Yesterday Apple admitted to being the victim of a hacker attack by the same people that went after Twitter and Facebook weeks before. The attack was carried out using a malicious Java applet hosted on a popular OS developer website, iPhoneDevSDK. Apple said it is taking steps to help its customers affected by the exploit, including releasing an updated Java malware removal tool.[1]
Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days. To protect Mac users that have installed Java, today we are releasing an updated Java malware removal tool that will check Mac systems and remove this malware if found.
Because the vulnerability used was not protected against either by Apple’s patches or common anti-virus software, it was able to infect the machines that had visited the site. It’s not clear what triggered the infection, though this is a prime example of how the vectors of infection are changing. Rather than targeting individuals via links in emails, the hackers here targeted a location that would be visited by developers across various companies, as long as they had an interest in iOS. This is commonly called a “watering hole” attack.
I refuse to install middleware that would make my machine vulnerable to the kind of “watering hole” attacks Apple experienced yesterday. That includes internet plug-ins such as Adobe Flash, Adobe Shockwave, Oracle Java, Microsoft Silverlight, and the Unity Web Player. It also includes compatibility layer software such as Adobe Air, Wine, Cider, X11, and Rosetta. Not only does this software look out of place on my Mac, but it introduces security vulnerabilities that would otherwise be patched by Apple Software Updates, or blocked by security countermeasures like user access controls. By running only native code, and being careful about which apps I install, I can protect my machine in a way no antivirus software or firewall ever could.[2]
Do your best to resist middleware, but if you have to install it to do your job, be responsible for keeping your software up to date. Turn off middleware in the browser when it is not in use, and always be careful about which websites you visit.
Sooner or later we all get bit by malware, but installing middleware is like putting your finger in the turtle’s mouth.[3] A convenience that may not be worth the bite.
[1] It is nice to see Apple going out of its way once again to protect users from a third-party plugin.
[2] Antivirus software can only protect your Mac from threats after they have already been discovered, and is a waste of time for careful users who consider where they are clicking.