suntimes

Apple hacked, and Java is the weak spot

Updated: February 19, 2013 5:31PM



If any of you is driving a vintage Ford Pinto, you should go out and get a Java bumper sticker for it. Few people will get the joke, but those who do will have such a good laugh there in the parking lot that they might slip a buck or two under your windshield wiper.

Yes. It’s official. Just as the Pinto is inextricably linked to getting covered with gasoline and burning to death in a minor collision, so does the public link the Java browser plugin with systems getting hacked. High-profile systems. Apple was just the latest victim to make the national news. In a statement Tuesday, the company reported that a “small number of systems” used by Apple were infected with malware that exploits a previously unknown hole in Java security. These Macs were infected after their owners visited a website for software developers. Apple says that they’ve found no evidence that any data left Apple due to the malware, and they’ve already released a software update that patches the vulnerability. Apple users: Select “Software Update” under the Apple menu and then click on the “Updates” button to find and install it.

Ars Technica identifies the origin of the malware that infected Apple employee computers as an iPhone developer forum. That would explain why this same malware has also been attributed to the infection of employee machines at Facebook (as disclosed by that company last week). Developers working for any number of prominent tech companies use that forum. The natural conclusion is that the creator of the malware compromised the forum’s server in hopes of bagging big prizes. He or she would be checking the reports sent in by infected computers, and then targeting for further exploits and espionage any that seemed to be in Very Interesting places. Like Apple, or Facebook, or…?

It’s a little bit ironic that Apple would join an increasing number of high-profile Java-related infections, given how aggressive the company has been in discouraging its customers from using it. Apple stopped supporting Java directly with the release of Mac OS Lion two years ago, choosing to allow Oracle (the owner of the Java platform) to produce — and more importantly, maintain and secure — the plugin. Last year, Apple stopped preinstalling the plugin on Macs. Then, they gave it a further thumbs-down by causing Macs to reject Java applets that try to auto-run, and to disable the plugin entirely if the user doesn’t authorize the execution of any Java applets within a limited range of time.

And more than once in the past few months, Apple has also found reason to disable certain versions of the plugin remotely, by placing its identifying signature on an OS-wide blacklist that’s updated daily.

Early reports suggested that Apple’s breach was the work of the same Chinese espionage ring that had compromised the New York Times and other outlets. That’s possible, but little is known about this malware beyond Apple’s two-paragraph boilerplate statement.

Java’s a problem...a huge one. It doesn’t take a coordinated state-sponsored spy ring to create a mountain of breaches that seem to happen at the same time. Soon after a new method of attack is perfected, tools that simplify the process are developed and the exploit becomes accessible to people who lack the uncommon expertise of those who discovered the flaw and saw its potential. It’s like how counterfeiting became a much larger problem for the Treasury Department with the widespread availability of high-quality color scanners and printers. So I wouldn’t necessarily worry that we’re in Chapter 3 of a Tom Clancy novel.

You also shouldn’t worry about the JavaScript technology that runs on your browser. They’re completely different technologies. The weaknesses of JavaScript have been exploited by bad guys in the past, of course...but JavaScript has nowhere near the level of intimacy with your OS and provides far fewer opportunities for malware. JavaScript is a mail slot in your front door. The Java plugin is a screen door. One that your big dumb dog has run straight through.

The bad guys — I try hard not to use the word “hackers” to describe these people, because doing so lumps good people in with the bad — are going nuts for these latest exploits because they’re just so damned effective. It’s gotten so out of hand that the Department of Homeland Security has recommended that all users disable the Java plugin in their browsers.

While most websites rely on JavaScript, few of them require Java. Unless your company or your school runs complicated apps through browsers (such as remote access and conferencing tools) you can live a long, healthy life without it. Information on disabling Java can be found on the official Java site: http://www.java.com/en/download/help/disable_browser.xml. To uninstall the plugin completely from a Windows PC, follow these instructions instead: http://www.java.com/en/download/uninstall.jsp. On the Mac, use these: http://www.java.com/en/download/help/mac_uninstall_java.xml.

The gag with the Pinto is a good one, and I strongly encourage you to download the official Java logo and print up a few stickers for this and other purposes of comedy. Yes, doing so will put you in violation of Oracle’s third-party usage license and identity guidelines for its logos. But honestly, what you’re doing to Oracle is by no means as damaging as what Java is doing to the international community of Mac and PC users. I wouldn’t sweat it.



© 2014 Sun-Times Media, LLC. All rights reserved. This material may not be copied or distributed without permission. For more information about reprints and permissions, visit www.suntimesreprints.com.