Welcome to MacTalk Australia

the largest Australian community for Apple discussions and topics

  1. #1
    Brains, Still stuck in 1984

    Join Date
    Mar 2005
    Location
    Inside your head
    Posts
    6,559

    Unpatched Java leaves Macs vulnerable, thousands infected. Sec Update now available

    Malware culprit found.

    A series of vulnerabilities found in Oracle's Java 1.6.0b29 back in February has left Mac OS X users vulnerable to a browse-by malware attack under the name "FlashBack" for the past two months as Apple delayed releasing a security patch to bring their code in-line with Oracle and version 1.6.0b31.

    According to Apple's security bulletin released today:

    Multiple vulnerabilities exist in Java 1.6.0b29, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.
    The package delivered by the Java applet places two copies of the payload into the system, and adds them as launchagent entries where they are executed at next boot, receiving their runtime authorisation as part of the log-in procedure.

    According to F-Secure, the malware payload currently has a zero detection rate on Mac OS X by all anti-malware suites, including clamxav, Sophos and Trend Micro. Technical details and disassembly of the malware package can be found here.

    One of the more common signs of infection is the presence of files called ".mkeeper", with another similarly-named file in ~/Library/Extensions. To check, you will need to use a third-party directory search tool such as Devon Software's free "EasyFind", which physically walks the entire directory structure including system-level and hidden files for search items.

    Apple have released -- two months after the vulnerability was patched in all other JRE distributions -- a Critical Security Update for all users of Mac OS X 10.6 Snow Leopard and Mac OS X 10.7 Lion. Check your Software Update now.
    Last edited by Brains; 4th April 2012 at 07:48 AM.

  2. #2

    Join Date
    Dec 2007
    Location
    Bundaberg
    Posts
    137


    Thankee Brains; downloaded and installed.

  3. #3

    Join Date
    May 2008
    Location
    Melb
    Posts
    236


    Thanks for the info.

  4. #4
    Scythe, Mac Plus user

    Join Date
    Oct 2008
    Location
    Melbourne
    Posts
    12


    Thanks for the info,

    Using software update (as usual) I installed the update 'Java for OS X 2012-001' but immediately software update then wants to install 'Java for OS X 2012-002'.

    What gives? No mention of this second update on Apple support site... I'm suspicious and have not installed 'Java for OS X 2012-002'.

    ---------- Post added at 12:37 PM ---------- Previous post was at 12:01 PM ----------

    Just found a discussion on this 2nd Java update over at Whirlpool and one poster found: "The -002 update takes the (Lion) version from 1.6.0_31-b04-413 to -414 so some changes have obviously been made." This version number is found in the Java Preferences utility (should be in your Utility folder).

    I went ahead and installed the 2nd update and no obvious problems so far. The version number on the JavaVM reported by System Information under Frameworks is '14.2.1'. Hopefully Apple will update their support site and knowledge base soon.

  5. #5

    Join Date
    Jan 2010
    Posts
    36


    Instructions on how to check if your Mac has been infected:

    How to Check for the Flashback Trojan in Mac OS X

  6. #6

    Join Date
    Mar 2010
    Location
    Hills District, Sydney
    Posts
    916


    Quote, originally posted by Brains:
    Apple have released -- two months after the vulnerability was patched in all other JRE distributions
    This is disappointing - two months after everyone else?
    Cheers
    Mick

  7. #7
    soulman, Electric Sheep

    Join Date
    Apr 2004
    Location
    NE Vic
    Posts
    2,240


    Quote, originally posted by Scythe:
    I went ahead and installed the 2nd update and no obvious problems so far. The version number on the JavaVM reported by System Information under Frameworks is '14.2.1'. Hopefully Apple will update their support site and knowledge base soon.
    The second update is Lion only and not too different. This email was posted to the Java-dev mailing list by an Apple employee:
    Java developers,

    Today we re-shipped our Java 1.6.0_31 for OS X Lion today to address a critical issue we found in Xcode and the Application Loader tool. This new "Java for OS X 2012-002" package is effectively identical to "Java for OS X 2012-001", with the exception of a few symlinks and version numbers.

    For the sake of expediency, we have re-rolled the automatic update as our standard full combo updater, with the hope that most users have not yet been presented with 2012-001. We considered creating a delta update for users who already installed 001, but that would have made the process of getting these fixes to you take longer.

    We apologize for the inconvenience, and would like to offer our thanks to the developers who caught this issue and reported it to us as quickly as they did. This issue only impacts Lion users, so Snow Leopard users have nothing to reinstall.

    Over the next few days, we will catch up with producing updated release notes, tech notes, and developer packages with the revised 002 version numbers.

  8. #8
    Biallystock, Banned

    Join Date
    Apr 2011
    Posts
    829


    Install Little Snitch.

    It offered protection against this particular trojan and it is a good idea to keep an eye out for unauthorised external links.

    Apple deserves to get its hand smacked for being so slow to fix what was a major breach of security. It is symptomatic of their current attitude to users. Can't be bothered working on something if there isn't a buck to be made, taking their users for granted and presuming they are too stupid to notice. The latter is unfortunately pretty much the case, judging on what I have seen in the Apple Stores and on Apple's support forums lately.

  9. #9
    soulman, Electric Sheep

    Join Date
    Apr 2004
    Location
    NE Vic
    Posts
    2,240


    There is a comprehensive article about it here & below is an AppleScript for checking whether you're infected or not.

    Select everything in the "Code" box, copy it and then paste it into an AppleScript Editor (in your Utilities folder) document. It just runs the commands listed in this F-Secure article & tells you if there is any infection:
    Code:
    property removalInstructionsURL : "http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml"
    property notFoundString : "does not exist"
    property goToWebButton : "Go to Web Site"
    
    property authorString : "Check for Flashback by Richard Morton 2012" -- distribute freely, give credit
    
    set {insLibFound, safariInfected, firefoxInfected} to {true, true, true} -- initialise some variables
    
    try --  check the system
    	do shell script "defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES"
    on error errMsg number errNum
    	if errMsg contains notFoundString then set insLibFound to false
    end try
    
    try --  check Safari
    	do shell script "defaults read /Applications/Safari.app/Contents/Info LSEnvironment"
    on error errMsg number errNum
    	if errMsg contains notFoundString then set safariInfected to false
    end try
    
    try --  check Firefox
    	do shell script "defaults read /Applications/Firefox.app/Contents/Info LSEnvironment"
    on error errMsg number errNum
    	if errMsg contains notFoundString then set firefoxInfected to false
    end try
    
    if insLibFound or safariInfected or firefoxInfected then -- sucks to be you
    	set userChoice to button returned of (display dialog "Your Mac appears to be infected with the Flashback trojan." & return & return & "F-Secure have instructions for removing it.  Click \"" & goToWebButton & "\" to read them now." buttons {goToWebButton, "Not Now"} default button 2 with icon 0)
    	if userChoice is goToWebButton then open location removalInstructionsURL
    else
    	display dialog "Your Mac does not appear to be infected with the Flashback trojan." & return & return & "Make sure you have the latest security updates installed - select \"Software Update…\" from the Apple Menu - and consider disabling Java." buttons {"OK"} default button 1 with icon 1
    end if
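
The same three checks as a shell script for Terminal, added here as an example and not part of soulman's post or the F-Secure article: it runs the `defaults read` commands from the AppleScript above, reports a failed read separately from a found key, and prints the value of any key that exists. The function names and the three-state verdict are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): the three `defaults read` probes,
# each reported as absent / present / unknown.

NOT_FOUND='does not exist'    # same marker string the AppleScript matches

# classify STATUS OUTPUT -> prints absent | present | unknown
classify() {
    if [ "$1" -eq 0 ]; then
        echo present                        # key exists: inspect its value
    else
        case "$2" in
            *"$NOT_FOUND"*) echo absent ;;  # domain or key is missing
            *)              echo unknown ;; # read failed for another reason
        esac
    fi
}

# check DOMAIN KEY -> prints one result line and updates scan_verdict
check() {
    out=$(defaults read "$1" "$2" 2>&1) && status=0 || status=$?
    state=$(classify "$status" "$out")
    printf '%-8s %s %s\n' "$state" "$1" "$2"
    if [ "$state" = present ]; then
        printf '%s\n' "$out" | sed 's/^/    /'   # show what the key holds
        scan_verdict=indicator
    elif [ "$state" = unknown ] && [ "$scan_verdict" = clean ]; then
        scan_verdict=unknown
    fi
}

# flashback_scan -> per-probe lines, then "verdict: clean|indicator|unknown"
flashback_scan() {
    scan_verdict=clean
    check "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES
    check /Applications/Safari.app/Contents/Info LSEnvironment
    check /Applications/Firefox.app/Contents/Info LSEnvironment
    echo "verdict: $scan_verdict"
}

# Run only where the macOS `defaults` tool is present.
if command -v defaults >/dev/null 2>&1; then
    flashback_scan
fi
```

A verdict of `unknown` means at least one read failed for a reason other than a missing key, so that probe should be repeated by hand before the machine is treated as clean.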
