Tuesday, April 24, 2012

Flashback Malware and Java : FYI Notes

I just posted an FYI set of notes over at MacDaily news to help sort out some misinformation regarding what has been occurring thanks to the Russian malware rats who write the Flashback series of malware. It may be helpful here as well.

The worst previous Mac malware infection was due to Trojan.OSX.iServices.A-C. It was a Trojan horse that was infiltrated into Warez versions of a few different Mac apps available at Torrent websites. The result was a botnet estimated to contain 10,000 Macs. That was in early 2009.

The worst estimate for the Flashback botnet (created by an estimated 19 different versions of the Flashback malware) was about 600,000 Macs. That is larger than the iServices botnet by a factor of 60.
All of the Mac malware previous to the recent few Java versions of Flashback, have been Trojan horses with infections preventable by basic safe user practices. The people who infected themselves are generally considered either to be Mac newbies or to be ‘LUSERS’ who would figure out a way to become infected if not for their account administrators.
The recent versions of Flashback have been unique in the history of Mac OS X malware because they were drive-by infections from websites that required no user interaction. The cause of this problem was two-fold:
1) Oracle don’t give a rat’s about Java and have allowed it to become the #1 source of third party security vulnerabilities for Mac users. Oracle don’t care.
2) Apple’s experiment with having Oracle provide timely updates of Java for Mac OS X has FAILed. Oracle don’t care.
My personal recommendations:
A) Don’t install Java onto Mac OS X 10.7. Most people never need it.
B) If you do install Java onto 10.7, or you run a previous version of Mac OS X, TURN JAVA OFF. This can be done in the Java Preferences app in your Utilities folder. Only turn it on again for critical uses, then turn it OFF when you’re done.
IOW: Java now sucks. Avoid Java as much as possible. 
Java is now even more dangerous than JavaScript, aka LiveScript, aka ECMAScript, aka JScript (by Microsoft), aka ActionScript (by Adobe). It is now even more dangerous than the real Adobe Flash Player plugins.
Hopefully this Java catastrophe has woken Apple up to being preemptive about Java security holes and their danger to Mac Java users. Oracle don’t care.
Ideally, Oracle will at long last allow Java to become an open source project. However, I don't see that happening in the near term as Oracle will be reaping some major bucks off Google for having ripped off Java technology for their Android OS. Oh well.

No comments:

Post a Comment