# Java Security Update for Mac OS X



## Eeyore (Jul 16, 2009)

Apple released a security update this afternoon to patch several holes that are found in Java. The update is to prevent a drive-by malware from automatically installing on Mac computers. More information can be found here:

http://www.msnbc.msn.com/id/46933224/ns/technology_and_science-security/#.T3tozI5qOqQ

http://krebsonsecurity.com/2012/03/new-java-attack-rolled-into-exploit-packs/

If you are still using Snow Leopard (as I am), I would strongly recommend you apply this patch. For those on OS X Lion, Java is not normally installed but a quick check on your Apple update will verify if the patch is needed. iPad users need not worry since this new malware does not affect the iOS operating system.

For the technically challenged, to update, click on the Apple logo on the far upper left of your screen. Scroll down to "Software Update" and your computer will begin its scan. The scan results will say something like Security Update for Java 7--Mac OSX 10.6.7 if you have Java installed on your computer. If nothing shows up, then Java is not on your computer.

Note: This current variant of the malware of Flashback.K will first ask you to install, and if you decline or attempt to exit, will automatically install by a second route (through the holes in Java) without any prompting on your part. The malware is termed "Flashback" because it will pop up with a message that you need to install an update to Adobe Flash. This is part of the Blackhole Rat (Remote Access Trojans) malware upgrade I had discussed back in June on this forum.

All the Best.


----------



## Chad Winters (Oct 28, 2008)

I'm a little worried about my wife's MacBook. She's not as careful as I am about not clicking on those types of popups. What is the best way to check if it's been installed?


----------



## Eeyore (Jul 16, 2009)

Chad Winters said:


> I'm a little worried about my wife's MacBook. She's not as careful as I am about not clicking on those types of popups. What is the best way to check if it's been installed?


Chad, scroll down to the section that says additional details...

http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml

I have had Sophos Anti-virus for Mac installed on my MacBook Pro since last June. A colleague has used it on her MacBook Pro since it first came out. She specializes in software encryption/decryption analysis with the Feds. I haven't detected anything on my Mac with Sophos yet but it has detected some PC malware from emails that friends have sent me. So far, I haven't had any run problems. It just quietly works in the background and uses hardly any resources. Best of all, it's free and updates every day with new malware signatures. As usual, I do not work for Sophos nor do I have any affiliation with them. It's just something I loaded on to my computer. Sophos does have the Flashback.K variant on their signature files in their software.

All the Best.


----------



## vistawriter (Dec 14, 2011)

Thanks for the update on this. Wondered why I had the software update icon showing in the dock and just assumed it was something less important. Once I saw this, I went straight to the software update and took care of it.


----------



## Eeyore (Jul 16, 2009)

Update: There has been a second Java Security Update that was released by Apple last night. This update is only for OS X Lion. Snow Leopard does not have a second update. The Russian anti-virus company Dr. Web has reported that over 600,000 Macs worldwide have been infected with the Flashback malware, with over 300,000 in the United States. This has now been confirmed by the security firm Kaspersky. (BTW, various estimates on the number of Macs still in use worldwide are between 100 million and 115 million. This includes the old Macs still running OS X Tiger and Leopard.)

Up until now, trying to determine if your Mac has been infected has been fairly complicated, requiring the user to get into the Terminal command and type (or cut and paste) sets of instructions. The Russian company Dr. Web has been monitoring the malware's command and control websites (IPs) for the past week and now has a pretty good idea which individual's Mac is sending information to the rogue site.

http://www.usatoday.com/tech/products/story/2012-04-06/pegoraro-secure-mac-flashback-trojan/54087366/1

Five paragraphs down in the USAToday story is Dr. Web's link to cut and paste your Mac computer's Hardware UUID number (Universally Unique Identifier). There are easy instructions on how to do this in the link. If the Flashback malware has affected your computer, it will have contacted the command and control website and have broadcast to it your individual UUID number. I have just tried it and my MacBook Pro is clean. Do not bother to sign up for their anti-virus.

Disabling your Java (not JavaScript, which is a totally different program that is needed) within your browser is also a good idea and the USAToday article has easy instructions on how to do this for Safari, Firefox, and Chrome.

With the current Apple Java Security Updates, the number of new malware infections has dropped off considerably, and hopefully Apple will have a malware removal Security update released soon.

This will be my last post on this thread.


----------



## skyblue (Dec 23, 2009)

Eeyore said:


> Update: There has been a second Java Security Update that was released by Apple last night. This update is only for OS X Lion. Snow Leopard does not have a second update. The Russian anti-virus company Dr. Web has reported that over 600,000 Macs worldwide have been infected with the Flashback malware, with over 300,000 in the United States. This has now been confirmed by the security firm Kaspersky. (BTW, various estimates on the number of Macs still in use worldwide are between 100 million and 115 million. This includes the old Macs still running OS X Tiger and Leopard.)
> 
> Up until now, trying to determine if your Mac has been infected has been fairly complicated, requiring the user to get into the Terminal command and type (or cut and paste) sets of instructions. The Russian company Dr. Web has been monitoring the malware's command and control websites (IPs) for the past week and now has a pretty good idea which individual's Mac is sending information to the rogue site.
> 
> ...


Thank you, Eeyore!


----------



## chilady1 (Jun 9, 2009)

Eeyore said:


> I have had Sophos Anti-virus for Mac installed on my MacBook Pro since last June. A colleague has used it on her MacBook Pro since it first came out. She specializes in software encryption/decryption analysis with the Feds. I haven't detected anything on my Mac with Sophos yet but it has detected some PC malware from emails that friends have sent me. So far, I haven't had any run problems. It just quietly works in the background and uses hardly any resources. Best of all, it's free and updates every day with new malware signatures. As usual, I do not work for Sophos nor do I have any affiliation with them. It's just something I loaded on to my computer. Sophos does have the Flashback.K variant on their signature files in their software.


THANK YOU SO MUCH! I think I might have been under a false impression that Macs are not "affected" by malware and other viruses. Having just switched to a MacBook, I am clearly not as familiar with the anti-virus software protection as I was with PCs, so this posting was extremely timely. I checked out Sophos and I like the protection it offers. I can't thank you enough for this valuable information. Downloading as we speak.


----------



## Eeyore (Jul 16, 2009)

This morning (5-15-2012) Apple released a security update to include users of OSX Leopard (the older precursor to OSX Snow Leopard and Lion). If you are a Snow Leopard or Lion user, you won't see this update.

http://www.informationweek.com/news/security/app-security/240000397

It has the same Flashback malware detection and removal system that current OSX users have and will also disable Java if it is not being used.

In further news, OSX 10.8 Mountain Lion is slated for release this summer, possibly in mid-July. Developer Preview 3 was sent out two weeks ago for further testing. On May 16th, the Pre-release version of Mountain Lion was available for download to current Developers.

All the Best.


----------



## Carrien (Jan 30, 2011)

Hello, I just read up on Sophos and it seems great but when I tried to download it says Safari can't open....any suggestions...I fear the freezing on my iPad may be malware related.
Thanks so much


----------



## Eeyore (Jul 16, 2009)

Carrien said:


> Hello, I just read up on Sophos and it seems great but when I tried to download it says Safari can't open....any suggestions...I fear the freezing on my iPad may be malware related.
> Thanks so much


Carrien-- Sophos Antivirus is designed for the OSX which runs Apple's Mac computers. The iPad uses iOS, so Sophos Antivirus won't be able to run on it. If you did not jailbreak your iPad, you may have some other problem that is not related to malware. I saw you tried the suggestion that Betsy posted in another thread to reset your iPad. The iPad 1 has a limited amount of onboard RAM memory, and with the new iOS updates (5.1.1), very little is available for running some of the more complicated apps. The iPad 2 and 3 have much more RAM memory and aren't seeing some of the problems our older machines are running into. I have also run into freezes with my iPad 1 on my Accuweather app and France24 news app. I never had that problem in the past. The iPad 1 has 256 MB of RAM available. The iPad 2 has 512 MB of RAM and a much faster dual core processor. The iPad 3 has a quad core processor and I don't know how much RAM is available.

You might want to take your iPad to an Apple store or Apple authorized repair center and have them check your iPad out for you. There is always a possibility something isn't running 100% on your iPad 1.

All the Best!


----------



## Carrien (Jan 30, 2011)

Thanks Eeyore! Now that makes sense.....I'll look for an Apple store near us and maybe have this one checked up to see what is going on, stinks cause we use it so much
It's nearly cause for a new one! LOL
Have a great day and thank you again
Carrie


----------



## yogini2 (Oct 27, 2008)

I can't access my bodybugg account to download my calorie burn because I don't have the latest Java whatever, but my computer says I don't have any updates. I downloaded the Java stuff in April. So, what do you think? I have Mac version 10.5.8. Any thoughts?


----------



## Eeyore (Jul 16, 2009)

Yogini2-- I assume you mean Mac Version 10.6.8 which is the most recent.


The last Apple security update automatically disables Java by default on the Macs. You have to go back into your computer to re-enable it. For Firefox it's left click Firefox tab->preferences->general->manage add-ons. Just scroll down to Java Plugin 2 and click to re-enable it.

For Safari it's left click Safari tab->Preference->Security tab->then check the box next to "enable Java".

I don't know what it is for Chrome since I don't use it.

All the Best!


----------



## yogini2 (Oct 27, 2008)

I have 10.5.8.  Never upgraded to the next level, whatever they are calling it, but it worked!!  I enabled Java and now have my bodybugg stats back.  Thank you, eeyore!!


----------



## Mike D. aka jmiked (Oct 28, 2008)

Eeyore said:


> Yogini2-- I assume you mean Mac Version 10.6.8 which is the most recent.


I'm using 10.7.4. I think that's the most recent.

Mike


----------



## Eeyore (Jul 16, 2009)

jmiked said:


> I'm using 10.7.4. I think that's the most recent.
> 
> Mike


You are right Mike. I am still using Snow Leopard, lol. I keep forgetting about OSX Leopard and Lion.

All the Best.


----------



## mistyd107 (May 22, 2009)

Stupid ? but what is Java used for?


----------



## Eeyore (Jul 16, 2009)

Sorry Mistyd107, but I was on vacation for a few days camping. No internet, LOL!

If someone is proficient in Java programming, they can jump in and correct me here.  

Java is an older programming language that is used to run web based sites. It is a self inclusive fully contained program, meaning it can run by itself using applets (small applications) and can run independent of whatever browsing operating system that is trying to view it. So a person using Apple's OSX can see the website the exact same way as a Windows Operating system user or Linux user. The programmer first writes the Java program, then uses a different computer program to turn it into machine language, or what is called text code. The computer's website then runs the text code which allows us, the user, to see whatever it is, such as Yogini's bodybugg website.

The downside of Java is an outside programmer can make use of flaws built within Java to design bad applets (small applications) to run inside of the larger program. That is what the newer versions of the malware Flashback were designed to do. You visit the seemingly harmless website, the applet runs, and then downloads its payload to your computer, without the visitor having to do anything. This is what's called drive-by infections, which are/were common to Windows but never seen before by Apple users. Even "trusted" websites, such as your favorite blogger that you visit every week, can be infected if the original Java program was poorly written by the owner or contracting programmer.

Most websites now use JavaScript, which is a distant cousin to the original Java. It is much easier to write a program for because it is text based, and uses existing HTML commands. And yes, JavaScript is also vulnerable to hacking. There are known problems such as buffer overflows, cross site request forgeries, and cross site scripting hacks. Fixes to web browsers are implemented all the time to patch these potential problems. So far, this affects Windows users but we will be seeing more such problems for OSX in the future.

All the best.


----------



## mistyd107 (May 22, 2009)

Eeyore said:


> Sorry Mistyd107, but I was on vacation for a few days camping. No internet, LOL!
> 
> If someone is proficient in Java programming, they can jump in and correct me here.
> 
> ...


No problem, everyone is entitled to a vacation. Hope it was a nice one. Thanks for the explanation. I do appreciate it!!!!!


----------



## Eeyore (Jul 16, 2009)

New Update: 6-13-2012

Apple has released a new security update concerning Java late last night (6-12-2012) for OSX Snow Leopard and OSX Lion. This patch closes 14 security flaws that Oracle (the company that puts out Java) found and sent out to Windows users yesterday. Apple has now passed on the updates to OSX Users. *Note: This update is not for iPad users.*

To update, click on the Apple logo in the top left of your computer screen and scroll down to "Software Update". Your computer will then perform the necessary patch. This patch will automatically disable Java again.

If you need to re-enable Java for certain types of programs that you run, you can do so in your browser.

For Firefox version 12 it's left click Firefox tab->preferences->general->manage add-ons. Just scroll down to Java Plugin 2 and click to re-enable it. For Firefox version 13 scroll down to the lego block marked "Java Applet Plug-in 13.8.0" and right click on it to re-enable.

For Safari it's left click Safari tab->Preference->Security tab->then check the box next to "enable Java".

All the Best.


----------



## Eeyore (Jul 16, 2009)

Updated: 8-01-2012

Intego and Sophos have reported a new piece of Apple malware that has appeared in the website used by security companies to share malware samples for analysis. The malware has been named OSX/Crisis/Morcut.A and is currently being analyzed. It is a drive-by type malware, meaning it installs itself without requiring permission from the computer owner. Installation is via activation through Adobe Flash Player. It works only in OSX 10.6 and 10.7 [Snow Leopard and Lion], and does not yet work in the new Mountain Lion release.

When executed, it drops kernel driver components (rootkit) to hide itself from virus scans and sets up from 14 to 17 files that are randomly named. A backdoor to the computer is opened and calls an IP address every 5 minutes for further instructions. The malware coding has command-and-control components, data stealing coding (such as key logging and screen captures) and more. Traces to the IP address reveal it is owned by Linode LLP, which is a virtual hosting company located in New Jersey.

It is still too early to tell how prevalent this malware is in the wild (the normal on-line computer community). The malware threat is currently considered low risk by the security companies until more information and analysis is done.

I will update this thread if information changes.


----------
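The Crisis/Morcut post above describes a backdoor that contacts one IP address every 5 minutes; a fixed check-in interval like that is something a defender can look for in outbound connection records. The following Python sketch is an added example, not part of the original thread or any vendor's tool: the log format, the addresses (documentation ranges) and the thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: "<ISO time> <destination IP>" outbound connections from one Mac.
# Addresses are RFC 5737 documentation ranges, not real indicators.
SAMPLE_LOG = """\
2012-08-01T09:00:02 203.0.113.50
2012-08-01T09:01:40 198.51.100.7
2012-08-01T09:05:01 203.0.113.50
2012-08-01T09:10:03 203.0.113.50
2012-08-01T09:12:15 198.51.100.7
2012-08-01T09:15:00 203.0.113.50
2012-08-01T09:20:02 203.0.113.50
2012-08-01T09:20:30 198.51.100.7
2012-08-01T09:58:11 198.51.100.7
"""

def parse(log_text):
    """Return {destination: sorted list of connection times}."""
    by_dest = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        try:
            by_dest[parts[1]].append(datetime.fromisoformat(parts[0]))
        except ValueError:
            continue  # skip unparsable timestamps
    return {d: sorted(t) for d, t in by_dest.items()}

def find_beacons(log_text, min_events=4, max_jitter=0.1):
    """Return {destination: mean gap in seconds} for near-constant contact intervals."""
    # Jitter is the population standard deviation of the gaps divided by their mean.
    flagged = {}
    for dest, times in parse(log_text).items():
        if len(times) < min_events:
            continue  # too few samples to call anything periodic
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged[dest] = round(mean)
    return flagged

if __name__ == "__main__":
    for dest, period in find_beacons(SAMPLE_LOG).items():
        print(f"{dest}: contacted about every {period} s")
```

Ordinary browsing (the second address in the sample) produces irregular gaps and is not flagged; legitimate software that polls on a timer will be, so a hit is a lead to investigate rather than a verdict.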

