You'd think that given all the virus-free trash talk in Apple ads lately that it won't be long before someone writes a really good OSX or java virus. Which could turn into a bit of a PR problem...

What the...??! How can you write a really good OSX or Java virus?

There's no such thing as a really good virus - surely the damn point of a virus is to be really bad!!!

:cool:
 
You'd think that given all the virus-free trash talk in Apple ads lately that it won't be long before someone writes a really good OSX or java virus. Which could turn into a bit of a PR problem...

Whoever they are have had nearly 9 YEARS to do it. And nothing.

Proof-of-concepts every year since 2001, and still nothing. Lots of contests and pwn-to-own geek barbecues and cookouts. "OS X vulnerable" and other sensational headlines clogging the interwebs the next day. And nothing.

All we have ever had are a couple of trojans that don't really do any damage. And these have existed from the very beginning.

So where's the beef??? Where's all the doom and gloom? Are we supposed to wait until 2012 so it can hit the fan with all the other alleged catastrophes? :D

it won't be long before someone writes a really good OSX or java virus.

How long is "it won't be long" . . . because we heard that 4 years ago, and something like that 2 years or so before that. We're waiting. Any time now. LOL.
 
Using Java Preferences in /Applications/Utilities to set "Run applets" to "In their own process" (rather than "Within the browser process") seems to keep the proof-of-concept from working.

I have no idea if such a switch is a good idea, or if it is better to simply disable Java within the browser.

Just reporting, so that the experts can comment.

Here's what the Java Console shows, by the way:

Java Plug-in 1.6.0_11
Using JRE version 1.6.0_13 Java HotSpot(TM) 64-Bit Server VM
User home directory = /Users/Louis
----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to <n>
----------------------------------------------------
java.lang.RuntimeException: Bootstrap failure
at HelloWorldApplet.init(HelloWorldApplet.java:33)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Plugin2Manager.java:1494)
at java.lang.Thread.run(Thread.java:637)
Caused by: java.lang.NullPointerException
at HelloWorldApplet.init(HelloWorldApplet.java:29)
... 2 more
Exception: java.lang.RuntimeException: Bootstrap failure
 
For all the good that Apple does, they still can't touch Microsoft's reliability when it comes to fixing vulnerabilities in a timely fashion. Sure there have been times that MS failed to deliver a patch for a very long time, but that seems to be in the past now. We know every month we are getting updates in one form or another for Windows, and yet we just hope that we get an update from Apple in some random timeframe that only they know about. They've been working on 10.5.7 for a few months before they released it and didn't bother fixing Java? What is that? Windows is a security nightmare for many, but at least MS makes an attempt to patch as quick as possible. I know I can disable Java and will probably not miss it, but that's not the point here.

Well Windows may have viruses, but they fix vulnerabilities far better, and quicker, than Apple does.

And Apple is full of vulnerabilities that are never addressed, although few people seem to take advantage of these vulnerabilities, except perhaps at the hacker competitions, where OS X is always the first one broken (out of Windows and Linux). :eek: It only takes them a few seconds, too.
 
For all the good that Apple does, they still can't touch Microsoft's reliability when it comes to fixing vulnerabilities in a timely fashion. Sure there have been times that MS failed to deliver a patch for a very long time, but that seems to be in the past now.

That's not surprising. Microsoft has had a lot more practice with fixing vulnerabilities. You tend to get really good at things that you have to do on a daily basis. :D
 
Well, this is how I see it.......

It's obviously been an "issue" since, what, last September?

Has there been ANY reports of a Mac being infected with a virus due to this specific issue? If there has, that sucks and Apple should fix it. But if not, Apple probably doesn't see it as a threat if no one has been affected by it, and will probably release a fix for it in Snow-Leopard. But now, this dude just let EVERYONE know the vulnerability on a massive scale, so now Apple doesn't have a choice but to fix it now before people start writing viruses specifically because of it.
 
One of the main problems is that Apple insists on creating its own JVM, Sun isn't allowed to create Java for the mac, so you have to wait around for Apple to update it and it is always horribly behind schedule compared to Sun.

Everybody has fixed this problem long ago, except for Apple, they really don't take security seriously enough, no matter what the fanboys say.
 
