Java: The OSX and Cross-Platform Nightmare

By Roel Schouwenberg

For a few days now I’ve been asking myself the following question: Which is more important: The fact we had a 500k-strong OSX botnet fly under the radar or the culprit that enabled the malware to infect so many machines? Every time the answer is clear – Java has become an absolute focal point in the cyber threat landscape. It plays a major role in attacks against every major platform, including mobile.

It’s quite clear that Java/Oracle has become the new Adobe. But where Adobe has been (successfully) investing heavily in techniques such as sandboxing, it remains awfully quiet on Oracle’s side. It becomes even more painful when you consider that Java was the first third-party application/(browser) plug-in the bad guys really went after, back in 2005. It was only after successes against Java that the criminals started going after Adobe (and other) products.

Somehow, we’ve let Sun/Oracle get away with doing next to nothing to improve the situation for the better part of a decade. Shame on us, and shame on them.

Going back to the Mac/OSX Flashback malware – I think it’s clear nobody expected quite so many infected machines out there. With few people on OSX running security software, it’s very hard to get an accurate reading of how many threats there are in the wild.
Obviously, the situation is worse than anticipated. We’re talking about an epidemic roughly the equivalent of Conficker here, when you look at the percentage of each user base infected with the specific malware. That’s just amazing.

Many people are still under the impression that you need to give up your root password to get infected with Flashback. I want to reiterate this is no longer the case. Flashback is also installed via drive-by downloads exploiting Java vulnerabilities. Java has irreparably tarnished the image of OSX as free from malware. It’s never been free of malware, but we now have a huge botnet to further damage the myth of a malware-free OSX.

It’s been some time coming. The MacDefender FakeAV and DNSChanger epidemics from last year were a turning point and a sign of things to come. Apple only patched a Java security vulnerability – which was being exploited by Flashback – last week. That’s seven weeks after the other platforms received their respective patches. Unfortunately, this is the norm rather than the exception when it comes to patches for third-party code in OSX.

If anything, I hope Flashback serves as a wake-up call for Cupertino. This gap needs closing. It should be crystal clear to everyone now that OSX is a real target. While no longer including Java from OSX Lion onwards is a good move, it doesn’t solve the bigger problem.

Even if Apple closes the patch gap the cross-platform Java problem remains. Oracle really needs to step up its game. Its security team should have an easy time getting the necessary resources. After all, these days Microsoft and Adobe generally get praised for their approaches to security. So there’s really no excuse for Oracle here.

Until the day comes when Oracle visibly commits to security, the best course of action is to uninstall Java, regardless of what platform you’re on. Hopefully that will encourage Oracle to improve the overall security of its products.
If you do need Java – for instance, if you’re running the Android emulator – then make sure you disable the Java plug-in in your browsers.

It would be great if the Java updater respected the browser plug-in settings. Going through your browsers after each update to disable the newly re-enabled plug-in is something that is easily forgotten.

Roel Schouwenberg is a senior security researcher at Kaspersky Lab.


Discussion

  • Anonymous on

    I find it interesting that you reprimand Oracle in this case when you mentioned the fact that they released an update that fixed this exploit a month and a half ago. Apple has always had their own packaged JRE, whose version they controlled. Oracle had a fix; Apple chose to wait to apply it. I believe that Apple missed the boat here, not Oracle.

  • Rob on

    "That's seven weeks after the other platforms received their respective patches. Unfortunately, this is the norm rather than the exception when it comes to patches for third party code in OSX."

    Baloney, that's not the norm on OS X.

    That's probably the fastest they've put a third party patch in.


  • Anonymous on

    Most users of OSX from my experience are completely unaware that bad things can happen to their systems. They think that it's only Microsoft systems where malware can happen. Whether that's the case of the users themselves, or simply the information not being widely publicized, I don't know. Usually though, it's the user base that needs to get riled up before a company starts to fix things. In this case, it needs to be OSX users.
  • MaRodriguez on

    It seems Java and Oracle are everyone's pet peeve these days, huh? And when will the disinformation campaign end?

    No, it's not a wise idea to disable the Java plug-in, because that'd affect the ability to run JAVA WEB START, possibly one of the neatest features of Java, which allows launching full desktop apps with a click of the mouse.

