My 11/07/10 Missoulian column
Last week, I covered a new variant of the Koobface malware that affects Macs and OS X. The infection vector is through Java, a language that runs programs both in your Web browser and on your computer.
Java exploits are fairly new for OS X, but not for Windows, where Java applets are the leading malware vector according to a leading security expert (and Microsoft itself), http://krebsonsecurity.com/2010/10/microsoft-a-tidal-wave-of-java-exploitation/
You’ve probably seen the icon that represents Java – the steaming coffee cup with encircling arrows and the URL Java.com – that appears when a Java applet loads in your Web browser.
But not all Java applets are bad news or have security problems, of course. Java is a legitimate language in wide usage around the Internet for animations in Web browsers and for building programs for computers that don’t interact with the web at all.
Many websites use Java to display information and graphics. For instance, the National Weather Service uses Java to present weather imagery.
But because of the ease of programming with Java and the amount of access it has to browsers and users’ computers, Java is now seeing a huge increase of use by malware authors. And one of the reasons Java is being exploited now for OS X is that it’s a cross platform language: one program can be written for both Windows and OS X.
As I wrote last week, it’s important to remember that you can’t get Mac Koobface very easily. First, you have to go to a website or click on an e-mailed link that leads to the site that has the malware. And then you have to click to let Koobface install itself. Under OS X, Java-based applets must get your permission to run. And if you deny permission to an applet, you’re safe.
And you should always deny permissions to an Applet that claims to be from Apple but doesn’t have a legitimate security certificate, like in the image to the right.
So if you’re on Facebook or you get an e-mailed link, and you get advisory that says an applet is requesting access to your computer, be very wary. It’s that simple. If you click “Deny,” you’re safe.
But for Windows, you have to be more careful to begin with, as Windows Koobface can infect your PC without you doing anything.
But you can disable Java applets in your browser under both Macs and Windows by turning Java off. This will prevent the malware from being able to work in Windows or asking to install itself on a Mac. (But turning Java off will stop all Java applets from working, including legitimate ones.)
For Safari, go to Safari Preferences/Security tab and untick “Enable Java.” For Firefox, see https://support.mozilla.org/en-US/kb/how-to-turn-off-java-applets For Internet Explorer, see https://support.microsoft.com/en-us/kb/154036
Realize that Java is not the same language as Javascript, which you will also notice in those preference panels. Javascript is a language that runs solely in your Web browser; Java can run in your browser and also a full program.
So if you choose to turn off Java in your browser, don’t also turn off Javascript, which many websites require to function. (Javascript can also be a security problem, but in different ways).
And in Windows, if you know you don’t use Java for anything, you can simply uninstall Java. See http://www.java.com/en/download/help/uninstall_java.xml
This week in Mac Q & A: Password Protection for a Mac