April 4, 2012

Apple on Monday released a critical update to its version of Java for Mac OS X that plugs at least a dozen security holes in the program. More importantly, the patch mends a flaw that attackers have recently pounced on to broadly deploy malicious software, both on Windows and Mac systems.

Distribution of 550,000 Flashback-infected Macs. Source: Dr.Web.com

The update, Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7, sews up an extremely serious security vulnerability (CVE-2012-0507) that miscreants recently rolled into automated exploit kits designed to deploy malware to Windows users. But in the past few days, information has surfaced to suggest that the same flaw has been used with great success by the Flashback Trojan to infect large numbers of Mac computers with malware.

The revelations come from Russian security firm Dr.Web, which reports that the Flashback Trojan has successfully infected more than 550,000 Macs, most of which it said were U.S. based systems (hat tip to Adrian Sanabria). Dr.Web’s post is available in its Google translated version here.

Flashback is an increasingly sophisticated malware strain that sniffs network traffic in search of user names and passwords. Early versions of it prompted Mac users to enter their password before it would run, but the most recent strains will happily infect vulnerable Mac systems without requiring a password, writes Ars Technica, among others. F-Secure has additional useful information on this Trojan attack here.

As Ars notes, although Apple stopped bundling Java by default in OS X 10.7 (Lion), it offers instructions for downloading and installing the Oracle-developed software framework when users access webpages that use it. If you need Java on your Mac only for a specific application (such as OpenOffice), you can unplug it from the browser by disabling its plugin. In Safari, this can be done by clicking Preferences, and then the Security tab (uncheck “Enable Java”). In Google Chrome, open Preferences, and then type “Java” in the search box. Scroll down to the Plug-ins section, and click the link that says “Disable individual plug-ins.” If you have Java installed, you should see a “disable” link underneath its listing. In Mozilla Firefox for Mac, click Tools, Add-ons, and disable the Java plugin(s).

I can’t stress this point strongly enough: If you don’t need Java, remove it from your system, whether you are a Mac or Windows user. If you need further convincing of my reasons for this recommendation, I’d encourage you to browse through some of my past Java-related posts.

Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple’s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun. The current custodian of Java – Oracle Corp. – first issued an update to plug this flaw and others back on Feb. 17. I suppose Apple’s performance on this front has improved, but its lackadaisical (and often plain puzzling) response to patching dangerous security holes perpetuates the harmful myth that Mac users don’t need to be concerned about malware attacks.
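As an added defender's check (example code, not from the post, Apple or Oracle): a small Python script that classifies the text printed by `java -version` as absent, vulnerable or patched. The update numbers it treats as patched (6u31 and 7u3) are assumptions, not stated in the post, and should be confirmed against the vendor advisory before use.

```python
"""Added example (not from the post): classify a Java runtime as absent,
vulnerable or patched from the text that `java -version` prints.

ASSUMPTION, labelled because the post gives no build numbers: the Feb. 2012
Oracle update that addressed CVE-2012-0507 is taken to be Java SE 6 Update 31
and 7 Update 3, so PATCHED_UPDATE is a placeholder table; check it against the
vendor advisory before relying on it.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Minimum update number per release family, (major, minor) -> update.
# ASSUMED values; confirm against the advisory for the build you deploy.
PATCHED_UPDATE: Dict[Tuple[int, int], int] = {(1, 6): 31, (1, 7): 3}

# `java -version` prints e.g.  java version "1.6.0_29"  on its first line.
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, micro, update) or None if no version line is found.

    None covers a missing launcher as well as java_home's 'Unable to find any
    JVMs matching version' message, which the post's comments use to confirm
    that Java is gone.
    """
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def assess(output: str, table: Dict[Tuple[int, int], int] = PATCHED_UPDATE) -> str:
    """Classify output as 'absent', 'vulnerable', 'patched' or 'unknown'.

    Comparison is done within a release family: 1.7.0_02 is not "newer" than
    1.6.0_31 for this purpose, since each family received its own fix.
    """
    version = parse_java_version(output)
    if version is None:
        return "absent"
    family, update = version[:2], version[3]
    if family not in table:
        return "unknown"  # a family the table says nothing about
    return "patched" if update >= table[family] else "vulnerable"


def installed_java_output() -> str:
    """Run the local java launcher, if any, and return stdout plus stderr.

    `java -version` writes to stderr, so both streams are captured.
    """
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stdout + proc.stderr


# Constructed sample outputs (not captured from a real machine).
SAMPLE_OLD = ('java version "1.6.0_29"\n'
              'Java(TM) SE Runtime Environment (build 1.6.0_29-b11)\n')
SAMPLE_NEW = 'java version "1.6.0_31"\n'
SAMPLE_GONE = 'Unable to find any JVMs matching version "1.6".\n'

if __name__ == "__main__":
    for label, text in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("gone", SAMPLE_GONE)):
        print(f"{label:5} -> {assess(text)}")
    print("this host ->", assess(installed_java_output()))
```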


58 thoughts on “Urgent Fix for Zero-Day Mac Java Flaw”

  1. Jill

    In Safari, should we also remove the checkmark from “Enable JavaScript”?
    Please advise.

    Thanks for your help and for staying on top of these issues.

    1. BrianKrebs Post author

      Sorry. I should have anticipated this. Java and Javascript are two different things. Javascript you will need if you want to be able to use half of the Internet. I would not advise disabling Javascript across the board this way, as you will find it hard to browse the Web.

    2. sulfide

      Yes definitely disable javascript too, it would make the internets a better place if this was common practice. noscript ftw!

      1. E.M.H.

        Sarcastic comments do not help. Ones that disable fully half if not more of a user’s experience really cloud the issue.

        1. AlphaCentauri

          Noscript is a free browser add-on that allows you to selectively allow scripts on a per-domain basis, either temporarily or permanently. Instead of blocking all javascript, which is impractical, you can allow it only on sites you trust, and you can make permissions permanent or session-only. It also blocks Java unless you allow it for a particular domain, so it protects you on computers where you do need Java.

          1. cvstan

            NoScript is a great idea that is nearly impossible to use. Some web pages have 50-100 scripts running. Are you really going to examine each one and guess what is dangerous and what isn’t? It’s just not possible.

            1. JCitizen

              That’s silly! All you have to do is approve the scripts you like, and ignore the rest! Once set for favorite web-sites, you never had to reset anything, unless you change your mind. 75% of the time, I never open any scripts, I simply let NoScript block them all.

              Most web pages are useful enough with absolutely no scripts allowed; or you can use Avast and hope the auto script blocker works. I’ve never had a problem with it, and I get full functionality from web sites, as long as the element or object on the page is not questionable. The few scripts that are malicious, usually become benign after a page refresh. The crooks usually don’t load their venom with every page download – it helps them hide from the web-master/administrator.

  2. d

    As you wrote: “As Ars notes, although Apple stopped bundling Java by default in OS X 10.7 (Lion)…” Hence, I didn’t bother to install it and made sure I did a “clean install” to rid myself of the Snow’s Java version as well. You have always said to remove it if we don’t need it. I always thought that was good advice.

  3. err

    Re: Dr.Web’s post is available in its Google translated version

    Actually they have their newsfeed in English too (see the language selector on the upper right corner).

    Original English version of that post: http://news.drweb.com/?i=2341&c=5&lng=en

  4. Adrian Sanabria

    Unfortunately, most people that use Macs for business must connect to SSL VPNs to access work resources, which almost always require use of a Java applet for access to some components. I’m in this boat…

  5. Josh

    I’ve said for years that the only reason Macs didn’t have more malware is because the market share wasn’t yet large enough yet for criminals to bother. I had my die-hard Mac-loving friends want to debate endlessly with me whenever I made that comment. They went on and on about how the OS is inherently more secure than Windows, etc etc. Maybe it is, maybe it isn’t, but that’s not the point.

    The point is that it’s not about which OS is more secure. Anything that’s been programmed by humans can be broken by humans. Some systems are harder to crack than others, but they will be broken. And if there’s money to be made in it then they’ll be broken even faster.

    Don’t take this as a trolling comment or an anti-Mac statement. I think Macs are great, and I have no interest in arguing about which of the many OSes out there is better (in reality they all have their pluses and minuses). I’ve personally never seen the need to spend $2,000+ for features I can get for free with Linux, but I understand most people aren’t power users and Mac does have its appeal for them. I currently use Linux a lot and I like how I don’t have to worry about malware on it right now, but mark my words: If Ubuntu or any other Linux distro starts seeing a significant market share with desktop users then you’ll start seeing malware for it.

    1. Adrian Sanabria

      The bottom line with security on any Operating System is that they are only as secure as the software running on them. The operating system could make security better by giving less control to 3rd party software, but that hurts progress in the long run.

      1. Mark

        How about security habits of users. What % of users do you think are totally clueless when it comes to security of their computer, 80 – 90%.

        1. TJ

          Yes, and what percentage of OS and computer manufactures do a good job educating their customers about the inherent security threats that exist while using their systems?

          1. uzzi

            True! … and how many percent of the “550,000 Flashback-infected Macs” will Apple inform and disinfect?

            1. Josh

              Every one that asks.

              The good thing about Apple is there is a dedicated group of people who are willing to help fix problems like these.

          2. E.M.H.

            As somebody who works in the IT field, I can say that they all do, but they’re rather irrelevant as far as the end user is concerned. Once end users buy their systems, the people they’re in the closest contact with are their ISPs (if they’re using their systems at home) or their local IT support personnel (if at work). The manufacturers of both the hardware and the OS don’t get thought of until there’s a warranty issue or upgrade involved.

            This isn’t to say that the hardware and OS manufacturers have zero impact. Rather, it’s to say that due to the way computers are used/deployed and how users operate, it’s not really worth it to worry about which manufacturer is the best at it. As long as they’re close, the really profound difference is made by the local support, whether it’s their work based IT department, or their ISP or local support companies/consultants at home (if they’re dealing with a non-warranty issue that manufacturers/resellers won’t touch). Or in short, it’s the local support that counts. And worrying about *THAT* is far more productive than obsessing over which manufacturer is better at the security process.

      2. Nic

        Yes and no. In the case of OpenBSD for example, the operating system is able to prevent many holes in third-party software from being exploitable. So while a 3rd-party software package may be exploitable on Linux, chances are good that it won’t be on OpenBSD. When compiled from the same exact source code!

        Here’s a bulleted list of technologies used in OpenBSD. Look up equivalents (if they exist) for your system and investigate how to implement them. Where they exist for Windows or Linux, they’re usually not on by default.

        http://www.openbsd.org/security.html

    2. XP84

      Josh, you were safely in the non-trolling territory until you started spouting the “$2,000+ for features I can get for free with Linux” nonsense.

      Mac OS X costs $30. Not $2000. Linux doesn’t give you a free computer. It requires hardware to run. Such as the $600 Mac Mini or the ~$500 sort-of-almost-equivalent Dell or HP. Trying to pretend there’s some multi-thousand-dollar barrier to entry to Mac-land is willful, trollful lying.

      Does Apple have a bargain-basement laptop like Dell and HP do? No, so if you must have the cheapest thing possible, Apple’s not an option for you. For anyone else, a Mac is a perfectly sensible choice.

      It’s not the Bugatti of computers—ostentatious and lacking any obvious real-life benefits in daily driving. It’s WAY more like the Honda of computers. When there is a price difference of a few percent, it’s generally due to the fact that PCs are usually spec’d with bigger hard drives and more RAM standard (the two easiest things for enthusiasts to upgrade anyway) but slower CPUs and skimping on a lot of things (no multitouch trackpad, poorer quality screen/keyboard/mouse/power adapter). Can you beat a Honda in price by buying, say, a Mitsubishi? Sure. Will you have a better car at the same price? Doubtful.

      1. george

        @XP84,

        While some of the things you wrote make sense, it is plain wrong to state that Mac OS X costs $30. If that was the case, Apple would have no issue in selling it to people who do not own Apple hardware. They are selling Lion only through Mac App Store and Apple shut down some businesses intending to sell Mac Clones.

        1. Not George

          Um george – it does cost $30… it is just that Apple chooses to only sell to Apple computer owners so that they don’t have to program for every single variant in hardware that one can buy. This also makes the OS less of a bloated wreck.

          1. JCitizen

            Yeah – it costs $30 until Apple decides to drop support; which happens too early for many folks! Then they are forced to scrabble for older software on Ebay for many many dollars more!

            I never suggest to anyone that using Tor for older Mac OS versions or updates is a good idea.

  6. michael johnston

    Thanks for the interesting post, Mr Krebs.
    I’ve unchecked Enable JAVA.
    Following that I went into my MAC OSX Library and found JAVA, but cannot find information about uninstalling.
    How do I check if JAVA is actually installed and running, please, and what is the process from there for uninstalling.
    Cheers,
    Michael

    1. uzzi

      “Apple Computer supplies their own version of Java. […] If you have problems with downloading, installing or using Java on Mac, please contact Apple Computer Technical Support.” Source: ORACLE/faq/java_mac.xml :´-(

      Maybe Google can help – search for:
      “un/deinstall java mac os”

    2. uzzi

      1. Check for Java installation: sudo /usr/libexec/java_home -xml (an output with two JVM dictionaries confirms that Java is installed)
      2. Run uninstaller: sudo /usr/libexec/java_home --uninstall
      3. Remove JVM installation location: sudo rm -rf /System/Library/Java
      4. Run command from step 1 again (an output starting with “Unable to find any JVMs matching version” confirms that Java is no longer installed)

      Source:
      http://superuser.com/questions/315854/removing-java-from-os-x-lion/372152#372152

      1. buzz

        That sudo advice will not help many Mac users, who operate their computers as user accounts and not administrator accounts.

        The Terminal will simply return that the user is not in the sudoers file and that “this incident will be reported.”

        Log into the Mac with an administrator account to run sudo commands in the Terminal. With the Mac OS “fast user switching”, it is not necessary to logout of the user account in order to login as an administrator.

      2. bob

        There’s a reason that site’s called superuser.com and it’s not just about permissions. Check instruction 3 very carefully for typos.

    3. d

      Michael

      As Brian noted, since the release of Lion, Apple no longer installs Java on its computers. Since you didn’t say whether you are using Lion or Snow Leopard, I can’t be sure, but if you go up to the Apple icon on the left-hand side of the Menu, try clicking on “Software Update.” If it doesn’t pull it down for you, you don’t have Java on your system.

      Please note: I don’t have Java installed on my system. I bought this computer with Snow Leopard installed, upgraded to Lion, and then did a clean install to rid myself of the unneeded parts of Snow Leopard. While I can safely say I don’t have Java on my system, I do see a Java folder in the system Library, but it’s only 48 bytes. I don’t believe that is the whole program.

      Furthermore, I don’t believe you can’t safely uninstall Java if you are operating with Snow.

  7. D B Carroll

    Please note that, if you previously disabled Java in all your browsers, if you then update to a new Java version, that new version will install itself and (possibly) enable itself in your browsers. In the Windows world this happens silently for Internet Explorer and Seamonkey while Firefox prompts for one of the two plug-ins when restarted. (The other seemed to be turned on automatically in Firefox last time I updated… ?)

    I suspect something similar happens in Mac — can anybody confirm?

    Anyway, after the Java update one may need to re-disable its browser plugin(s).

  8. WPH

    Hello, I de-installed Java using Uzzi’s suggestion. Easy. Thanks. But now my Photoshop won’t startup. Would I need to re-install it, Java, or is there something straightforward I’m missing?

    Thanks for your help.

    1. JCitizen

      That’s what I told my brother; I suspected he would have to keep Java for Photo Shop Elements, but I wasn’t sure. At least he’s on notice there is a flaw and needs to update.

  9. Christian

    Is there already some information about the botnet master addresses or the network behavior of the trojan?
    We don’t use Apple ourselves, but many freelancers have macbooks and I can’t check on them.

  10. Guy Pace

    Thanks for the usual excellent analysis, Brian.

    The whole identify, report, patch, release cycle for keeping Windows systems functional over the last ten-twelve years still nets us an estimated 350,000,000 compromised systems and the number isn’t getting any smaller.

    I agree that Apple’s attitude isn’t optimal, but what we ultimately depend on in this whole process is the end user. Users must comply in a timely manner for the process to be effective.

    Unfortunately, to get users to comply, we must be able to communicate the need for prompt participation. We compete with overwhelming sources of misinformation and marketing hype and users, in confusion and frustration, end up just going down the path of least resistance.

    Somehow, we need to construct a reliable, uncompromised method of communication to end users that cannot be diluted by marketing and other sources.

    As for Java, this has turned into a love-hate thing. Companies are migrating old systems to new platforms and are using Java. To work remotely, we must have Java installed. To keep secure, we must remove Java. This is just not a good situation.

    I’m thinking the Java vendor may need to be held more accountable for the pervasive platform stability and security?

    Wish we had a silver bullet.

    1. E.M.H.

      Guy Pace is right. Regardless of whether a given manufacturer’s attitude is lackadaisical or not, the end user of the given computer holds the final responsibility for its security. Whether they like it or not, it unfortunately falls to them as the ones who, in the end, operate their systems for their own use. Because of that, it’s up to them to reach out to the appropriate professionals (either their workplace’s support structure, or whoever they can lean on – Geek Squad, cable internet/DSL/FIOS tech support, etc.) to get the info they need to operate securely.

      This is not to say that computer manufacturers or OS developers have no role. On the contrary, they do have a role in providing a good base level, plus the tools to improve from there. At the same time, there’s as much need to get the user security conscious as there is for the manufacturing/developing end to close the holes. This current Java vulnerability is not a good thing, not by any means, but at the same time I wouldn’t expect an average user to know they should suspect Java of all things, to be the one thing on their computer they should be concerned about. It’s so blasted common, after all, that users will simply take it for granted and not think about it. But regardless, the point is that for every technical or code vulnerability that’s identified and being put to use in the wild, there’s probably a dozen user practices that are every bit as exploitable. Think simple usernames and guessable passwords being used across both insecure (IMDB, for example) and secure (i.e. their bank, their credit cards, etc.) sites around the ‘net. Or a failure to patch (or worse yet, a belief that a security update can “screw up their computer”, therefore they’ll hold off on applying it). Or, if we want to get more technical, leaving unnecessary services running, opening up a home firewall’s router to too much… things like that.

      I’m the first to admit that an average user can not fix a Java code vulnerability by themselves. Nor should they be expected to. So there is indeed a very important role for developers and the like to be security conscious. But my ultimate point is that the end users themselves also have to take up some of the burden as the cost of operating their equipment. They can’t develop the Java patch, for instance, but if they’re not using it, they can disable/uninstall Java. If they are using it, they can make blasted well sure they are patched. They can run behind router firewalls and the like that make incoming compromise attempts difficult to succeed. And so on.

      Mere ownership gives the end user responsibility for security. No, it’s not fair to them, but it doesn’t change the fact it’s their responsibility. We in the IT field can help with recommendations, best practices, good code development, security conscious infrastructures for them to connect to, and so on, but in the end, they have to run securely themselves. You can build the safest road possible with few ditches, huge run-offs, wide and smooth lanes with little to upset a car, but if the end user doesn’t do his/her part and drives recklessly, it’s unavoidable that it’s their fault for wrecking.

      1. uzzi

        Sry, but in terms of consumer protection and product liability you may be wrong (and I’m happy at least some vendors started to take this seriously. Although Microsoft and others still have to learn that they’re also responsible for their pirated software and insufficient usability).

        @Guy Pace:
        I doubt your “estimated 350,000,000 compromised systems”. Seems someone just added suspicious dynamic IPs of all time? (If we do not care about multiple infections and cleaned up machines by simply adding up estimated no. of bots that are just about 60+ millions…?
        http://en.wikipedia.org/wiki/Botnet#Historical_list_of_botnets)

  11. Brian

    My recent update to Firefox 11.0 (on XP) disabled Java (1.6.26) – the reason was stated to be security/stability related. I need Java for LibreOffice.

    As Firefox can disable Java it raised the question in my mind – if the generality of internet users do not require Java (NB. I am excluding java script from the question) can Mozilla permanently disable it leaving those who require Java in Firefox to install it themselves?
    I am assuming that those who require Java within Firefox are doing specialised work and, almost by definition, they will have the skill to do the install themselves.

    Brian

    1. Dustin

      I’m actually pretty sure you don’t need java for libreoffice. It tries to install it, but mostly works fine without it. (As I recall, something there still needs it, but it’s not something I use, so I’ve forgotten what it is.)

      1. Brian

        Dustin

        Base, the LibreOffice database, requires it and I use it regularly

        Brian

  12. Brian McNett

    I was able to confirm both the source of the bot-net size figure and their method for counting bot-net members. One should note that 550-600K is not a range of values, but two distinct samples taken several days apart, and arose through a twitter exchange between Mikko Hypponen of F-Secure, and Ivan Sorokin of Dr. Web.

    https://twitter.com/#!/mikko/status/187846653326278656

  13. Alex Horan

    The security industry has known for years Apple’s claims to attack immunity is a fairy tale. The fact that Mac sales have been increasing while those of PC manufactures have only been steady tells me this is the beginning of attacks against Mac devices. I’ve written a blog post with my take on Apple’s new pro-anti-virus stance – and why defensive tactics like AV won’t work – here: http://blog.coresecurity.com/2012/04/05/apple-is-not-immune-to-hacks/

  14. Eric Christenson

    We can niggle on the details (and thanks for that, Brian) or whine about responsibility. However, as a computer programmer, I can’t (and I don’t think security expert Mr Krebs can either) be completely or even reasonably sure my computers aren’t doing something they should not. This is in spite of having the latest patches, some of which DO break things, running up-to-date antivirus, and keeping backups.

    All of this, like the photoelectric effect and the ultraviolet catastrophe of physics in 1900, points to the existence of a fundamental problem requiring fundamental changes.

    Minix is moving in the right direction with its non-privileged drivers. Android is moving in the right direction with applications that aren’t allowed access to the file system and its sandboxing.

    What is needed is for me, as a user, to be able to conveniently, reliably, and absolutely control the code I run, giving each bit of it no more trust than required to do the job I think it is supposed to be doing, and the ability to prove it did what it said it did whenever possible.

    Without that fundamental step, we will remain in the virus/worm/trojan quagmire permanently. (“And furthermore, it is my opinion that Carthage must be destroyed”)

  15. John

    [Windows] In IE9, I just did “Disable Java Plug-in” in the “Manage Add-ons” area.

  16. PlanetaryGear

    Can I just say how much I love that Java has finally reached its “write once, deploy everywhere” marketing speak in the form of cross platform viruses?

  17. Reader

    For those of us who think of our computers as appliances, what does Java actually do, and what will I NOT be able to do if I remove or disable it? (I have Mac and Windows machines.) Are there other programs that will do what Java does with fewer problems?

    1. David

      Java is a programming language. You need to have the Java Runtime installed if you want to run programs written in Java.

      There’s information about which common applications use Java in this article:
      http://www.zdnet.com/blog/bott/how-big-a-security-risk-is-java-can-you-really-quit-using-it/4749?tag=mantle_skin;content

      If you don’t run anything there, you can probably uninstall Java without any adverse effect apart from occasionally encountering a website that won’t work.

  18. rufwork

    Pretty sure Apple’s tried to give the baby back to Oracle qua Sun. If you check Apple’s java-dev mailing list, I’m pretty sure you’ll find that Apple’s essentially killing in-house support as soon as Oracle can take the baby back, partly because of the second-rate experience Apple Java users had been getting at times, but also because of the company’s move away from Java in general (OS X server used to have a good deal of Java config apps, and WebObjects (now dead), iirc, was also Java, as examples).

    That would help explain “its lackadaisical (and often plain puzzling) response”: Apple’s essentially doing Oracle a favor. Why shouldn’t Oracle provide a VM like it does on Windows, without officially involving Apple? That’s where we’re headed.

Comments are closed.