    Lots of useful software uses it; I can name Mu-Commander, JDiskReport, Petrus Blogger, OpenWonderland, the OmegaT translation tool, and many, many others.

  • Anonymous on

    Apple only supports the last two operating systems in circulation, and is on an annual release cycle now. So much for the legendary Mac security.
  • Geon on

    Automatic cloud scanning for all Apple devices? Would appreciate comments on pros & cons.
  • Anonymous on

    The major issue is that Apple has kept quiet about it when they should be advising their customers on how to remove it or providing an update that fixes it.

  • Khürt Williams on

    Perhaps this is why Apple has chosen to remove legacy technologies like Flash from OS X Lion and future versions of OS X, just as Microsoft has done with Windows 7. Perhaps Java will be removed from Mountain Lion.

    If it's user installed software then the user is the one making the risk/benefit decision. Not Apple.

  • Anonymous on

    Java was removed from Lion and became an optional download.

  • Anonymous on

    Apple is always the same, too blind to believe they are vulnerable, and too arrogant to do anything about it. Pride always comes before a fall. When an apple hits the ground from a large height, it usually disintegrates and dies.

  • Jan on

    I can see it now: "Unbreakable Java" - exactly the same as it was, but now unbreakable. "Unbreakable Java is the strongest Java ever." Sounds like it would have quite a kick.
  • James Lewis on

    How does the situation change with OpenJDK?


  • AntiBullshit on

    Bullshit.

  • OpenJDK on

    This is exactly the reason why Apple donated their extensions to OpenJDK and let Oracle deal with all the releases in the future, so that Java on every operating system gets the same update at the same time.

  • Randy Grein on

    Let's see - this was easy to remediate and Apple appears to have a fix for the future (direct Java install from Oracle). And of course it's the first major, widespread problem, so of course Apple (and Apple users) decided to expend less effort than Microsoft and Windows users on patch/scan/fear of infection. For the haters out there, how exactly does that spell doom for Apple? How is Apple evil for spending less time obsessing about security when, up until recently, it hasn't been a problem?

    It took Microsoft 10 years to get the security concept and bake it in. Apple had some of it from the beginning of OSX, but of course now that FINALLY we have real world exploits they need to step up their game and get updates (and news) out faster. Still, with good, free AV software available (Sophos, ClamAV, others) and others for a modest price there is no need to panic just yet.


  • Diamond187 on

    While the article was written with significant Apple bias, the problem here does not necessarily lie with Oracle, but with Apple.

    - The fix was available for weeks and Apple didn't release it. This is standard practice, often months after critical releases.

    - Mac users by and large do not utilize any AV or anti-malware solutions. Small % of computers on the net, but insanely easy targets.

    - Mac users have been directly advertised to that Macs don't get malware, so many are oblivious to the fact that this has always been a myth.

    The simple fact is that Apple chose to build OSX from a *nix framework and therefore got the combined security of said framework. They really haven't done anything since then as the framework is inherently strong for most applications.

    Microsoft, on the other hand, started with no security mindset in place and learned a hard lesson. Now their code is worlds better than what is coming out of most companies as it is created with a secure development cycle and with security in mind throughout.

    This isn't meant to say one is better than the other at all, but Apple 'lucked into' security with the OS X base and hasn't learned the hard lesson MS did yet. As they get more market share, taunt malware writers with ads saying they aren't capable of malware, and most importantly have a culture that doesn't work with security researchers or admit their system has flaws as well, things will not change.

    Apple has always had a great following of VERY loyal supporters. Until Apple comes out and tells their customers that they need antivirus, most Mac users will brush off any botnets, infestations, or otherwise as 'what happens to other people'. We need Apple to recognize their place in this ecosystem and put the needs of their customers above the needs of their marketing department.

  • Anonymous on

    I work at a research university in SoCal and we have had hundreds of victims of this trojan. However, we have had people take their woes to the Apple Store only to be told they have no problems because Macs don't get viruses! I went to their website and it said it there too! I knew the fanbois put that out there, but I didn't realize Apple themselves were spreading this lie. Even when they weren't being victimized, it wasn't because of anything Apple was doing (other than failing to gain significant market share), but apathy from the hacker community. Apple is a much more successful computing company now, and with success comes the hard knocks of dealing with brilliant criminals.