At least the guy waited--he didn't release the proof-of-concept seeking fame or attention, he wants the bug fixed!

I keep Java disabled, but you really shouldn't have to.

Has there been ANY reports of a Mac being infected with a virus due to this specific issue? If there has, that sucks and Apple should fix it.

Bold added to show where I disagree: a flaw should be fixed BEFORE it's exploited, not after. (And viruses/malware aren't the only way to do harm--a single hacker targeting one specific victim can also make use of flaws like this.)
 
Well, this is how I see it.......

It's obviously been an "issue" since, what, last September?

Has there been ANY reports of a Mac being infected with a virus due to this specific issue? If there has, that sucks and Apple should fix it. But if not, Apple probably doesn't see it as a threat if no one has been affected by it, and will probably release a fix for it in Snow-Leopard. But now, this dude just let EVERYONE know the vulnerability on a massive scale, so now Apple doesn't have a choice but to fix it now before people start writing viruses specifically because of it.

Don't know about you, but if Apple is aware of vulnerabilities and they aren't patching them because they aren't exploited... I don't know if I feel that safe on OSX anymore, 'cause one day that is going to bite them in the ass. Oh, and by extension, us too I guess. :eek:
 
Are we supposed to be impressed that clueless Microsoft is fixing and patching vulnerabilities so quickly . . . . when upwards of 150,000 pieces of viruses and malware and lord knows what else are active and in existence for Windows, and ONLY Windows, because of their own negligence??

Are we supposed to be impressed that MS is scrambling left and right, all of a sudden making security a top priority, when they have neglected it for so many years??? Microsoft is responsible for an absolutely galactic amount of data loss, corruption, and infection over the years. In 2001, already the Internet Age, when being online was a daily reality, they released Windows XP with five open ports. Way to go.

MS is being run by retards, and when there is a change of guard, such as Gates leaving and Ballmer taking the helm, the company is simply being run by a new group of retards. I have no idea how or why that happens. It boggles the mind. Finally . . . after all these years, MS gives a damn about security. Really friggin' impressive that they finally woke up and did something about their mistakes!!

When will they compensate us for all the lost data? For the time and energy spent having to put up with the effects of their negligent practices?? Never. Just wait until you can shell out for the NEXT VERSION of Windows, which promises to fix everything. Then rinse and repeat this line every year. Seems to work like a charm.
 
Well...try to bring that to some programmers

Hopefully this'll get patched soon, now that it's being widely acknowledged. But it did serve as a good reminder for me to turn off Java.

I think it's more important that Mac users learn to stop running as an admin by default! There's no good reason for doing that, since OS X makes it brainless (and transparent) to invoke an admin username/password when necessary. If you're not running as an admin, the worst an exploit like this could do is hose stuff in your own account. That's still very bad; but it's less likely to allow installation of something like a keylogger, trojan or spyware without your knowledge. Besides, you all have current backups don't you? :p

QFT

But OTOH I have to say that this also is a real problem for developers. I tried a Mac OS based veterinary accounting app and found it useless. Though I directly contacted the programmers, they were not able to rewrite the app as to that it still relies on stuff written into the system-wide Library folder. It just wouldn't run in user mode, but only in admin mode.

Nevertheless the same applies to the windows counterpart software so basically I'm screwed. Just running BootCamp (as the Windows counterparts are much more convenient) and have the webs locked out (sic!). There is no other way to be secure :mad:

When will developers learn to create user-based libraries for their apps? I mean, it can't be that hard, can it?
 
You have no idea how Vista even remotely operates do you?

Also (I'm sure Apple do the same) if you read the Windows license agreement they cover themselves in the event of pretty much everything. Heck they're actually not required to release a single security update.

As for the original topic, this does just go to show how blasé Apple is with security. Just because there is a low-risk issue shouldn't mean they take so much time with it.

Taking this attitude with security cost Microsoft badly. It will EVENTUALLY cost Apple badly if they continue down this path...
 
After 8 years of waiting, it's gonna happen any day now, right? :rolleyes:

It actually already has!
I got one about ~3 weeks back and it has been d8mn near impossible to remove because of the lack of good viral software.

I ended up doing the old Windoze style... clean sweep and selective restoration of data.

