
Wednesday, February 6, 2013

Apple's Java sabotage is bad IT business


Apple's handling of the Java vulnerability provides a textbook example of what not to do in a production environment



In case you weren't paying attention, last week Apple decided to disable all but the most recent Java browser plug-ins on just about every Macintosh everywhere, without telling anyone. The Java vulnerability that led to the decision is very real. It was coupled, though, with the assumption that its customers -- forgive me, its licensees -- lack the judgment necessary to make this decision for themselves.
To be fair, many of Apple's consumer licensees probably lack the expertise needed to make an informed decision. For many, that's why they bought Macs instead of some form of Windows PC in the first place.
But its enterprise licensees? That's a different matter altogether.


Continue Reading: Apple's Java sabotage is bad IT business

Wednesday, January 16, 2013

Why fixing the Java flaw will take so long

"By now you've heard about the latest, very serious problem with Oracle's Java runtime. You may also have heard that it could take a very long time to fix. Here's why: The flaw uncovered by security researchers last week devolves not to one issue, but to a series of issues, one knocking into the other like dominoes. Oracle has fixed one of the dominos with a patch, but there are likely to be other ways to tip over the entire row.
Emergency response
The vulnerability patched by Oracle resides in a version of Java 7 designed to extend Web browsers. The defect made it possible for a malicious Java applet on a Web page to execute arbitrary code on the underlying computer.
While this sort of defect would usually be kept secret until a fix was available, it was disclosed last week because malicious crackers had already found the defect and were exploiting it as part of a dirty-tricks toolkit used by scammers and other thieves, giving Oracle zero days to fix the code. As more researchers evaluated this "zero-day exploit," it became clear it was exceptionally serious.
With terrific speed, Oracle's engineers created a fix for the problem over the weekend and released it Monday. Yet security researchers weren't impressed. Why was that? I asked Oracle to brief me, but I was refused and simply referred to a blog posting on the subject, which offered little explanation.
Instead I turned to the open source community for help. Java 7 is actually based on an open source project called OpenJDK, and Oracle had also released patches for that. I was able to quickly find explanations of both the defect and the fix."




Read the full article at http://www.infoworld.com: Why fixing the Java flaw will take so long

Wednesday, September 26, 2012

Oracle Knew About Currently Exploited Java Vulnerabilities for Months, Researcher Says

Oracle knew since April about the existence of the two unpatched Java 7 vulnerabilities that are currently being exploited in malware attacks, according to Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations. Read more

Oracle's emergency Java patch opens the door to more vulnerabilities: After an exploit in the latest Java 7 framework was discovered, Oracle (ORCL) responded with an emergency patch to fix the problem. Read more

Internet Explorer Zero-Day Flaw Exploited by Same Java Gang: Attackers are exploiting a new security vulnerability in Internet Explorer and security experts are recommending users stop using IE until the flaw is patched. Read more

CRIME update, massive JAVA exploit, Samsung's remote wipe issue, Your questions, and more.

Researcher digs up another zero-day Java bug


Computerworld - A security researcher known for finding Java bugs has uncovered a new critical zero-day vulnerability in all currently-supported versions of the popular Oracle software.
The bug, which was publicly reported on the Full Disclosure security mailing list Tuesday by Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations, can be leveraged to hijack a machine equipped with Java, letting attackers install malware on the system.
Windows PCs and Macs are equally at risk if their users have installed Java, or in the case of OS X, are running 10.6, aka Snow Leopard, or earlier. Snow Leopard was the last edition where Apple bundled Java with the operating system.
All currently-supported versions of Java, including Java 5, Java 6 and Java 7, contain the bug.




Read more: Researcher digs up another zero-day Java bug

Friday, April 6, 2012

Russian Security Experts Analyze Backdoor.Flashback.39

Backdoor.Flashback.39, the piece of malware designed to target computers running Mac OS X, caused a lot of headaches for Mac users, especially because one of the Java vulnerabilities it exploited remained unpatched by Apple.

Security experts have found that even after Apple patched the flaw, the cybercriminals behind the operation didn't seem to be discouraged.

Researchers from Russian security firm Doctor Web analyzed the malicious element and determined that the infection begins when users are redirected to shady sites from compromised domains.

A piece of JavaScript code, placed on websites such as godofwar3.rr.nu, ironmanvideo.rr.nu, killaoftime.rr.nu, or gangstasparadise.rr.nu, loads the Java applet that contains the exploit.

The exploit then saves an executable onto the infected Mac machine. This executable file connects to a remote server from which it downloads and executes the final payload.

Continue Reading

Thursday, November 4, 2010

Mac OS X Boonana Trojan Horse trojan.osx.boonana.a

"SecureMac has discovered a new trojan horse in the wild that affects Mac OS X, including Snow Leopard (OS X 10.6), the latest version of OS X. The trojan horse, trojan.osx.boonana.a, is spreading through social networking sites, including Facebook, disguised as a video. The trojan is currently appearing as a link in messages on social networking sites with the subject "Is this you in this video?"

When a user clicks the infected link, the trojan initially runs as a Java applet, which downloads other files to the computer, including an installer, which launches automatically. When run, the installer modifies system files to bypass the need for passwords, allowing outside access to all files on the system. Additionally, the trojan sets itself to run invisibly in the background at startup, and periodically checks in with command and control servers to report information on the infected system. While running, the trojan horse hijacks user accounts to spread itself further via spam messages. Users have reported the trojan is spreading through e-mail as well as social media sites."

Continue reading the SecureMac Security Bulletin



FYI: Sophos has announced the world's first free business-strength anti-virus program for Macs. The Mac anti-virus product (used by big companies around the world) is available for free download to home consumers.

Thursday, November 1, 2007

Tidbits from around the Internet

Time Magazine online has said that the Invention of the Year is the iPhone. While I don't personally have an iPhone yet, I want one! I have used Windows Mobile, BlackBerry and Palm phones, and they just don't stack up to the iPhone. I have yet to meet a person who owns an iPhone and says they hate it.

Heroes actress Hayden Panettiere recently was in Japan attempting in vain to save some dolphins; children should not click on this link (WARNING: GRAPHIC). If you have a moment, swing by her MySpace page and, well, I learn something new every day, as it looks like she can sing too!

Oh my gosh, there is a new virus for OS X, NOT! There have been a plethora of articles on the Internet today all talking about security problems with OS X and a new virus. Nothing has changed, and OS X 10.5 is still one of the most secure operating systems in the world, no matter how much others might not like it. However, nothing will save you on any OS if you download a program and double-click it. So no, there is no OS X virus, but there is a trojan that can be found if you visit porn sites. Even if that were to change, remember that as of today there are no Macintosh viruses and there is virtually no malware targeting Leopard, and one new Trojan does not change this fact. So if it makes you sleep better to buy anti-virus software (there is a free option too) for your Mac, then by all means do so. But it's not required as in the Windows world. While we are at it, here is a short list of how to avoid a virus on your computer:
1) Don't go to porn sites!
2) Don't go to sites that offer pirated (stolen) software or music!
3) Turn on your computer's firewall software.
4) If you purchased anti-virus software, don't be cheap; pay for your updates. Outdated software is useless.

AppleInsider has written a very informative article covering not only the early origins of Apple's developer tools but also all the new features of the Apple developer tools for Leopard. Some have complained that Leopard does not have the most current Java 6, but really most corporations are still a version behind, so it's much ado about nothing.