Mac Virus Is Actually Oracle Java Security Hole
Multiple readers asked The VAR Guy today if he had suffered from a “new” Mac OS X virus. Let’s slow down, folks. The alleged Mac virus reports spreading across the web have little to do with Apple and Mac OS X, and a lot to do with a small security hole in Java — which is owned by Oracle. And by the way, there’s a simple security fix.
Hey, The VAR Guy isn’t pointing fingers here. On the desktop, The VAR Guy runs Mac OS X, Windows and Ubuntu. He’s a cross-platform type of guy. On the server, The VAR Guy uses Oracle Financials for his expense reports. All is well in The VAR Guy’s small but powerful IT world.
Danger Ahead?
But then the emails started — mostly from Mac folks who were worried about security, and from Windows folks who wanted to say Mac OS X is suffering from a big, painful virus outbreak.
Time for a reality check: The mainstream media keeps reporting that more than 600,000 Mac OS X computers have been infected with a virus this week. That’s only “sort of” true. The issue was with Java, controlled by Oracle. As AllThingsD reported:
“Apple has issued a fix to Mac OS X that closes the hole in Java, and you can protect yourself by running Software Update from within your machine’s System Preferences. Today would be a good day to do that if you haven’t already. Once you’ve done this you’re no longer vulnerable to the attack.”
Problem solved. Crisis averted. Blogging continues here for The VAR Guy.
Holistic Security
For VARs and channel partners, this “Mac” security incident offers a prime opportunity to discuss holistic security with your customers.
Get beyond the Mac and Windows security chatter. Focus on total information protection, corporate compliance and other discussions that don’t get bogged down in anti-virus cost-per-desktop calculations.
Whoa whoa whoa. This isn’t accurate at all. The vulnerability for obtaining the malware is through Java files, but it infects the Mac OS. You don’t need to be running Java for it to function as a part of the botnet. No Windows malware is contracted by Windows OS either. Malware of this type rides into machines through security loopholes left open by operating system developers using a third party program.
The botnet comes during execution of a Java file but installs code to the Mac OS. The computer then functions remotely. You can uninstall Java after contracting it, and it will still function, thus it is a Mac OS vulnerability, not Java. This is especially true because Java was patched in February when the vulnerability was discovered, but Apple refuses to allow third party updates from Oracle. This means it became Apple’s job to push the update and they didn’t.
You can pretend Mac is still untouchable, but they aren’t. They just never had the market share for hackers to target them. But don’t lie to your readers, they need to be aware the risk exists with any machine with an internet connection or files being transported via disc or drive to them.
Nathan,
The VAR Guy didn’t say the Mac is untouchable. Of course, users should implement the patch.
-TVG
I apologize, I extrapolated your comment and combined it with Apple marketing. Remember those commercials where “the Mac” was fine while the old white PC had a virus? It was technically true, but not because Mac was more secure. Just because there were less of them.
I just feel that people pretending Macs are safe from malware aren’t helping the company at all.
Nathan,
No need to apologize. The VAR Guy welcomes constructive criticism. -TVG
“but not because Mac was more secure. Just because there were less of them.”
Actually that bit isn’t true. Security by obscurity has always been a fallacy, whatever operating system one is discussing.
Yeah, but here’s where Apple needs to take accountability: on other platforms, Oracle DOES take responsibility for patching.
Apple chose to enforce ALL updates through their own update process on OSX.
Well, Mac is secure when you think of viruses from the mid-90s, as those require the user to download and install a file. That is what hit Windows 95 and XP so hard. But since then malware and trojans have overtaken traditional viruses, and do not always require the same user initiated actions.
IF a hacker wants to go after Macs, they can do so just as easily as going after a Windows-based PC. The problem is, trojans and malware rely on concentration and numbers to spread, and with Apple traditionally at around 6% of the market, there wasn’t the critical mass to spread them, and the effort wasn’t worthwhile.
Apple computers are now 12% of the market, and PCs have a 95% coverage with antivirus software, so Apple looks more attractive as a target.
