Apple comments on hacker attack

Apple on Tuesday admitted to being the victim of a hacker attack by the same people that went after Facebook last week. Apple said it is taking steps to help its customers, including releasing an updated Java malware removal tool.

“Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers,” Apple said in a statement the company provided to The Loop. “The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware.

“Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days. To protect Mac users that have installed Java, today we are releasing an updated Java malware removal tool that will check Mac systems and remove this malware if found,” the company said.

  • J.A.V.A. = Just Another Vulnerability Announced.

    • Darren

      Wow… Another child left behind…

      • JohnDoey

        If you’re defending Java as a plugin — don’t.

        What few Java applets are still left on the Web are easily and safely replaced with an app from App Store or Mac App Store.

        WebEx and similar use Java on Mac and Windows, but they are apps on iPad and iPhone. Netflix uses Silverlight on the Mac and Windows, but is an app on iPad and iPhone. Tens of thousands of Flash presentations are available in App Store. The Mac and Windows both have system-wide remote application installers today. The vast majority of the Web runs without plug-ins via HTML5 when you view it on iPad, but that view of the Web is still hidden from the Mac and Windows for no good reason.

        Browser plug-ins are an insecure context. There is no saving them.

        • Wrong. To give just one example (that directly affects me): the only electronic way to fill out a tax return in Portugal is using the Java applet on the site of the Portuguese IRS. Quite a few “build your own” car configurators of major car manufacturers in Europe use a Java applet. There’s no doubt that Java applets, like Flash, are definitely on the way out, but there are still many cases where they are unavoidable. There is not always an alternative.

          • However, you can always go to and install it.

    • rush

      JAVA, Just Another Vector for Attack

  • Timmy

    Java and Flash… when will it end?

    • kynos65

      My guess is when performance and security aren’t the liabilities they have become.

      • JohnDoey

        Performance and security cannot be bolted onto the insecure browser plug-in architecture, same as there were modern features that could not be bolted onto Mac OS 9. Browser plug-ins are obsolete — they have already been replaced with HTML5 or App Store, Mac App Store, and Windows Store. All that is left is to kill support for them on notebooks and desktops.

        • kynos65

          I couldn’t agree more. I should have made it clear I didn’t expect those issues to change. 🙂

    • JohnDoey

      September 2013, when the next version of Mac OS X ships with zero support for browser plug-ins.

      Websites with browser plug-ins have had years to either move their plug-in to HTML5 (e.g. YouTube, Vimeo,) or move it to App Store (e.g. WebEx, Netflix.) That is why they all work on iPad.

      • Adams Immersive

        That will be a great day–but not this year. Many web sites and companies with a web presence have nowhere near the budget to make interactive content (more than video and slideshows) without Flash. Only the “big guys” can afford that… and even then, an interactive HTML5 animation, game, tutorial, product demo, whatever, will not reach a large number of people. It WILL reach iPads, but will NOT reach many traditional computer users. So they’re spending more than they would on Flash development, to reach fewer people. This will make the transition slow–for the “little guys” who make up much of the web. Right now, the only ideal way to deliver complex interactivity is to make a Flash version plus an HTML5 version, working around the limitations of each so that both versions feel complete. Compared to just making a Flash piece, the cost of that is multiplied many times over. This will improve and there is hope: HTML5 browser adoption will rise, and HTML5 rapid-development toolsets will improve. But it’s a slow process.

        • Steven Fisher

          Absolutely Apple will do this arbitrarily and at a time everyone believes is far too soon. And yet, the next day the sun will probably still rise.

          By the end of the week, there will be workarounds. And within a year, we’ll mock the people still using the workarounds.

          I don’t know if it will be this year, but I don’t think you can rule it out.

          • Nate

            The workaround will be to use Chrome, the crutch that will keep Flash going for another 10 years.

          • Steven Fisher

            I was thinking the same thing, but I feel like I’ve made enough fun of Google this week. 🙂

      • See, the problem is that Apple doesn’t have enough leverage at this point in time that not allowing Flash on Mac would force all web developers to switch. The Mac market share, while growing, is still the minority.

