
URGENT: Ensure Java is up-to-date!

There is an active malware outbreak right now that uses Java vulnerabilities to install itself without user interaction! All Mac users need to ensure Java is up-to-date IMMEDIATELY! For more information, see:


Flashback infections becoming widespread


(Note that my pages contain links to other pages that promote my services, and this should not be taken as an endorsement of my services by Apple.)

Posted on Feb 21, 2012 7:38 AM

22 replies

Feb 21, 2012 7:46 AM in response to thomas_r.

It looks like updating Java is not enough: this person was infected, even though the most recent Java was installed. In this case, security update 2012-001 was not promptly installed, and it appears the update along with the Java _29 are both needed to prevent infection. If those are present, then they resort to a social engineering trick, using a fake Apple certificate.


http://blog.intego.com/new-flashback-trojan-horse-variant-uses-novel-delivery-method-to-infect-macs/

Feb 21, 2012 8:21 AM in response to thomas_r.

In addition to updating Java, I would advise keeping Java disabled in the browser>Preferences. I always run like this anyway, since Java is known as a malware vector. (The NoScript extension for Firefox will keep all plug-ins disabled.) Very few sites need Java applets. I can go for years without needing Java in the browser. Who knows what they might try next.

Feb 21, 2012 9:16 AM in response to WZZZ

Hello WZZZ,


This discussion suddenly went dippy ... couldn't get a response from reply button then up comes the message of an Apple update. I switched from Safari to Firefox and it's now working.


Re Java. For Safari, are you suggesting we run the browser after unchecking both 'enable Java' and 'enable Javascript'?


And for Firefox? For those who don't use noscript?

Feb 21, 2012 9:58 AM in response to seventy one

seventy one wrote:


Re Java. For Safari, are you suggesting we run the browser after unchecking both 'enable Java' and 'enable Javascript'?



Turn off Java in Safari/Firefox preferences, it's been highly insecure for a long time and rarely used.


If you ever have a need for it and trust the site, then turn it on and reload the page.



Turn JavaScript on, it's used quite often on many websites and in Safari there isn't an easy way to turn it on/off on a per site basis like what NoScript does for Firefox.



seventy one wrote:

And for Firefox? For those who don't use noscript?


Same for Firefox, turn off Java in the Add-ons > Plug-ins. Turn on JavaScript.


If you want additional protection against script-based browser exploits (the ones you have turned on, like JavaScript, Flash, Silverlight etc) on a per site/trust basis, then install NoScript (Firefox only) and drag a Temporarily allow all button to Firefox's Toolbar area. (view > toolbars > customize)


http://noscript.net/

Feb 21, 2012 10:19 AM in response to seventy one

NoScript is quite powerful and thus complicated, but usually most all people need to know is to drag a Temp button to the toolbar to allow scripts to run if they need it.


If the website tries any other funny business, NoScript will step in and inform you.


It's the best "web cop" software on the Internet, adding Web of Trust (WOT) is another great asset.

Feb 21, 2012 11:35 AM in response to seventy one

For Safari, are you suggesting we run the browser after unchecking both 'enable Java' and 'enable Javascript'?


Just to add to what has already been said, it's worth reminding those who may not know that Java and JavaScript are completely separate entities. A vulnerability in Java does not apply to JavaScript.


You definitely want Java updated, and unless you have a compelling need for it, I agree with everyone else that it should be turned off in your browser. If you're running Lion, and don't yet have Java installed, don't install it unless you need it for some specific purpose. I have chosen, for example, to delete NeoOffice, which I seldom used, rather than install Java so that I could keep it.


As to JavaScript, note that that is far more secure. Not that it isn't used for nefarious purposes - it's generally behind all the "drive-by downloads" and whatnot. But it can't install anything on your machine, it can only be used by social exploits to try to trick you into installing something. Disabling it globally will ruin functionality on many legit web sites. So you probably want to keep that on. Using NoScript in Firefox is certainly an option if you use Firefox, but having that kind of control over JavaScript is not such a compelling need that you should switch over to Firefox if you prefer Safari.

Feb 21, 2012 12:20 PM in response to seventy one

Just a note, Firefox + NoScript prevented the MacDefender trojan which relied upon popping up a JavaScript window that appeared to be from OS X.


However Safari users were severely affected as there is no easy per-site control of JavaScript as NoScript is for Firefox only. Still waiting for such a Safari Extension to appear though.


So there is a definite argument for using Firefox + NoScript, however if you're smart enough to install Firefox + NoScript, you're likely smart enough not to be tricked into clicking a fake JavaScript OS X window in Safari.


If it wasn't for all the other features NoScript protects against, I would just say just be a bit more aware using Safari and use either.


Apple has the benefit, like Microsoft with IE, of that's the browser installed on the machine so it's likely most will use that regardless.


It's those who have graduated to more like poweruser/geek status that may consider using alternate browsers for their certain benefits, added security or features.


In some IT departments, they have everyone using Firefox (or Chrome) regardless of platform (Linux, OS X or Windows) as to make assistance and standardization uniform.
