apple supposedly is coming up with software to detect and remove said Trojan.
But, but, all they need to do is put a toolbar link to Dr. Webb's site! He has so kindly brought us the alert and created a web-based procedure to do all the work for us poor souls who unwisely visited (and downloaded stuff) other Russian sites. wallbash.gif rolleyes.gif wacko.gif scram.gif
« Last Edit: April 11, 2012, 08:27:34 AM by Xairbusdriver »
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes: