
Wednesday, 4 April 2012

CRITICAL Java Updates: Mac OS X 10.6 Update 7 and 10.7 Update 2012-002 (formerly 001)

--
[Updated 2012-04-06:
For users of Mac OS X 10.7, Java update 2012-002 has been released today to correct an error in the .DMG installation file for 2012-001. The 2012-001 installer has been withdrawn. I interpret this to mean that the flaw in 001 was critical. Therefore, please install Java for OS X 2012-002 IMMEDIATELY! It has been reported that over 600,000 (not a typo) Macs are now infected with the Flashback Trojan horse / botnet malware! This is unprecedented in Mac history. This Java update kills off a Drive-By method of Mac infection by the Flashback malware.]

If you haven't already installed the latest Java update for Mac OS X 10.6 Snow Leopard and 10.7 Lion, INSTALL IT NOW. No excuses. The best method of installation in this case is via Software Update, available under the Apple menu. There is currently a problem with the direct download version for 10.7 whereby it FAILs the fsck check the OS runs during DMG file verification. See details below.

This particular update is CRITICAL because there is an active exploit against the older version of Java that results in Drive-By infection of Mac machines without requiring the user to provide a password. This is unheard of on Macs. It is specifically a Java problem, NOT a Mac OS X problem. Don't blame Apple. Blame the lazy crapcoders at ORACLE.

Windows users have had this particular Java update for MONTHS. Supposedly Apple and Oracle have an arrangement whereby Oracle are now writing Mac updates for Java. But that arrangement is FAILing.

Earlier today I posted reviews of this update at both VersionTracker/CNET and MacUpdate. I have provided a somewhat redundant summary below, with details about how to turn OFF Java, which I highly recommend, as well as some rant action.

8 8 8 8 8 8 8 8 8 8 8 8

Good: This CRUCIAL Java update patches an active exploit against Macs. Better a late update than never. Java is occasionally useful.

Bad: Java is now one of the most INSECURE Internet technologies. If you don't use Java, TURN IT OFF! Oracle and Apple are NOT providing Mac Java updates in a timely manner. This Java update for Mac provides an update that Windows users have had for months. For over a week, there has been an active malware exploit against Mac users with the unpatched version of Java.

It is terrific that Apple jumped on this exploit so quickly. However, Apple users MUST be provided with Java patches at the same time as Windows users. Delaying Java patches for Mac users is NOT acceptable.

I have verified that the direct download file of the 10.7 version of Java for OS X 2012-001 FAILs the Mac OS X fsck check during file verification. This is evident in the Console. This is BAD. If you used this downloaded installer, IMMEDIATELY update to the Java for OS X 2012-002 installer!

The BEST way to install this update is from Software Update. You will find it under your Mac's Apple menu. This installation works perfectly.
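Once Software Update has run, it is worth confirming from a Terminal that the Java runtime actually changed. The script below is an added example written for this post, not Apple's or Oracle's code: it parses `java -version` output and compares versions numerically, because the update number after the underscore (e.g. `_9` versus `_31`) sorts wrongly as a plain string. The value of REQUIRED_JAVA_VERSION is an assumed placeholder; take the real figure from Apple's release notes for the update you installed.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the installed
# Apple Java on Mac OS X is at least the build delivered by a given update.
# REQUIRED_JAVA_VERSION is an ASSUMED placeholder, not a value from the page;
# take the real figure from Apple's release notes for the update installed.
REQUIRED_JAVA_VERSION="1.6.0_31"

# Pull the version string out of `java -version` output, e.g.
#   java version "1.6.0_29"   ->   1.6.0_29
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Compare two versions of the form major.minor.patch_update and print
# "older", "same" or "newer" for $1 relative to $2. The update number after
# "_" must be compared numerically: 1.6.0_9 is OLDER than 1.6.0_31 even
# though "9" sorts after "3" as a string.
compare_java_version() {
    a=$(printf '%s' "$1" | tr '._' '  ')
    b=$(printf '%s' "$2" | tr '._' '  ')
    set -- $a
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}; a4=${4:-0}
    set -- $b
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}; b4=${4:-0}
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3" "$a4 $b4"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then echo older; return 0; fi
        if [ "$1" -gt "$2" ]; then echo newer; return 0; fi
    done
    echo same
}

# Exit status 0 when the Java described by the given `java -version` output
# is at or above REQUIRED_JAVA_VERSION, 1 otherwise (including "no Java").
java_is_patched() {
    installed=$(parse_java_version "$1")
    [ -n "$installed" ] || return 1
    [ "$(compare_java_version "$installed" "$REQUIRED_JAVA_VERSION")" != older ]
}

# Live check on the machine itself; `java -version` writes to stderr.
if [ "${1:-}" = "--live" ]; then
    if java_is_patched "$(java -version 2>&1)"; then
        echo "Java $(parse_java_version "$(java -version 2>&1)") is patched"
    else
        echo "Java is OLDER than $REQUIRED_JAVA_VERSION: run Software Update now"
    fi
fi
```

Run it as `sh check_java.sh --live` on the Mac; without `--live` it only defines the functions.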



Now For My Rant:


Java has become a BANE of the Internet. I have turned it OFF. I am sick of the recent Java exploits against Mac users. I don't deal with it. I suggest you turn Java OFF as well, unless you use it regularly.

HOW TO TURN OFF JAVA: 

If you use multiple web browsers (I use six) then the best and simplest way to turn Java OFF is via the Java Preferences app found in your Mac's Utilities folder. Follow these steps:

1) Open the Java Preferences app.


2) Under the 'General' tab, check OFF "Enable applet plug-in and Web Start applications". (Mac OS X 10.6 users: Instead uncheck the plugins for Java SE 6 in the box inside the window).

3) Quit the Java Preferences app.

4) VERIFY IT'S OFF: Open the Java Preferences app, again. Verify that the "Enable..." checkbox remains OFF. If you find it on again, check the damned thing OFF again. Quit Java Preferences. Verify AGAIN as required.

I add this VERIFY step because I personally have seen this checkbox turn on again. If you want to be extra-special certain the box doesn't turn on again, you can go down to the box under the 'General' tab and turn OFF both 64 and 32-bit "Java SE 6", then turn off "Enable". That definitely does the trick.

My #2 Rant: 


SHAME ON ORACLE. That company has RUINED OpenOffice. The LibreOffice branch is now off and running and far superior, leaving the source OpenOffice project irrelevant. Oracle has been just as obtuse with Java, which is now a DETRIMENT to the Internet.

Maybe Java will be made open source, at long last. That would help. Perhaps great developers like those on the LibreOffice team will grab it and make Java seriously great. Until then, BEWARE OF JAVA. I fully expect more Java exploit malware to come. (o_0) 



Now I go all sentimental: 

Remember when Java was supposed to be 100% secure, never able to access your computer directly, entirely safe in its sandboxed little Just-In-Time runtime machine? Remember 'write once, run anywhere'? Remember 'secure memory management'? Fun times in Fantasy Land. 
:-P

Wednesday, 10 November 2010

Smartphone Bank App Security Problems

--
The benefit of Apple having a closed App Store is their scrutiny of all applications submitted. This has helped maintain a superior security record for the iPhone versus any Android phone. However, a big hole in Apple's vetting system has become evident whereby all smartphone users have been put in danger by poorly designed and coded banking applications. Thank you to the SANS Institute for bringing this issue to my attention in SANS NewsBites Vol. 12 Num. 89:
--Security Flaws in Smartphone Banking Apps (November 5, 2010)
Researchers have found that several banking applications for Android and iPhone contain security flaws that store account information in plaintext. Attackers could potentially steal sensitive data by luring users to maliciously crafted websites designed to find the information. Of the seven applications inspected in the study, just one, from the Vanguard Group, did not store information in plaintext. The institutions were notified of the problems and reportedly have taken steps to fix the flaws.

http://www.wired.com/threatlevel/2010/11/bank-apps-for-phones/
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=228200291
[Editor's Note (Pescatore): The Android phone world seems to be trying to compete with the iPhone by saying "Droid does anything - no restrictive App Store." The reality is that the Apple iPhone could actually compete by making the bar a bit higher for iPhone apps, to make sure that the apps don't do silly things like storing account info or passwords in the clear on the phone. I think users are very comfortable with "only" having 20 Tetris games to choose from if they know that none of the 20 are going to send their information to identity thieves.]
Dear Apple,

Please vet submitted Apps more thoroughly for security flaws. Much appreciated!

Dear Google,

'Anything goes' does not trump application security.
--

Thursday, 12 August 2010

Update: Secunia Half Year Report 2010 & QuickTime Hell

--
In a previous article, entitled "Desperate Propaganda..." I had a rant-fest regarding a PC World FUD-fest regarding Apple security. The author, Preston Gralla, managed to spew out this line of deceit:

:-Q****** "The security company Secunia reports that Apple products have more vulnerabilities than those of any other company."

This was clearly taken as a hit at all Apple products. What was missing was any reference to the context of the source Secunia report, which you can read HERE. I knew better, having been an avid Secunia reader since 2005. In fact, the only Apple products noted in the report were QuickTime and iTunes on Microsoft Windows. Secunia didn't cover any other Apple products.

When I read through the entire Secunia Report I found nothing of relevance to Mac OS X except the fact that the Apple apps discussed are prone to the same problems on Mac OS X as well as Windows.

QuickTime Hell

In previous articles I've covered the major problems with QuickTime, the biggest culprit of Apple security holes. It is used in iTunes, thus making iTunes just as vulnerable. In summary, QuickTime stumbles over malicious ECMAScript (aka 'JavaScript') and coding errors that allow malicious buffer overflows.

Supposedly Apple has been overhauling QuickTime. The first peek at it has been QuickTime Player X. But as far as any user can tell, the QuickTime X project is stalled at version 1.0.0. What we have on Snow Leopard is entirely inadequate, incomplete and buggy. Serious QuickTime users are required to also install QuickTime version 7, the current version of which is 7.6.6.

Hopefully Apple will get back to work on revising QuickTime now that iOS 4 has been completed and released.
--

Thursday, 15 July 2010

Firefox Add-On Security Alert! Mozilla Sniffer, CoolPreviews, Master Filer

--
Graham Cluley at Sophos.com has provided a great article at his blog about BAD Add-Ons for Firefox. The most recent is nasty spyware, another is infected with a spyware Trojan horse, and the last has a potentially dangerous security hole that could lead to PWNing your machine:

Mozilla pulls password-sniffing Firefox add-on

All of these Firefox Add-Ons have been blocked from distribution by Mozilla. But if you happen to have them laying around or have installed them: Kill them.

Mozilla Sniffer: It has been available since June 6, 2010. It spies on Internet passwords you enter in Firefox and sends them to nefarious fiends.

Master Filer: The infected version has been available since earlier in 2010. It is infected with the LdPinch Trojan horse, which also steals your Internet passwords and sends them to nefarious fiends.

CoolPreviews: Versions 1.0 through 3.0.1 have a demonstrated security vulnerability that could allow running malicious code on your computer. (Sounds like a typical buffer overflow problem). Proof-of-concept code has been created that demonstrates how to perform the hack. Therefore, it is critical to update to the latest version of CoolPreviews.

There have been other BAD Add-Ons as well, all of which Mozilla have blocked from distribution.

As a side note:

This same sort of problem has been plaguing the Android community whereby anyone can post anything as an application, including crapware and malware. As with Mozilla, Google have no formal system for approving or filtering bad software apart from reports from users. Therefore, it is likely that a number of people are going to be victims of BAD software before it is removed from distribution.

To be honest, this lack of formal software scrutiny system is what we are all used to in the general computer community. The best workarounds have been the use of websites like MacUpdate, VersionTracker, TuCows, MajorGeeks, etc., where either the site managers or other users have tried and rated the software.

For better or worse, Apple now use a formal scrutiny system at their App Store for the iPhone, iPod Touch and iPad. If you download a CrapApp onto your iOS device, you can point fingers at Apple for messing up. Microsoft have had a copycat scrutiny system for their Zune thing app store and plan the same thing for their Windows Phone 7ista OS thingies. Meanwhile, for all other devices, it is that mean old adage: Caveat emptor, IOW Downloader Beware.
--

Thursday, 21 May 2009

Java is DANGER! Apple is SLOW POKE!

--
One of my favorite jabs at the anti-Mac security FUD mongers is to point out that their FUD attack party, ongoing since it was started by Symantec way back in August 2005, has happily prodded Apple to get serious about Mac OS X security updates. I then extend them a hearty handshake and gleefully, maniacally, laugh.

However, Mac security mavens point out that Apple is still a slow poke. Damned right! There are a couple short articles over at Intego about an ongoing security hole in the current implementation of Java in Mac OS X:
-> Apple Hasn't Updated Java to Protect Mac Users from Critical Vulnerabilities
-> Intego Security Memo: Java Vulnerability

To defenders of the faith, such as myself, this is annoying. First off, we get to be poked by the FUD mongers with the 'see, I told you' routine. Second off, I am so sick of the corrosion that has happened to the great and shiny image in the sky of Java being this ultra-safe, can't break into your computer, can't hurt you, technology. Yeah, and Sun is now no more. Justice is served. But we're stuck with the mess as a web standard.
*rolling eyes*
--