In addition, Apple has advertised their safety from malware and viruses, using it as marketing to set itself apart from PCs. While Apple products aren’t as afflicted as Windows-based ones, the incidents are on the rise. It will continue to be true as they pick up market share. And Apple needs to drop the “invincible” aspect of their marketing, admit they are susceptible, and provide protection, JUST like Microsoft did with Vista and 7. Otherwise they are burying their head in the sand.
Disclaimers: I use Macs and PCs with Windows and Linux. I also have no particular desire to see Oracle succeed, let alone be publicly observed defending it, but…
The point of failure is within the Java code; however, the reason the recent outbreak is being labeled as a Mac issue really is Apple’s fault. Most users do not compile Java on their workstations, they install binaries that are approved for OS X. Apple requires all Java binaries to be distributed through their delivery system, which was several weeks behind the announcement of the malware’s existence. Oracle published updates to resolve the vulnerability, but Apple chose not to release them right away. Apple also has a policy of failing to acknowledge the existence of issues that affect their systems. As much as I like my Apple products, you cannot excuse that type of negligence.
@Nathan, it’s not right to say people can go after Macs just as easily as they can Windows. OS X is *way* more secure than Windows.
I say this as neither a Windows nor OS X user. I think Apple are as much a vile company as Microsoft and am very amused by the fact they are so controlling about everything being a big part in this security breach. However, let’s face facts: one problem with OS X compared to the never-ending stream of vulnerabilities in Windows-world and one that could easily have been avoided were Apple not such control freaks, well, it’s not time for the Redmond apologists to crow.
This c**p about OS X not having been attacked because of fewer users needs to be stamped out too.
Quite literally the protection that Apple has over Windows is that you are prompted whenever the system installs a file. A stupid user of either product is susceptible to this method. The reason it never took off on the Mac is the numbers issue. It is absolutely a fact that market share is largely the reason Apple has been safe.
Apple has never really addressed the security of its operating system. There is a gateway that makes it harder to sneak files onto a Mac, but they don’t have as deep of a security system as Windows systems. This is due entirely to the very public infections Windows PCs had in the 90s. Microsoft has added protections to their systems to limit the traditional types of attack. There is now a 95% success rate on prevention of attacks. When your install base is 600 million though, that leaves a large chunk of folks who can still encounter issues.
Apple always smokescreens these issues because their excellent marketing pretends they aren’t susceptible, then news like this comes out and people are surprised. 1 in 100 Macs have this virus, which is huge. We haven’t seen a full one percent of Windows machines infected with the same virus since the early 90s. Every hacking and malware expert admits that Macs are safer than Windows PCs because there are fewer of them, and also states that they are just as easy to crack.
The VAR Guy is just checking in and reading all of the comments. Healthy debate. Generally speaking, The VAR Guy doesn’t get wrapped up in the Mac vs Windows security debate because our resident blogger always recommends more of a holistic approach to IT security. Regardless of underlying platform, everything needs to be protected…
-TVG
Unix is an inherently better designed OS than Windows. It really is that simple. If hackers could have got at it they would have. There are a LOT of Windows and Linux machines out there and they just don’t have problems like Windows does. You only have to connect a Windows machine to the Internet without doing anything and it gets infected.
A 95% success rate when you have anti-virus slowing down your machine to a virtual halt. Still lets 5% through. One virus on machines that don’t run anti-virus software. No comparison. 🙂
“No Windows malware is contracted by Windows OS either.”
That’s not correct (about Windows or OS X potentially). At one time, a lot of Windows malware was taking advantage of Windows security holes. Windows security has improved a lot in recent years, so third party security holes and Trojans are much more common on Windows now, but it’s still possible that a security hole could come to light and be taken advantage of.
“You can uninstall Java after contracting it, and it will still function, thus it is a Mac OS vulnerability, not Java.”
Yes, you can uninstall Java after contracting it. No, it is not a Mac OS X vulnerability. That does not follow. You can make an argument that the Java plugin should be sandboxed somehow, but lack of a security feature is not the same thing as an actual vulnerability. Without the Java vulnerability (which existed in Java for every platform) the malware contraction would not have taken place.
