
"This is the first really big attack on Macs,"
So... it was a Big Mac Attack?
Apple, Facebook and "hundreds of other companies" have had their Mac computers hacked in a sophisticated campaign mounted by an unknown adversary. Attackers were able to infect Apple, along with other businesses around the world with Mac malware delivered via a Java zero-day vulnerability, Reuters reported on Tuesday, after …
GNU/Linux is developed in the open, so it will look like they have many bugs as one can see them all. Some bugs won't even be a GNU or Linux issue, they'll be integration issues for a particular distro. Also, many of these bugs will be duplicates as various distros have a bug reported to them (a new ticket) which then gets filed with upstream (might be a new ticket, might join an existing one). This is before we get into the severity of said bugs. The projects are co-operative units, not closed and secretive monoliths like Apple and MS.
MS is cagey about what bugs they have and their publicly known list is probably a subset of the true picture.
I would have expected Apple to be the same if not even more anti-open, but as you cite no sources I guess we will just have to take what you say with a very large pinch of salt.
As for anti-virus - all PCs should run anti-virus, if only to protect Windows from itself.
The total of 1800 is only referring to security vulnerabilities - not integration issues or other bugs. Like it or not, Linux distributions tend to have the highest vulnerability totals of any OSs. Even the Linux kernel alone has over 900 known vulnerabilities - about twice the total of the whole of Windows XP!
It dies (or is currently expected to) next year. It's no longer sold. That is so close to "dead" as makes no odds.
Just because idiots still use IE6 does not make it any less dead either.
Comparing XP (developed in secret and near EOL) to the Linux kernel 3.8 (developed in public and still living) is not comparing like with like.
Yeah I poke a sharp stick at the fanbois about this on another page, but in general Macs really are more secure than Windows. Which is what makes this such a complete clusterfuck - it was an obvious hole even Windows fanbois saw it coming.
The bigger problem now is, Apple's a big company and it took them too long to find this. Given that the kernel is built on an OSS *nix core, have the hackers also been able to penetrate other *nix distributions/installs which have so far gone undetected? Given that we know neither what changes Apple made to the core nor enough details of the attack for your typical admin to check for the malware on his systems (beyond: are you running Java, which like it or not most businesses do) it's a bit unsettling. Gut says most of those systems are still secure (greater variety, admins tend to be more security aware, lower desktop distribution), but the brain wants proof and it can't get it.
So press headlines let Apple know big players are getting hit, then Apple says "disable Java" for a cure all fix, then Apple only decides to issue a fix AFTER they too have been affected?
Apparently security and code auditing is a burden for "IT Artists". No matter, it does explain where a large chunk of their cash pile has come from...lax security.
OFF TOPIC: Does Apple have to hire BSD/Linux gurus to fix their system? Or do they have a security team?
Er, no. They disabled older versions of the Java plug-in as there was a known exploit (however the new version of the Java plug-in wasn't yet released to java.com when they updated the blocklist meaning for a while all Java plug-ins were blocked) and they disabled this malware when they had a signature for it.
ISTR that Apple do not let a vanilla Java distribution go straight to Macs. They take the new version, wave a magic cat over it for a few weeks (or whatever it is they do) and then release their approved version, now with more fruit.
I guess someone's spotted that Macs are the target of choice for Java vulns, as they're likely to have their knickers down for rather longer than other platforms, due to this delay while the wizards of Cupertino scry their runes.
Here's an article that describes where to look on your Mac to see if it's got the malware. Apparently the site that was hacked to distribute the malware was a "mobile developers website".
They're suggesting that the idea was to allow them to inject malicious code into the code being developed for mobiles, rather than trying to hack mobiles directly.
http://reviews.cnet.com/8301-13727_7-57570100-263/new-mac-malware-opens-secure-reverse-shell/
Everyone who visited the site with a vulnerable configuration got hacked... whether it was a Facebook or Apple engineer, or someone's granny who was there accidentally looking for mobility aids....
This appears to be the new thing.... we are gradually becoming crap so we make out that dangerous people are out to get us to make us appear sexy again!
All it shows is that Apple and Facebook developers need as much help as everyone else from the internet to do their jobs...
No, all old Java code, possibly new stuff too although hopefully Oracle fixed it. The attack detailed here is specific to the Mac, and the Macs had a particular affinity for it since Apple hadn't updated the code. But the vulnerability itself was in Java. Once you've got the Java exploit worked out, you can engineer other attacks on other systems. Put those attacks at different locations and you get multiple feeders. Then people going 'it's just a Mac attack' or 'it's just a Windows attack' will ignore their own vulnerabilities allowing your malware to spread further. If I were a State sponsor of cyber attacks, it's certainly the route I'd go. Thankfully for the world I'm just a help desk monkey and slightly dyslexic so math and I don't get along as well as I'd like.
Apple (or Microsoft) can't really be blamed for security vulnerabilities in third-party software, Adobe Flash and Java being egregious culprits.
That's why I disable Flash and Java in my primary browser (Chrome) and only have them enabled on my secondary browser (Safari) that I use to visit sites that absolutely require either, and then only under duress (normally I will just ditch a site that requires Flash or Java, or won't work with cookies disabled, as that is not acceptable in the 21st century). I also make sure the bug-ridden Adobe Reader never makes it onto my computers.
The best approach would be for browsers to run all plugins in a virtualized sandbox where they cannot do any harm, but the engineering effort to do something like this would be daunting, essentially duplicating the functionality of VMware, and non-portable to boot.
They don't make it easy though.
