I told you to remove java and flash from your macs! (1 Viewer)

[Ken Chan]

On Lion, Java does not silently auto-install, it will prompt you if you launch it from the shell. It does not auto-install at all from within Safari; you get "Missing Plug-In" as usual.

So as long as you go to known sites your pretty safe.

By some measure of "pretty" safe. The problem is that your known sites can get hacked and malware gets inserted. Of course, your known sites can also store your credentials in an insecure way. Plenty of ways to get burned. You can also reduce your chances of getting in an auto accident by never leaving your house....

 

[dmiller68]

I agree as an owner of a website and Architect for a major on-line brokerage there are a million ways to have your computer infected or identity compromised. I was trying to not get into a battle about how safe MAC's are as there are people with very strong opinions here. I have been down this path a few times.

Originally Posted by Ken Chan /t/319852/i-told-you-to-remove-java-and-flash-from-your-macs#post_3915174
On Lion, Java does not silently auto-install, it will prompt you if you launch it from the shell. It does not auto-install at all from within Safari; you get "Missing Plug-In" as usual.
By some measure of "pretty" safe. The problem is that your known sites can get hacked and malware gets inserted. Of course, your known sites can also store your credentials in an insecure way. Plenty of ways to get burned. You can also reduce your chances of getting in an auto accident by never leaving your house....

 

[DaveF]

My issue -- and why I don't care who's fault it really is -- is it erodes the easiness of a Mac.

I bought in 2007 and I didn't worry about this. There simply wasn't any in-the-wild threats to worry about. Even the first iteration of this malware in 2010(?) vectored through pirated iWork software.

But this development of drive-by malware, simply view a website and your computer is infected, it brings back bad memories of the bad old days of Windows 95, where simply viewing an email or visiting a bad website and your computer was compromised.

I'm not wringing my hands in active worry, but this is a watershed for OS X systems in my view. I now have to think about viruses and trojans on my Mac. I have to actively think about the installation of bog-standard stuff from major companies. I'm not abandoning my Mac for this (and definitely not my wife). This doesn't change my daily home use, though I'll have to pay better attention to virus news and think more carefully about AV software on our machines. It nibbles a bit at my enthusiasm for the brand.

Nothing like finding out OS X 10.9 will be codenamed "Jar Jar", but still, not a pleasing development

 

[mattCR]

Originally Posted by Ken Chan /t/319852/i-told-you-to-remove-java-and-flash-from-your-macs#post_3915174
On Lion, Java does not silently auto-install, it will prompt you if you launch it from the shell. It does not auto-install at all from within Safari; you get "Missing Plug-In" as usual.
By some measure of "pretty" safe. The problem is that your known sites can get hacked and malware gets inserted. Of course, your known sites can also store your credentials in an insecure way. Plenty of ways to get burned. You can also reduce your chances of getting in an auto accident by never leaving your house....

Ken, I agree.. I think that's why I kept saying "on 10.6" (IE, NOT Lion). Prior to Lion, it did Auto install, and in fact, the installables were present on discs up until 2011. So, that's a big difference. But you can't assume all Mac users are on 10.7. Hell, you've still got a lot of people on Non-Intel Macs, believe it or not

 

[DaveF]

http://www.marco.org/2012/04/10/flashback-trojan

Quoting Marco Arment (whom I find agreeable in reviews, but half of you don't

I’ve already had a few normal people (non-geeks) ask me about Flashback. It’s huge. It has significantly damaged the Mac’s reputation among consumers of being a safe, malware-free platform.

Apple has always been embarrassingly slow to issue patches for known vulnerabilities. This one’s inexcusable. It’s time for Apple to make significant personnel and policy changes around software security.

 

[Sam Posten]

As noted in that discussion page, Apple is working on a (presumably) easy to use removal tool:
http://www.loopinsight.com/2012/04/10/apple-developing-flashback-malware-removal-tool/

 

[Michael_K_Sr]

And it has arrived...
New Java update from Apple removes Flashback malware

 

[Sam Posten]

Another possible major rutroh, too early to tell:
http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/
Good and bad news:
http://www.macrumors.com/2012/08/28/newly-discovered-java-7-security-vulnerability-poses-risks-to-macs/

Update: CNET noted earlier today that most Mac users are not currently susceptible to the issue, as Java 7 is not installed by default on Macs. The current version of Java installed on Mac remains Java 6 for the time being, so users would have to have manually updated to Java 7 in order for their systems to be vulnerable.

 

[Sam Posten]

Derp. http://arstechnica.com/security/2013/01/critical-java-zero-day-bug-is-being-massively-exploited-in-the-wild/

 

[DaveF]

I'm back to using both flash and java. I was forced to admit the web isn't usable on the desktop without flash (and switching to Chrome for flash use is impractical). And I had to have java for the harmony one software. Sigh.

 

[Ken Chan]

You can still have Java installed for "desktop" applications. The important thing is to disable the Java plugin in your browser(s), which enables the drive-by malware. Recent versions of OS X disable it automatically, and re-disable it if you haven't used it in a week or two.

 

[KeithAP]

Oracle has updated Java.
-Keith

 

[Sam Posten]

Easier to just kill it with fire.

 

[Sam Posten]

Despicable, http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/

 

[Ted Todorov]

Originally Posted by Sam Posten
Despicable,
http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/

It should be said that these "wonderful bonuses" are PC (Windows) only -- I guess Mac users are less likely to fall for such crap.
Speaking of Flash removal -- I never really consciously removed it -- other than not installing it on my 2011 Mac Mini in the first place, but as my other Macs' Flash version got out of date, and Safari/OS X started blocking it, I realized I really didn't need it -- indeed I now had a terrific ad blocker -- so I never updated, and have been Flash free for over a year now. So no missed...

 

[Sam Posten]

This one affects Mac users too. http://arstechnica.com/security/2013/02/adobe-issues-emergency-flash-update-for-attacks-on-windows-mac-users/

 

[DaveF]

Yep. Need to update. Would be happy to,see flash die. But web still isn't usable without it.

 

[Sam Posten]

So how do you get past that? You will forever be making excuses for it. You must be the change you want to see in the world. -Ghandi

 

[DaveF]

I tried the Chrome backup idea, but having to launch Chrome, manually copy and paste the web address from Safari to Chrome, and reload a page of interest is too cumbersome. And I'm still using Flash, just in a more secure manner. Me being unable to get stuff done online does nothing to help the web and only wastes my time. So, Flash and Java it is.

 

[Sam Posten]

Use Open with!