Previous 1 2 Next 22 Replies Latest reply: Jun 7, 2012 5:59 PM by thomas_r.
thomas_r. Level 7 Level 7 (30,460 points)

There is an active malware outbreak right now that uses Java vulnerabilities to install itself without user interaction!  All Mac users need to ensure Java is up-to-date IMMEDIATELY!  For more information, see:

 

Flashback infections becoming widespread

 

(Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

  • WZZZ Level 6 Level 6 (12,755 points)

    It looks like updating Java is not enough: this person was infected, even though the most recent Java was installed. In this case, security update 2012-001 was not promptly installed, and it appears the update along with the Java _29 are both needed to prevent  infection. If those are present, then they resort to a social engineering trick, using a fake Apple certificate.

     

    http://blog.intego.com/new-flashback-trojan-horse-variant-uses-novel-delivery-me thod-to-infect-macs/

  • thomas_r. Level 7 Level 7 (30,460 points)

    According to Intego, the vulnerabilities are fixed by the Java update.  Security update 2012-001 should not have anything to do with this.  My guess would be that that poster was infected before he realized it, and before installing that Java update.

  • joblard Level 1 Level 1 (0 points)

    The vulnerabilities are fixed but not the third fake certificate attack.

    http://blog.intego.com/new-flashback-trojan-horse-variant-uses-novel-delivery-me thod-to-infect-macs/

  • thomas_r. Level 7 Level 7 (30,460 points)

    True, and that's not something to sneeze at, but it's the invisible, behind-the-scenes installation that concerns me most.

  • WZZZ Level 6 Level 6 (12,755 points)

    In addition to updating Java, I would advise keeping Java disabled in the browser>Preferences. I always run like this anyway, since Java is known as a malware vector. (The NoScript extension for Firefox will keep all plug-ins disabled.) Very few sites need Java applets. I can go for years without needing Java in the browser. Who knows what they might try next.

  • thomas_r. Level 7 Level 7 (30,460 points)

    I agree.  I recommend that on my malware guide, and don't even have Java installed myself.

  • seventy one Level 6 Level 6 (11,395 points)

    Hello WZZZ,

     

    This discussion suddenly went dippy ... couldn't get a response from reply button then up comes the message of an Apple update.   I switched from Safari to Firefox and its now working.

     

    Re Java.   For Safari, are you suggesting we run the browser after unchecking both 'enable Java' and 'enable Javascript'?

     

    And for Firefox?  For those who don't use noscript?

  • WZZZ Level 6 Level 6 (12,755 points)

    Just go into the Preferences in whatever browser and uncheck Java. I'm sorry for the rapid answer, but I'm running out right now. You don't need NoScript to disable Java.

     

    Oh wait, in Firefox, it's inTools> Add-ons>Plugins.

  • ds store Level 7 Level 7 (30,315 points)

    Java turned off in Firefox/Safari preferences, haven't used Java in years.

     

    Firefox + NoScript, Ghostery, Ad Block Plus, HTTPS Everywhere, WOT (web of trust saved me a few times!) Certificate Patrol.

     

    Check the status of plug-ins routinely here (all browsers checked)

     

    https://www.mozilla.org/en-US/plugincheck/

  • ds store Level 7 Level 7 (30,315 points)

    seventy one wrote:

     

    Re Java.   For Safari, are you suggesting we run the browser after unchecking both 'enable Java' and 'enable Javascript'?

     

     

    Turn off Java in Safari/Firefox preferences, it's been highly insecure for a long time and rarely used.

     

    If you ever have a need for it and trust the site, then turn it on and reload the page.

     

     

    Turn Javascript on, it's used quite often on many websites and in Safari there isn't a easy way to turn it on/off on a per site basis like what NoScript does for Firefox.

     

     

    seventy one wrote:


    And for Firefox?  For those who don't use noscript?

     

    Same for Firefox, turn off Java in the Add-ons > Plug-ins. Turn on Javascript.

     

    If you want additional protection against script based browser exploits (the one's you have turned on, like Javascript, Flash, Silverlight etc) on a per site/trust basis, then install NoScript (Firefox only) and drag a Temporaily allow all button to Firefox's Toolbar area.  (view > toolbars . customize)

     

    http://noscript.net/

  • seventy one Level 6 Level 6 (11,395 points)

    Big Thank you, ds store (and WZZZ).  I'll look again at NoScript.   I half remember having some problems with that one a few months ago ... but it was probably my fault!

  • ds store Level 7 Level 7 (30,315 points)

    NoScript is quite powerful and thus complicated, but usually most all people need to know is to drag a Temp button to the toolbar to allow scripts to run if they need it.

     

    If the website tries any other funny business, Noscript will step in and inform you.

     

    It's the best "web cop" software on the Internet, adding Web of Trust (WOT) is another great asset.

  • thomas_r. Level 7 Level 7 (30,460 points)

    For Safari, are you suggesting we run the browser after unchecking both 'enable Java' and 'enable Javascript'?

     

    Just to add to what has already been said, it's worth reminding those who may not know that Java and JavaScript are completely separate entities.  A vulnerability in Java does not apply to JavaScript.

     

    You definitely want Java updated, and unless you have a compelling need for it, I agree with everyone else that it should be turned off in your browser.  If you're running Lion, and don't yet have Java installed, don't install it unless you need it for some specific purpose.  I have chosen, for example, to delete NeoOffice, which I seldom used, rather than install Java so that I could keep it.

     

    As to JavaScript, note that that is far more secure.  Not that it isn't used for nefarious purposes - it's generally behind all the "drive-by downloads" and whatnot.  But it can't install anything on your machine, it can only be used by social exploits to try to trick you into installing something.  Disabling it globally will ruin functionality on many legit web sites.  So you probably want to keep that on.  Using NoScript in Firefox is certainly an option if you use Firefox, but having that kind of control over JavaScript is not such a compelling need that you should switch over to Firefox if you prefer Safari.

  • seventy one Level 6 Level 6 (11,395 points)

    Thank you Thomas (and ds, once again).

Previous 1 2 Next