Disable Java in Chrome
Click the little iching symbol on the toolbar - well the three horizontal lines that means 'heaven' or settings
Then select settings
Then click the show advanced settings link
Then click the content settings button (hint this is the one that is a heading not a link)
Then scroll down to plug-ins in the popup window
Then click the disable individual plugins link (we are back to links now)
Then find Java and click disable
To quote Douglas Adams .... Have you ever thought of going into advertising?
Well it would be a tad embarrassing if MS had to admit they'd been hacked too. As that would be tantamount* to admitting they do their developing on Macs...
I wonder if MS will now send a nice present to Oracle. Perhaps a new yacht for Larry, with a pirate flag with an apple impaled on the top of the pole.
Mac, Linux etc - anything based on Unix is just utter horsetripe compared to the years of honing Microsoft have done on developing a secure modern kernel. Windows 8 is the pinnacle of that, and those of us who run it are deeply happy and safe in the knowledge that there are no threats out there that can touch us.
Windows 8 employs a sophisticated AEFU layer (Anti-Ellison-F**K-Up - sorry Larry it's under your watch now) which sniffs out JVM holes and blocks them by injecting incredibly elegant java classes which intercept miscreants and route the badness into the ether via JNI. *Only* the geniuses at Microsoft can write code like that.
He means Windows 8 can't run Java. Or, rather, Internet Explorer 10 in Windows Store mode doesn't run browser plug-ins, except for the Adobe Flash plug-in. Zero-days and all.
Java, Flash, and many other protocols that run in a web browser or handle downloaded files and also have access to the desktop system are potential holes in your computer security colander, I mean cordon. No, I was right with colander. But it's also true of documents for Microsoft Orifice. That's why those tools have to be patched as well. And it's true of WebGPUsr whatever that's called. Giving the Internet access to your graphics hardware is awfully unwise.
If these things need to be done, then they should be done for selected highly trusted web sites only. Or for no web sites. You can run Java and Flash as separate desktop applications with useful results.
Linux has security flaws
OS-X has security flaws
Windows has security flaws
Unless an operating system kernel is locked/controlled to such an extent that the user cannot run or perform any task not explicitly defined by the original development then there will still be flaws, and even then I wouldn't guarantee it would be 100% secure from any future attacks.
And that's the point, it's all a balance between security and functionality. Mainframes are more secure because the only tasks allowed have been pre-defined. Personal computers are designed to let users have as much functionality/flexibility as possible.
I've often seen the comment that OSX would get more viruses (virii?) when it was more mainstream. And it still isn't really, although I believe their US laptop sales are pretty high now. But don't they now have a huge number of developers using Macs? I saw a picture taken at a Ruby on Rails conference, and there was a room completely full of Macbooks and only one lonely Dell.
I guess that's still not mainstream enough if you're trying to sell Viagra. But if you're after information, or playing the long-game and want to infect websites/programs rather than individual PCs to push your Viagra, then maybe that makes OSX mainstream now.
Not nice PR for Apple though. I wonder how good their security response will turn out to be?
I'd agree with you, that you see a lot of devs with MBPs, but unless you are developing for iOS (which I admit a fair number will be), you don't necessarily need to run Mac OSx. I've spoken to a fair few who only buy the MBP for the hardware and then run Win or whatever on it.
.. for Apple OSX users.
Nobody would have cared about an attack on Windows machines because that's, well, you eventually grow numb to that and just accept that every Tuesday you lose 20% of your network bandwidth on patches, and every day's bootup is accompanied by anti-virus updates because there are SO many..
It is, however, incorrect to state that it's the fault of MS and Adobe that there are problems - you run what you run because it has function or value. I don't have the Microsoft problem because I don't use it, and when I use Adobe Air it's only for BBC iPlayer, but Java can be an issue. I have disabled it, but some sites I use don't really work without so I have to enable it there.
Oh, and I *do* have anti-virus. I don't buy statements from people who are clueless about how IT security works (i.e. marketing noobs), I like *facts*. So far, 2 years in, I have not seen malware on this box other than in spam messages I didn't delete before the scan was started - and they were Windows threats.
I use OSX because it's more efficient for the way *I* work, and it's a commercial grade desktop that is much easier to secure than Windows - but not because it IS secure. I haven't come across an OS that is - even the Linux boxes I run need to be controlled and kept up to date to stay safe, and even then I kill services I don't use until such time that I need them.
...It is, however, incorrect to state that it's the fault of MS and Adobe that there are problems - you run what you run because it has function or value...
...or, in the case of most corporations, because it's what they've foisted on you, because nobody was ever fired for recommending Microsoft.
Sorry to the folks saying Windows was designed much better -
up until XP Service pack 3 - the AT command by default gave all added scheduled tasks full system privileges regardless of the limitations of the current user.
Eg - "at 14:56 /interactive cmd" would add a scheduled task to execute at 2:56pm that would run a command prompt. Then once the command prompt runs, ctrl+alt+del and kill explorer.exe. Type explorer and hit enter into the dos prompt and voila - you are now running as the system account which gives you full access to every part of the system - with more privileges than even the local administrator.
...as I'm still stuck with late-model PowerPC machines here.
Still, I don't recall even installing Java Runtime at all, and have Java switched off in Firefox most of the time. I spend a total of ten minutes, tops, at a sitting in Facebook (I'm hardly on as it is) with absolutely zero apps, so I should be in pretty good shape.
Also, assuming there are 1800ish vulns in OSX (show me your sources or take a hike), Windows still holds a pretty substantial edge in desktop share, not to mention the fact that, iirc, Windows still comes out of the box with its security set to "hack me, backdoor me, trojan me, zombify me, pwn me".