
iOS Developer Site At Core of Facebook, Apple Watering Hole Attack

Soulskill posted about a year and a half ago | from the web-of-trust dept.

Security 88

msm1267 writes "The missing link connecting the attacks against Apple, Facebook and possibly Twitter is a popular iOS mobile developers' forum called iphonedevsdk which was discovered hosting malware in an apparent watering hole attack that has likely snared victims at hundreds of organizations beyond the big three. It's not clear whether the site remains infected, but researcher Eric Romang dug into the situation and determined that the site was hosting malicious JavaScript that was redirecting visitors to another site, min.liveanalytics. That site had been hosting malware as of Jan. 15."


88 comments


Obligatory (3, Funny)

bigredradio (631970) | about a year and a half ago | (#42958271)

Where's your God now?

Re:Obligatory (4, Funny)

gstoddart (321705) | about a year and a half ago | (#42958311)

Where's your God now?

Smoking bong hits, laughing hysterically, and trying to figure out how else to fuck with us. ;-)

Re:Obligatory (0)

Anonymous Coward | about a year and a half ago | (#42958773)

Where's your God now?

Smoking bong hits, laughing hysterically, and trying to figure out how else to fuck with us. ;-)

Let's hope his next prank doesn't involve a big asteroid.

Re:Obligatory (2, Funny)

Anonymous Coward | about a year and a half ago | (#42959627)

Don't think of it as an asteroid impact, think of it as a polite inquiry into the progress of your space program.

Re:Obligatory (0)

Anonymous Coward | about a year and a half ago | (#42960029)

Heh... I didn't know you worshipped Eris... COOL! All Hail Eris! All Hail Discordia!

Re:Obligatory (2)

crutchy (1949900) | about a year and a half ago | (#42959021)

Where's your God now?

He died in October 2011... duh!

what rock have you been living under?

Re: Obligatory (1)

madprof (4723) | about a year and a half ago | (#42959945)

Jimmy Savile!?

LOL (0, Flamebait)

Anonymous Coward | about a year and a half ago | (#42958279)

OS X is a tinker toy OS. Its "security" is laughable. Use a real OS you retarded, hipster fanbois.

Re:LOL (1)

Anonymous Coward | about a year and a half ago | (#42958617)

OS X is a tinker toy OS.

That was deeply hurtful and insulting. Why do you hate Tinker Toys so much?

Re:LOL (4, Funny)

kthreadd (1558445) | about a year and a half ago | (#42958621)

Since the exploit was in Oracle Java I would blame Java, not the operating system which dutifully let the program run. What do you suggest that Apple should do to tidy up the security in OS X? Make it run only Apple approved binaries?

Re:LOL (0)

Anonymous Coward | about a year and a half ago | (#42958713)

Make Gatekeeper only run Mac App Store apps. ...and make sure that any developer that chooses to use Java or Flash is drawn and quartered.

Re:LOL (0, Insightful)

Anonymous Coward | about a year and a half ago | (#42958735)

Apple is in charge of Java on Mac. Oracle has nothing to do with it on their platform.

Re:LOL (2)

NatasRevol (731260) | about a year and a half ago | (#42958821)

Not for the last two years. They passed it back to Oracle after Oracle bought Sun.

Re:LOL (4, Informative)

_xeno_ (155264) | about a year and a half ago | (#42959409)

Not exactly.

They stopped supporting future versions of Java - namely, Java 7. They still support Java 6.

In theory, by now, Java 6 support should have been dropped and Java 6 should no longer be updated at all. However, due to problems with Java 7, and compatibility issues between Apple Java and Oracle Java on Mac OS X, Java 6 lives on and is still being updated.

The Apple update to Java 6 was delivered through Software Update by Apple as an OS update. Java 6 is still done by Apple. At some point, Apple will drop support for Java entirely and the only way to run Java on Mac OS X will be to install it from Oracle.

In fact, this should have happened already. But it hasn't, yet. The next version of Mac OS X will presumably drop support for Apple's Java entirely, but as of today, it still lives on, and patches for it still come from Apple.

Re:LOL (0)

Anonymous Coward | about a year and a half ago | (#42960175)

High! Java 6 EOL is February 2013... so that's all they wrote for Java 6... aloha

Re:LOL (1)

kthreadd (1558445) | about a year and a half ago | (#42963175)

Yet the security hole in question was related to Oracle Java, not Apple Java.

Re:LOL (-1)

the_B0fh (208483) | about a year and a half ago | (#42958863)

seriously? By the way, did you know that the British subjected the colonists to unfair taxes and that caused a war?

Re:LOL (0)

the_B0fh (208483) | about a year and a half ago | (#42961959)

Wow. Talk about idiot moderators. Pointing out that OP was talking about *OLD* status and not what is current is now worth modding down, eh?

Re:LOL (0)

Anonymous Coward | about a year and a half ago | (#42958867)

Um no dumbass, Oracle has been supporting Java on OS X Lion and Mountain Lion for 2 years now. Apple only supports the Java on Snow Leopard.

Re:LOL (-1)

Anonymous Coward | about a year and a half ago | (#42959361)

Apple is in charge of Java on Mac. Oracle has nothing to do with it on their platform.

BZZZZT.

Wrong. Apple is not in charge of Java on Mac, as of OS 10.7. Java does not come preloaded, and if you use an app that requires Java, it lets you know that:

1. you need to install Java to proceed.
2. Java is maintained by Oracle, and not Apple.

Thanks for playing.

Re:LOL (4, Insightful)

Anonymous Coward | about a year and a half ago | (#42959281)

Of course this does not apply to Windows where hacks via flash, java, quicktime, etc are definitely the fault of the Windows OS, probably Bill Gates in particular, as he's the devil. That's always been the consensus on slashdot.

Re:LOL (4, Insightful)

Anonymous Coward | about a year and a half ago | (#42959335)

Since the exploit was in Oracle Java I would blame Java, not the operating system which dutifully let the program run.

Well that counts out just about every Windows exploit from being Microsoft's fault then, after all Windows was just dutifully letting the program run. Do you know nothing about security? If you can exploit a user level application to compromise the system then it is the system's fault.

Re:LOL (1)

RaceProUK (1137575) | about a year and a half ago | (#42965441)

Since the exploit was in Oracle Java I would blame Java, not the operating system which dutifully let the program run.

Well that counts out just about every Windows exploit from being Microsoft's fault then, after all Windows was just dutifully letting the program run. Do you know nothing about security? If you can exploit a user level application to compromise the system then it is the system's fault.

Not quite - it all depends where the vulnerable code is. If it's in java.dll, the fault is Oracle's. If it's in, say, user32.dll, then the fault can definitely be blamed on Microsoft.

Re:LOL (0)

Anonymous Coward | about a year and a half ago | (#42962925)

OS X is a tinker toy OS.

Thanks for posting. Slashdot needs more oxygen thieves.

Mac Users Do a Software Update (4, Informative)

BasilBrush (643681) | about a year and a half ago | (#42958287)

The fix to patch the vulnerability and remove the malware if it's there is available today. Mac users should do a software update.

Re:Mac Users Do a Software Update (2, Insightful)

Anonymous Coward | about a year and a half ago | (#42958353)

Any user with Java on their system, regardless of OS, should do an update (or disable Java...).

Re:Mac Users Do a Software Update (1)

Anonymous Coward | about a year and a half ago | (#42958519)

Non-Mac users don't go to iphonedevsdk, because you can't use an SDK to dev for an iPhone on anything but a Mac. Ergo, we are immune to this attack.

Re:Mac Users Do a Software Update (0)

Anonymous Coward | about a year and a half ago | (#42958763)

Plus every other platform had patches to prevent this for a few weeks now

Re:Mac Users Do a Software Update (-1)

Anonymous Coward | about a year and a half ago | (#42958361)

So Apple and Apple employees have shown themselves to be thoroughly incompetent, and the solution is... to consume more Apple?

Sure you're putting objective reason into this, BasilBrush?

Re:Mac Users Do a Software Update (1)

Anonymous Coward | about a year and a half ago | (#42958429)

So a company identifies a flaw and puts out a fix and your solution is...to abandon ship and find another manufacturer? You'll run out of viable solutions very quickly, fellow Anonymous Coward.

Re:Mac Users Do a Software Update (-1)

Anonymous Coward | about a year and a half ago | (#42958569)

How many straws before your camel's back is broken, AC?

Re:Mac Users Do a Software Update (1)

RaceProUK (1137575) | about a year and a half ago | (#42965447)

So a company identifies a flaw and puts out a fix and your solution is...to abandon ship and find another manufacturer? You'll run out of viable solutions very quickly, fellow Anonymous Coward.

Obligatory car analogy - it's like buying a Chevy because your Ford's got a flat tyre.

Re:Mac Users Do a Software Update (-1)

Anonymous Coward | about a year and a half ago | (#42958483)

Yes. He loves to have crApple bend him over and fuck his ass until it bleeds.

Re:Mac Users Do a Software Update (5, Informative)

_xeno_ (155264) | about a year and a half ago | (#42958729)

The fix to patch the vulnerability and remove the malware if it's there is available today.

The keyword there is "today." The actual Java patch was available earlier, it's just Apple only bothered patching their version of Java until - well, after they got bitten by the vulnerability, apparently. Apple had been content to just say "applets are no longer supported" and leave it at that.

Re:Mac Users Do a Software Update (1)

the_B0fh (208483) | about a year and a half ago | (#42958885)

http://support.apple.com/kb/HT5573

This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a webpage, click on the region labeled "Missing plug-in" to go download the latest version of the Java applet plug-in from Oracle.

You do realize that Apple has handed over Java support on OSX back to Oracle, right?

Re:Mac Users Do a Software Update (1)

_xeno_ (155264) | about a year and a half ago | (#42959045)

You do realize that Apple has handed over Java support on OSX back to Oracle, right?

For Java 7, yes, Apple doesn't support that. For Java 6, they still do. The Apple version of Java still exists, was vulnerable to the Java 0-day, and missed the patches that fixed it that were first released a couple of weeks ago. Their fix was instead to just disable applets entirely, which is great unless your IT department requires an applet to use their wi-fi network. (Seriously.)

And, yes, there are still some Mac OS X apps that require Apple's version of Java, because it's not completely compatible with Oracle's version of Java.

However, it turns out that Java itself was updated today, and that Apple's Java patch includes today's Oracle patch, so it may turn out that the flaw being exploited wasn't patched at all until today. (The article claims it was exploiting a flaw that was patched at the start of the month - a patch that never made it to Apple's version of Java.)

Quick recap: Apple is not supporting Java 7. They are still supporting Java 6, which is still living on because not all Mac OS X Java apps support Java 7.

Re:Mac Users Do a Software Update (1)

Plumpaquatsch (2701653) | about a year and a half ago | (#42961071)

You do realize that Apple has handed over Java support on OSX back to Oracle, right?

For Java 7, yes, Apple doesn't support that. For Java 6, they still do. The Apple version of Java still exists, was vulnerable to the Java 0-day, and missed the patches that fixed it that were first released a couple of weeks ago.

Now that's odd, are you claiming that the 0-day works in Apple's Java 6 despite only working under Java 7? http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0431 [nist.gov]

Re:Mac Users Do a Software Update (1)

Plumpaquatsch (2701653) | about a year and a half ago | (#42960899)

The fix to patch the vulnerability and remove the malware if it's there is available today.

The keyword there is "today." The actual Java patch was available earlier, it's just Apple only bothered patching their version of Java until - well, after they got bitten by the vulnerability, apparently. Apple had been content to just say "applets are no longer supported" and leave it at that.

RTFA. Seriously. There was a patch - but it didn't fully fix the hole. Not to mention that "Apple's version of Java" wasn't affected, only Java 7.

Most comments below... (2, Insightful)

coinreturn (617535) | about a year and a half ago | (#42958313)

will be nothing but hate.

Re:Most comments below... (1)

eksith (2776419) | about a year and a half ago | (#42958797)

A lot of comments above are already full of hate :/ And I don't get why they blame Apple for this when clearly Oracle is at fault for letting Java stagnate this much.

When Cisco took over Linksys we ended up with lackluster hardware. No big deal. But when Oracle let their bought product stagnate, the damage is a lot more severe if only due to its sheer ubiquity and dependence.

Re:Most comments below... (0)

Anonymous Coward | about a year and a half ago | (#42959365)

But of course you DO get why Windows gets the blame when it gets hacked via Java, Flash, whatever. Mac users are sad. When a story like this comes out about Windows it's: "Windows sucks, it's insecure!". Then when an identical story comes out about MacOS it's: "It's not MacOS's fault". Wow.

Re:Most comments below... (0)

Anonymous Coward | about a year and a half ago | (#42962951)

Windows exploits which DIDN'T involve Java number in the 10's of 1,000's. Wow to you too.

Re:Most comments below... (0)

Anonymous Coward | about a year and a half ago | (#42962965)

Mac users are sad? I've only seen them sad when they had to use Windows.

Re:Most comments below... (1)

exomondo (1725132) | about a year and a half ago | (#42959413)

I don't get why they blame Apple for this when clearly Oracle is at fault for letting Java stagnate this much.

The reason is because this flaw exists in Apple's implementation of Java 6 - which is still required by many people as not all apps work on Oracle's Java 7 (which was patched for this vulnerability some time ago).

Re:Most comments below... (1)

RaceProUK (1137575) | about a year and a half ago | (#42965453)

I don't get why they blame Apple for this when clearly Oracle is at fault for letting Java stagnate this much.

The reason is because this flaw exists in Apple's implementation of Java 6 - which is still required by many people as not all apps work on Oracle's Java 7 (which was patched for this vulnerability some time ago).

Funny - there's no mention of Java 6 here [nist.gov] , only Java 7.

Re:Most comments below... (1)

exomondo (1725132) | about a year and a half ago | (#42972285)

Funny - there's no mention of Java 6 here [nist.gov] , only Java 7.

Why are you only looking at one vulnerability?
As reported by Ars Technica, the 15th February, Facebook was victim of a watering hole attack, involving a “popular mobile developer Web forum“. The attack was using a Java 0day that has been urgently patched, in Oracle Java CPU of first February, by version 7 update 11 and version 6 update 39. http://eromang.zataz.com/2013/02/20/facebook-apple-twitter-watering-hole-attack-additional-informations/ [zataz.com]

Re:Most comments below... (1)

RaceProUK (1137575) | about a year and a half ago | (#42972331)

It's the only vuln linked to as far as I can see.

Re:Most comments below... (1)

exomondo (1725132) | about a year and a half ago | (#42972511)

It's the only vuln linked to as far as I can see.

The article just mentions that there was an exploit added to the Cool Exploit Kit that exploits that specific vulnerability, it doesn't make any suggestion that was the one used or that the Cool Exploit Kit was used, it could have been any of the many 0-day exploits patched very recently.

Re:Most comments below... (0)

Anonymous Coward | about a year and a half ago | (#42959209)

Slashdot users love to tell people how miserable and pathetic they are.

malware (5, Interesting)

Mr.123 (661787) | about a year and a half ago | (#42958317)

The site in question has been hosting malware on and off for over a year now. They were flagged at least half a dozen times by google over the past year for hosting malware. The site then went down for weeks while overhauling the entire forum software and then bam, this happens. Unfortunately some very good discussions happen on the site and I just can't quit using it.

Re:malware (1)

edxwelch (600979) | about a year and a half ago | (#42959381)

It used to be a great site for App Store marketing tips, but it has since gone downhill somewhat.

Re:malware (0)

Anonymous Coward | about a year and a half ago | (#42961129)

Any other suggested sites? I happened to start reading iphonedevsdk just a couple of days ago, after I realized my app needs some sort of publicity but I didn't know what's worthwhile.

Okay.... this is a new one. (2)

mark-t (151149) | about a year and a half ago | (#42958345)

What the heck is a "watering hole attack"?

Re:Okay.... this is a new one. (1, Troll)

smooth wombat (796938) | about a year and a half ago | (#42958413)

People come to you.

Animals need to go to a watering hole to get their water, iOS folks need to go to this site to get their software.

Re:Okay.... this is a new one. (1)

Anonymous Coward | about a year and a half ago | (#42958471)

Quote : "iOS folks need to go to this site to get their software."

Ehhhhh....no.

Re:Okay.... this is a new one. (1)

Anonymous Coward | about a year and a half ago | (#42958487)

People come to you.

Animals need to go to a watering hole to get their water, iOS folks need to go to this site to get their software.

Not really. It's more of a 'candy store' attack. It's a popular, but not necessary, site.

Re:Okay.... this is a new one. (1)

mark-t (151149) | about a year and a half ago | (#42958491)

The only place iOS folks really need to go for their software is to Apple's online developer portal.

I've been developing for iOS for 2 years now, and had not ever heard of this particular web forum prior to this article.

Re:Okay.... this is a new one. (0)

the_B0fh (208483) | about a year and a half ago | (#42958897)

Come now, stop feeding the trolls.

Re:Okay.... this is a new one. (1)

BitZtream (692029) | about a year and a half ago | (#42962787)

Really? We're developing with a rule against using a search engine? They turn up in plenty of my search results for various iOS dev related things.

They were one of 'the first' iOS dev sites, early enough that I'd venture to say they were probably there before Apple's iOS SDK existed, but my memory may be a bit off; that was 5 years ago.
Not knowing about this site indicates you live in a virtual box.

Re:Okay.... this is a new one. (0)

Anonymous Coward | about a year and a half ago | (#42958597)

the site in question is just a developer forum, it's not an official Apple site, end users will never go to it.

Re:Okay.... this is a new one. (0)

Anonymous Coward | about a year and a half ago | (#42959139)

Why parent is modded "TROLL"?

Re:Okay.... this is a new one. (1)

flimflammer (956759) | about a year and a half ago | (#42961969)

It may not be entirely accurate, but what retarded mods are flagging this Troll?

Re:Okay.... this is a new one. (-1)

Anonymous Coward | about a year and a half ago | (#42958419)

It's when you buttfuck a man with diarrhoea, of course.

Apple users, etc.

Re:Okay.... this is a new one. (5, Informative)

ThisIsSaei (2397758) | about a year and a half ago | (#42958433)

It's where you target a page used by multiple targets. Here a mobile developers' forum was hit; that forum was not the real target, but the people who use it frequently were. "Poisoning the watering hole," if you will.

Re:Okay.... this is a new one. (5, Funny)

Anonymous Coward | about a year and a half ago | (#42958501)

What the heck is a "watering hole attack"?

It's where troopers metaphorically attack a swagman by a billabong (the 'watering hole') causing him to leap to his death and subsequently haunt the area. I won't go into detail on how this applies in relation to computer security, but I'm sure you get the gist of it.

Re:Okay.... this is a new one. (1)

Sebastopol (189276) | about a year and a half ago | (#42960591)

best reply of 2013 so far.

Re:Okay.... this is a new one. (0)

Anonymous Coward | about a year and a half ago | (#42961119)

If you use 802.11, wear iron armor made from stove parts?

Re:Okay.... this is a new one. (0)

Anonymous Coward | about a year and a half ago | (#42961741)

but I'm sure you get the ghost of it.

Fixed That For YoooOooOoOOOO

Re:Okay.... this is a new one. (5, Informative)

rb12345 (1170423) | about a year and a half ago | (#42958535)

Traditionally, you had "spear phishing" attacks which had attackers sending malware or phishing emails directly to their targets. This is relatively easy to spot and filter. The "watering hole" attacks work by compromising a trusted third-party site used by the targets. For example, if your attacker know you read Slashdot or use some specialised forum site, they could attempt to compromise those sites and use them to host exploits as part of the normal pages (infected banner ads or modified page content).

Re:Okay.... this is a new one. (0)

Anonymous Coward | about a year and a half ago | (#42958817)

What the heck is a "watering hole attack"?

In the words of Mona Lisa Vito, "Imagine you're a deer. You're prancing along, you get thirsty, you spot a little brook, you put your little deer lips down to the cool clear water... BAM! A fuckin bullet rips off part of your head! Your brains are laying on the ground in little bloody pieces!"

Re:Okay.... this is a new one. (1)

MadKeithV (102058) | about a year and a half ago | (#42959427)

What the heck is a "watering hole attack"?

I'm not quite sure, I was half expecting a Hurd of GNUs in a drinking frenzy.

without clicking on the link (0)

Anonymous Coward | about a year and a half ago | (#42958417)

What's the full host name(s) of the infected sites so we can block it hosts files + dns entries?

Re:without clicking on the link (5, Funny)

houstonbofh (602064) | about a year and a half ago | (#42958489)

If you block *.com you should get a lot of it.

Re:without clicking on the link (0)

Anonymous Coward | about a year and a half ago | (#42958605)

I will summon APK for you. I'm sure it's already in his hosts file.

Re:without clicking on the link (0)

Anonymous Coward | about a year and a half ago | (#42959631)

The best posts of his are the ones where he tries not to act like a dick, but in the end can't help himself and ends up spending all this time writing some 5 page post that nobody reads. 3 APK!

Re:without clicking on the link (0)

Anonymous Coward | about a year and a half ago | (#42960983)

Gawd anything but that. His posts make my eyes bleed.

Time to learn. (2)

ThisIsSaei (2397758) | about a year and a half ago | (#42958475)

This is a good reminder that with web security you're only as secure as the weakest link. A new exploit pushed from a popular dev site on a trusted platform like Java is going to hit you hard and you can't avoid it directly. The real story here is how quickly / properly people responded, and how well defensive infrastructure and policy stopped the intrusion. There's months and months of good security analytical reading right here. We can also compare company to company as it hit more than one.

Lots of sites like this out there... (0)

Anonymous Coward | about a year and a half ago | (#42958679)

Still mostly attack Windows. But Android and iOS phones are a juicy target, especially with people starting to use them as rich media devices. There's no prompt to allow anything, just click on the link and you're pwnd.

Re:Time to learn. (0)

Anonymous Coward | about a year and a half ago | (#42958733)

And Facebook, Apple and Oracle are all weakest links! GTFO

Re:Time to learn. (1)

amicusNYCL (1538833) | about a year and a half ago | (#42958901)

a trusted platform like Java

Sorry, what? Several things come to mind when I think about Java, "trusted" is not one of those things. Java is a textbook example of a single piece of the platform (the browser plugins) giving the entire thing a bad name, even if it's not justified. Anyone who still browses around the general internet with a browser that has the Java plugins enabled is either unaware of what the Java plugin is, or stupid. If you're a Java developer, have one browser with your plugins enabled that you use only to develop your own software. Your general-purpose browser should not have those things enabled, in fact all plugins should be click-to-start in your general browser. I have development and general use browsers and my applications don't even involve plugins, it makes sense for more reasons than just security.

you can't avoid it directly

Yeah you can, you really can. I visited the forum that was infected just to see what they were saying about it (interestingly, their announcement did not include anything about Java). I wasn't worried about visiting the forum because of how my browser is set up, it's not going to get infected even if they're trying to infect me. You really can avoid it, and it's not even hard to do. In this case, the forum was compromised because the attacker got credentials for an admin account and used it to modify the template to include his Javascript (or so claims the poster on the forum making the announcement [iphonedevsdk.com] ). The users can't do anything about accounts getting compromised, but they sure as hell can avoid having a giant bullseye painted on their browser.
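The injection pattern described above (a JavaScript include added to a forum template, as rb12345 and amicusNYCL describe) is something a site owner can check for on their own pages. The following is an added example, not code from this thread or from iphonedevsdk: it extracts every external script and iframe source from saved HTML and flags hosts that are not on the site's allowlist. The host names in the sample page (forum.example, min.stats-collector.example) are constructed for the example.

```python
"""Flag <script>/<iframe> sources that load from hosts outside an allowlist.

Added example (not from the Slashdot thread or from iphonedevsdk). Intended
use: run it over saved copies of your own site's pages (crawler output or a
build artifact) and alert on any external script host you did not put there,
which is exactly what an injected template include looks like from the
defender's side.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect src attributes of <script> and <iframe> tags.

    Hidden iframes are included because they are another common way an
    injected template pulls third-party content into every page.
    """

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append((tag, value))


def host_of(src, page_host):
    """Return the host a src attribute will actually load from.

    Handles absolute URLs, protocol-relative URLs (//host/x.js) and
    relative paths (/js/x.js), the last of which load from the page's own
    origin.
    """
    parsed = urlparse(src)
    if parsed.netloc:
        return parsed.netloc.lower()
    return page_host.lower()


def is_allowed(host, allowlist):
    """A host is allowed if it equals an entry or is a subdomain of one.

    The leading dot in the suffix check prevents 'evilforum.example' from
    matching an allowlist entry of 'forum.example'.
    """
    for allowed in allowlist:
        allowed = allowed.lower()
        if host == allowed or host.endswith("." + allowed):
            return True
    return False


def find_foreign_scripts(html, page_host, allowlist):
    """Return (tag, src, host) for every script/iframe not on the allowlist."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for tag, src in collector.srcs:
        host = host_of(src, page_host)
        if not is_allowed(host, allowlist):
            findings.append((tag, src, host))
    return findings


# Constructed sample page: the forum's own scripts, its CDN, a same-domain
# ad frame, and one include pointing at a third-party host. All host names
# are made up for this example.
SAMPLE_PAGE = """<html><head>
<script src="/js/forum.js"></script>
<script src="//cdn.forum.example/jquery.min.js"></script>
<script type="text/javascript" src="http://min.stats-collector.example/track.js"></script>
</head><body>
<iframe src="https://ads.forum.example/banner" width="1" height="1"></iframe>
</body></html>"""

# The site's own registrable domain; subdomains of it are accepted.
ALLOWLIST = ["forum.example"]


if __name__ == "__main__":
    for tag, src, host in find_foreign_scripts(SAMPLE_PAGE, "forum.example", ALLOWLIST):
        print(f"foreign {tag}: {src} (loads from {host})")
```

Anything this reports that you did not add yourself deserves the same attention as a changed template file or an unexpected admin login.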

Re:Time to learn. (1)

ThisIsSaei (2397758) | about a year and a half ago | (#42959311)

I have a completely secure computer for you, it's called a rock.

Yes, running a no-script browser is technically safer, but it's also technically useless as you're missing out on the content provided by those scripted services. Do you manually type in captcha hashes? Do you ignore all video posted anywhere? You'll never run a single script, ever? A browser is inherently insecure as its entire purpose is to download and render remote scripts.

It's very ignorant to insist that you're bullet-proof, or to insist that it's a Java only (or even worse a "browser plugin") issue. Java is not uniquely bad, it's just the latest target. The correct approach to security is mitigation of threat, not summary denial of vulnerability.

Re:Time to learn. (1)

amicusNYCL (1538833) | about a year and a half ago | (#42960927)

Yes, running a no-script browser is technically safer, but it's also technically useless as you're missing out on the content provided by those scripted services. Do you manually type in captcha hashes? Do you ignore all video posted anywhere? You'll never run a single script, ever?

Where did you get that from? The interface of the major application I work on is over 1.5MB of Javascript. I don't disable Javascript. I disable plugins from automatically starting plugin content. This has nothing to do with scripting. I'm talking about Java, not Javascript. Hopefully you know the difference, if you don't then don't bother to reply to things like this. As for video specifically, if I come across a Flash video on a news site or whatever that they embedded in a way where click-to-start doesn't work for that site (such as CNN), then I just copy and paste the URL into my development browser which otherwise never browses the general internet.

Java is not uniquely bad, it's just the latest target.

Whether or not Oracle's Java browser plugin is uniquely bad is in fact a matter of debate.

The correct approach to security is mitigation of threat, not summary denial of vulnerability.

I'm not sure what you're saying there, "mitigation of threat" and "denial of vulnerability" sound like the exact same thing. I am mitigating the threat by denying even the operation of the vulnerable Java plugins from automatically starting and executing whatever code a site is attempting to feed to them.

no different than /. (0)

Anonymous Coward | about a year and a half ago | (#42958907)

uh? what? /. hasn't been hacked? Or they just haven't admitted?!? Where am I? Where's my monkey?

that makes sense (0)

slashmydots (2189826) | about a year and a half ago | (#42960465)

Apple devs wouldn't know security if it bit them in the iPhone so this is less than surprising. Then you use a browser exploit that targets macs, which is (debatably) easier to make and tada. I'm going to take a wild guess that Facebook's devs aren't too bright either, based solely on their coding and design work aka the Facebook website.

Those darn Chinese! (1)

chad_r (79875) | about a year and a half ago | (#42960583)

Ah, the weakly supported claims that China is at an all-out "cyberwar" now become clearer. The Chinese army must have created the site min.liveanalytics.org. Then they deviously drew in visitors from a popular site, including some from major US corporations. For any machine that was vulnerable, China has thusly "hacked" the corporations owning those machines. Hackers get cred, the news media gets to scream that the sky is falling, and the US government gets to increase funding for the "war on cyberterror". It's win-win-win!

As to your next question, no I do not know the owner of min.liveanalytics.org to prove it is owned by the PLA. However I follow the same standards as the news media, security companies, and most slashdot posters; i.e., that it "seems reasonable" and "who can doubt that they are behind it." Who, indeed!

Re:Those darn Chinese! (0)

Anonymous Coward | about a year and a half ago | (#42962649)

Does anyone really need proof at all to say that (country X) is actively hacking (country Y)? Unless I had some compelling evidence that they weren't, I would assume they were. To give any nation the benefit of any doubt with regards to spying (which is what nation-state-sponsored hacking has been, so far) is to be absurdly naive.

Unless they were close allies (eg. US and Britain) and even then, I would wonder.

Real issue is admin-rights for Java on OS X... (0)

Anonymous Coward | about a year and a half ago | (#42965511)

Curious to know how the iPhone dev thingy site got hacked btw...

But basically the issue comes down to this: you MUST be root (i.e. give the root password) to install Java on OS X (on Windows too btw) hence even if Java is *supposed* to be correctly sandboxed you simply cannot be sure. All that is needed is a tiny Java exploit and BOOM: full root access to OS X.

On Linux, contrarily to Windows or OS X, you do NOT need to be admin/root to install Java. However most people --totally and utterly stupidly-- do still install Java on Linux using apt-get or rpm. Frak no: use the .tar.gz. This is easy to do.

Now the other issue (and probably the most important one) is that people do not realize how gigantic of an attack vector the browser is, on any platform. You should settle for a safer way to browse: use a separate user account only for browsing (and of course without Java installed). Ideally use a throwaway VM (like a KVM VM) to surf.

I fully expect way more important Windows and way more important OS X attacks in the future and gigantic number of devs getting owned and owned and owned.

Meanwhile people surfing from VMs shall be quite safer.

There's an update (1)

Plumpaquatsch (2701653) | about a year and a half ago | (#42969915)

There's an update to the first article - looks like almost the same attack (via the same JavaScript inclusion, using a different exploit of course) was active on Fedoraforum.org last July.