If things really pick up for viruses on the mac it's gonna suck big time!
 
Well, this is how I see it.......

It's obviously been an "issue" since, what, last September?

Has there been ANY reports of a Mac being infected with a virus due to this specific issue? If there has, that sucks and Apple should fix it. But if not, Apple probably doesn't see it as a threat if no one has been affected by it, and will probably release a fix for it in Snow-Leopard. But now, this dude just let EVERYONE know the vulnerability on a massive scale, so now Apple doesn't have a choice but to fix it now before people start writing viruses specifically because of it.

Sorry if that may sound rude, but you have been living under a rock, eh?

Check this out!

I know it's a trojan in pirated software, but the botnet is active, as there are hundreds of people not in the know. Just because the group is not as big as on the Windows side doesn't mean they don't do any harm.

We are on to rough times, and if Apple doesn't fix this stuff in a timely manner, I'm very shocked.
 
How long is "it won't be long" . . . because we heard that 4 years ago, and something like that 2 years or so before that. We're waiting. Any time now. LOL.

There actually are "great" viruses for the mac... the problem is in spreading them.

Most of these are spread via "shady content" and unfortunately for virus writers most mac users are not the slim shady type...
Eventually that'll change as the college population has approached 50% mac penetration...
 
when upwards of 150,000 pieces of viruses and malware and lord knows what else are active and in existence for Windows, and ONLY Windows, because of their own negligence??

I agree that OS/X is harder target for Malware than Windows, because OS/X is a better OS.

But I am of the opinion that malware is so prevalent not because Windows is an easier target, but because it's a much-much bigger target (still).

If I'm a l33t h4x0r out to harm folks, and have to choose between OS's to target then I'll choose the most used one.
 
Are we supposed to be impressed that clueless Microsoft is fixing and patching vulnerabilities so quickly . . . . when upwards of 150,000 pieces of viruses and malware and lord knows what else are active and in existence for Windows, and ONLY Windows, because of their own negligence??

Are we supposed to be impressed that MS is scrambling left and right, all of a sudden making security a top priority, when they have neglected it for so many years??? Microsoft is responsible for an absolutely galactic amount of data loss, corruption, and infection over the years. In 2001, already the Internet Age, when being online was a daily reality, they released Windows XP with five open ports. Way to go.

MS is being run by retards, and when there is a change of guard, such as Gates leaving and Ballmer taking the helm, the company is simply being run by a new group of retards. Finally . . . after all these years, MS gives a damn about security. Really friggin' impressive that they finally woke up and did something about their mistakes!!

When will they compensate us for all the lost data? For the time and energy spent having to put up with the effects of their negligent practices?? Never. Just wait until you can shell out for the NEXT VERSION of Windows, which promises to fix everything. Then rinse and repeat this line every year. Seems to work like a charm.

Wow, just wow. It seems like you have a lot of pent up hate towards MS. I like my Mac and all, but I wouldn't go as far as to say all that stuff about Windows. I've been using Windows since '95 and it's gotten a lot better over the years. XP was great and Vista's not too bad either. I've yet to experience any crashes or serious problems on Vista that wasn't my fault (overclocking and all).

I, for one, am impressed that MS makes the effort to address vulnerabilities and such in a timely fashion. It's not really fair to blame it solely on their negligence. Windows is a popular OS and as such, it makes a great target for malware and virus authors. To say that they're run by retards is pretty naive and stuck up in my opinion but to each his own. I own and love both. :)
 
There actually are "great" viruses for the mac...
Name one.

Most of these are spread via "shady content"...
Then they aren't viruses, which spread on their own. You're probably thinking of trojans.

But I am of the opinion that malware is so prevalent not because Windows is an easier target, but because it's a much-much bigger target (still).

If I'm a l33t h4x0r out to harm folks, and have to choose between OS's to target then I'll choose the most used one.
Ah, the ol' "security through obscurity" myth rears its ugly head again. If they only target the most used one, why were there viruses for Mac OS prior to OS X, when there was less users?
 
I just checked s/w update and got a Java software update for OS X :D


I knew Apple wouldn't let us down.

:apple::apple::apple::apple::apple:

Haters can kiss my a....pple :p
 