“This is especially true because Java was patched in February when the vulnerability was discovered, but Apple refuses to allow third party updates from Oracle. This means it became Apple’s job to push the update and they didn’t.”
Aha. This is perfectly correct, and Apple did drop the ball when it came to keeping up with Java security patches, which most Windows and Linux systems had already been patched against. Apple’s fault that it was still open, yes. Vulnerability in the operating system itself, no.
“Well, Mac is secure when you think of viruses from the mid-90s, as those require the user to download and install a file. That is what hit Windows 95 and XP so hard.”
That is the definition of a Trojan. No operating system is safe from Trojans as long as the system administrator is willing to install them.
What hit Windows 95 so hard was that it had no security features of any kind and all sorts of vulnerabilities. What hit XP so hard was that, though the NT operating system model introduced system security to Windows, XP still ended up with several key vulnerabilities that allowed it to be infected by worms. You didn’t have to do anything at all except have a live, unfirewalled Internet connection (you didn’t even need to open a browser) to get infected.
“But since then malware and trojans have overtaken traditional viruses, and do not always require the same user initiated actions.”
You are much more likely now to need a user initiated action to get infected than before, especially with Windows, which really had to catch up in security to Unix based and Unix like operating systems a lot.
“Apple computers are now 12% of the market, and PCs have a 95% coverage with antivirus software, so Apple looks more attractive as a target.”
Antivirus software is nearly worthless. Windows has improved a lot in security, so now marketshare really is a lot of what makes it attractive. That didn’t used to be the case. Really any operating system that is mainstream enough to attract users who are naive about security is an attractive target because users are the biggest security hole in most modern operating systems. It’s true that campaigns based on the idea that you don’t have to worry about getting malware are not good because they promote being naive about security to a lot of users who don’t know the difference between protected from the Internet and impervious to administrative stupidity (no operating system is).
The new biggest vulnerability vector, besides tricking the user/administrator into installing malware themselves (which is always the biggest) is third party plugin vulnerabilities similar to this one with Java (although as was mentioned, this wasn’t entirely “third party” since Apple didn’t keep up with patches).
Some of your arguments are right, some are not. Some are exactly what I said.
Essentially, Windows Vista and 7 are fairly secure and the way a computer with those operating systems may be impacted would be through user initiated installs of malicious software. This is largely the same as a Mac.
This trojan used third party software to bypass the gateway Mac has against getting these files on the system (prompts and notifications when anything installs) but once it has made it past this gateway (by hiding in Java) there are not really any defensive mechanisms.
Mac systems have always operated with a wall against viruses and trojans. It was extremely hard to get onto a system undetected. However, people have been finding these holes using third party software, and once on the system, there is absolutely nothing intrinsic about Apple software for defense against this. As I said, you can uninstall Java, but if you already have the trojan, you will remain infected. It used Java as a path to get into the Mac OS, it does not install the trojan in Java files. So it is a vulnerability that exists in Mac against files installed by third party software.
A Windows-based PC or one with antivirus would scan for the file and notify you that you have a malicious connection to a command and control server. Your Mac would not.
Windows has more people trying to get in and far more successful viruses and trojans, but they have also added more tools to address these.
Apple has their head buried in the marketing sand of invulnerability, and it is going to come back to bite them in the ass.
Three companies stand out as being the most lax about security, they are Apple, Oracle and Google in that order. Why is that?
This is not the first time that Oracle has lagged way behind on Java updates but if Apple wants to learn a lesson, it could be the last.
http://www.computerworlduk.com/news/security/3352176/apple-oracle-google-lead-major-vendors-with-software-vulnerabilities-in-q1-security-report-says/
This did not solve my problems at all. What do I need to do to get rid of this virus? Every time I need to use Java I get it again.
Ask Apple, but they will likely deny the problem as they’ve demonstrated in the past.
This sounds no good – because I need it for using the bank.
Okay, I would boot a Linux Live CD to do the banking then. It has got to be much safer.