      • Funnily enough the Sydney Morning Herald slammed Apple for blocking Java without user permission the other week…

  • Adams Immersive

    These vulnerabilities have all been with Java on web pages, right?

    Standalone Java apps have remained safe? And a web site running Java on the back end (rather than in the user’s browser) is also safe to use?

    I haven’t needed Java (different from JavaScript) on a web page in years.

    • JohnDoey

      This is not about the language, it is about the virtual machine that runs Java and about the insecure browser plug-in system that enables the virtual machine to get out of control.

      • Adams Immersive

        Right. Recent headlines have tended to oversimplify. (Making people think some entirely other thing is happening. Like thinking Apple blocked the use of Java apps on Macs, which never happened.)

  • kgelner

    What is the URL of the removal tool? Also I am getting really pissed off that not one story is giving us the name of the site that hosted the malware. I can’t think of any iOS development site I use that even uses Java, so I’d really like to know what it was.

    • jimothyGator

      The removal tool hasn’t been released yet.

      As for which site hosted the malware, it’s probably more than one. Some sites may purposely host the malware (malicious sites), which others may have been hacked to host the malware without their knowledge or will (compromised sites).

  • Stacy

    I sometimes play Minecraft with my kids, so that’s the only Java application that I use. Is this a vulnerability, or just Java in the browser?

    • jimothyGator

      On the one hand, Java outside the browser is more vulnerable than Java in the browser, because the former runs without a “sandbox”: it can do pretty much anything a native application can, so a trojan application (say, a fake Minecraft app your kids download) could cause problems.

      On the other hand, Java in the browser can perform “drive-by attacks”: you visit a malicious web site with a Java applet and, without knowing and without any action beyond visiting the web site, have a trojan installed. In the first case (outside the browser), you (or your kids) took action by installing a trojan application. In the second case (inside the browser), you did nothing more than visit a malicious or compromised site.

      • Tetsuo

        Java applications outside the browser are as secure as (if not more secure than) any other app you download from the Internet and install on your machine, made in C/C++/Objective-C.

        If you are comparing it with apps downloaded from the Mac App Store, it’s still the same. Cyberduck is written in Java, is downloaded from the Mac App Store, and runs in the OS X sandbox.

        Java is not insecure per se. The possibility of running code downloaded automatically from random sites is what makes it more risky. If you disable the browser plugin, it will be more secure than most languages. It is a managed runtime, so it’s secured against pointer-related flaws, so common in C/C++.

        The problem is, many sites (primarily banking sites) require the Java plugin. So, many users just must have it installed and active (I do).

        At the same time, Flash brings the same risks, since it also runs code downloaded from random sites, but nobody cares. Double standards, I suppose.

    • JohnDoey

      There are apps for that. Disable Java in your browser and get an app from Mac App Store or App Store to regain security.

      • Fred Kragen

        Wait, they were talking about Minecraft. There’s no “app for that” – it just is! (Java, unfortunately.)

        • Don’t play it. Problem solved. I live without browser plugins and get along just fine.

    • TobyS95

      That is the only reason I have Java on my Mac and really hated to install it, but you Also, the Minecraft app isn’t signed. The Minecraft devs need to get with the program and think about end user security more.

  • JohnDoey

    We need Apple to kill all browser plug-ins in the next iteration of Mac OS. Websites will simply start serving the Mac the same pure HTML5 pages that they currently serve the iPad. Because those pages are already on the Web, this change would happen overnight. In fact, if Apple announces this at WWDC, then by September when the next Mac OS ships, the HTML5 pages will already be available.

    • What rubbish. There are still countless sites that depend on either Java applets or Flash (and which have no iOS alternative) – see my other comment on your post above.

  • Anybody know which developer web site was used to spread the attack?

  • The only thing I need the java-plugin for is the security solution of my online bank. Thank you, bankers, you screwed that up as well.

    • Nate

      I remember when banks used to require the use of an ActiveX control (and IE) in order to “ensure security”.

      • This is still very much the case in foreign countries, especially in S. Korea. IE still has an absolute majority of browser share there because EVERYTHING requires ActiveX.

        • jonathanjk

          I can’t say I’ve needed ActiveX with my Standard Chartered account here in Hong Kong.