Mac OS X Users Vulnerable To Major Java Flaw
FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."
I've disabled Java in Safari and doubt I'll see any difference since so few sites use Java applets these days. This is of course unrelated to Javascript which is much more disruptive when disabled.
"I have the attention span of a strobe lit goldfish, please get to the point quickly!"
'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,'
And the Java critics said total platform independence was impossible!
Is it independent of the chipset as well, or does it only apply to x86?
I'm going to get modded down as flamebait here, but let's face it, unless it pretties up the OS, Apple will ignore it. Security hasn't exactly been their strong point.
My mac downloaded a new java patch just tonight.
Is it patched?
The summary seems to imply that this exploit is viable on "all the platforms, all the architectures and all the browsers", so why specify Mac OS X? It's not special, and if an exploit is universal, it seems the title and summary should make this clear rather than focusing on OS X. Even a quick look through the linked articles fails to find much about OS X; is the OP just a Mac user who finds it astonishing that his perfect OS could be vulnerable?
In case you don't have OS X but want to pass on the instructions to relatives, etc:
In Safari (version 4 beta):
Safari->Preferences->Security->Web Content: Enable Java (uncheck)
In Firefox (3.5 beta, probably the rest):
Firefox->Preferences->Content->Enable Java (uncheck)
I don't have any other browsers (opera, different versions, etc.) on hand, but it might be nice to add instructions in a reply...
Very well...
I choose this one...
FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple.
So essentially... All Apple users who have left JAVA enabled, and all -other- users who have not yet patched their JAVA installations. Yes, that does include Microsoft Windows, flavor-of-the-month Linux, etc. users who decided to disable auto-updating - if any - of their JAVA installation.
I'd really like to know if this was/is a flaw in the structure/design of the JVM or just happened to be some kind of pitfall every major JVM-implementor fell into.
The articles and bug reports are light on detail. I could only find out that it is related to "Deserializing Calendar Objects" and allows the applet to execute stuff with the user's rights (or, more correctly, the rights of the web browser that started the applet), which sounds like an implementation problem to me. Was there some reference implementation all JVM developers used for this specific functionality?
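The post above notes that the flaw is tied to deserializing Calendar objects. As an added example, not code from the original thread, from Sun, Apple or any other JVM vendor, the block below shows a general application-level mitigation for reading serialized objects from an untrusted source: an ObjectInputStream that rejects any class not on an explicit allowlist before that class can be instantiated. The names AllowlistObjectInputStream and deserializeAllowingOnly and the two sample inputs (a Date the endpoint expects, a GregorianCalendar it does not) are my own constructions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.HashSet;
import java.util.Set;

public final class AllowlistDeserializer {

    /** ObjectInputStream that refuses any class not on an explicit allowlist (hypothetical helper). */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // resolveClass runs for every class descriptor in the stream before
            // any readObject() of that class executes, so rejecting here keeps an
            // unexpected type from ever being instantiated.
            String name = desc.getName();
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    /** Deserialize data, permitting only the listed fully qualified class names. */
    static Object deserializeAllowingOnly(byte[] data, String... classNames)
            throws IOException, ClassNotFoundException {
        Set<String> allowed = new HashSet<>(Arrays.asList(classNames));
        try (AllowlistObjectInputStream in = new AllowlistObjectInputStream(data, allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a plain Date, the only type this endpoint expects.
        // Date serializes as a single long, so the stream carries just one class descriptor.
        byte[] expected = serialize(new Date(0L));
        Object ok = deserializeAllowingOnly(expected, "java.util.Date");
        System.out.println("accepted: " + ok.getClass().getName());

        // Constructed unexpected input: a GregorianCalendar, whose stream would pull in
        // further internal classes the endpoint never asked for. The allowlist rejects
        // it at the first class descriptor, before any of its readObject() code runs.
        byte[] unexpected = serialize(new GregorianCalendar());
        try {
            deserializeAllowingOnly(unexpected, "java.util.Date");
            System.out.println("BUG: unexpected type was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

The resolveClass override works on every Java version; from Java 9 onward the same idea is available as a built-in filter (ObjectInputFilter, settable per stream or JVM-wide). Either way this is a control an application applies to its own untrusted input; it does not patch a defect inside the platform's own classes, which is why the thread's advice to install the vendor update, or disable the browser plugin until one ships, still stands.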
Although written in pure Java, the exploit is OS-specific and therefore not cross platform. Since the Java community disapproves of non-cross-platform code, no real Java programmer would ever actually write code like that, and so there really is nothing to worry about :-)
Actually Java SE is not Java ME
The (untrue) assumption that many people seem to hold that Macs are just invulnerable to anything bad happening has finally spread to Apple itself, and they're the last to patch this exploit. Since a lot of Mac advertising used to be based on "Macs don't get Viruses" you'd think they'd have been the first to patch this to maintain their reputation.
Yes I know I'm probably going to get modded down immediately for saying this, but hell, it's the truth.
You can advertise in this sig from as little as £99.99 a month!
In addition to disabling Java support, Safari's 'Open "safe" files after downloading' must also be disabled to prevent websites from automatically loading a Java WebStart application via a JNLP file.
I've also posted a demonstration of the vulnerability at http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html
http://plausible.coop
The whipped cream mochafroppatopping might not be 100% organic? That's simply scandalous!
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
For the record, those running Firefox as their default browser, with NoScript installed, won't be affected* unless they *choose* to execute an unknown, untrusted binary within the browser.
*At least the sample exploit at the top of the thread didn't execute for me, YMMV
Some days it's just not worth
chewing through my restraints.
After meeting some Mac newbies I think I can already see the iceberg. Two are friends, one of which called me out of the blue to tell me that he just bought his first Mac (an iMac actually). Well, needless to say, I get calls from both since I am the "Mac expert" (read: I had one longer than them).
The simplest way to say it, they are more than happy to key in their password for anything that asks, even if they don't know what they are doing. After all, they are on a Mac, they don't have virus protection because it doesn't need it, so how is something bad going to get on the system. These are not normally dense people, well maybe they are proving me wrong.
So I figure that someone out there will rely on this type of stupidity to get key loggers, bots, and the like, on Macs. The number of people out there who buy one because they think it makes them cool or smart cannot be underestimated.
I do know one of these two did ditch firefox because they didn't like clicking the ad-block button to allow some sites. So it is just a matter of time.
(and no, I do not run an AV or worry about it on either of my Macs)
* Winners compare their achievements to their goals, losers compare theirs to that of others.
So it can arbitrarily execute Java code in a browser. Well, hold on, aren't browser VMs rather crippled anyway in their functionality? And that's after you take into account it'll only have the privileges of whichever user launched the browser in the first place. So what exactly could you do with this exploit? Steal some cookies, bring up some annoying windows? Or is this about it being able to escape the sandbox? I don't really get it.
No one uses client side applets.
If they (Apple) would like to fix it, they would have fixed it long ago. They have a lot of money and all the developers a company could dream of. The problem is there is no longer a love affair between Apple and Java. It's finished. Game over. Stop. It was not fixed because it's ok to be that way ... yes.
You know that guy doesn't have a middle measure.
Steve thinks Java is dead on the desktop and my opinion is ... he is right.
Java is outperformed on the desktop side by C# (windows) and Objective-C (Mac) the others doe$n't count.
On the Web development side Apple is investing on Ruby.
Java is just Enterprise and enterprise is a no-market for Apple.
Apple is going to support Java on Mac OS X less and less every day.
If you really want Java, switch platform (and don't go Windows, because the war between MS and Oracle is just starting), and if you are a Ruby developer the way to go is Mac.
Java is Oracle, and by running Java you do a favor for Sun-Oracle.
Apple and Microsoft will become a bit nasty about it.
It's all about surviving in the future. It's not a joke and no, doing what the customers say is not always the right thing to do. In my opinion Steve is right about it.
Steve Jobs, JavaOne Keynote 2000:
WWDC 2006
Steve Jobs, January 2007 (iPhone related):
2008/05/01
As we know from that one Mac vs. PC commercial, Macs don't get viruses. And if something is invulnerable to viruses, it has no flaws of any kind. Implying that Macs have a Java flaw implies they can get infected, correct? Which means they can get viruses, which obviously cannot be true, if that Mac Genius, Megan commercial is correct.
CERT has been telling users to disable Java in your web browser for years. If you haven't done so already, give it a shot. You probably won't miss it.
http://www.cert.org/tech_tips/securing_browser
There are fixes for every other platform apart from OSX, so yeah, it's solely an OSX vulnerability at the moment.
If I understand it correctly, all Java implementations have this flaw, so why write that it is a "MacOS vulnerability" and not "Java vulnerability"?
Because by now, all others are fixed, and the vulnerability remains only in Apple's Mac-specific version of Java.
So Apple fixed some things back in February, but I can't tell if they fixed them all.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
So MacOS X users, please disable Java in your web browser.
Others: make sure you have updated Java and still disable it in your web browser: it's a huge attack surface and it suffers from many other security vulnerabilities.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
Seems unfair to me to single out the Mac, especially in a topic headline call-out. The rest of the story clearly states that the issue affects every platform running Java. Just more hate, I guess.
Speaking of liking only one version of the JVM, I worked for a CLEC (a small phone company) that had to interface with the RBOC (The Phone Company - SBC/AT&T) via a Java application for provisioning phone numbers and the like. The application ran on a specific version of Java 1.4.2 (like j2re_1.4.2_01 or something), and the JVM had to be patched by SBC software so that the application would run. The name escapes me... Oddly enough, I think LENS (Bell South's Java interface application) used the exact same version of the JVM. And this was before there was even talk of them merging.
Apple took more than a year after Sun patched it to patch an exploited buffer overflow in the JVM. They'll take forever to fix this too.
Maybe I am the one that's confused on this. Apple always promotes no viruses, but they do have vulnerabilities. Now am I wrong in thinking a vulnerability is just a hole in their code for potential viruses? How come according to their commercials they have no viruses, yet Apple's website sells anti-virus software? If they don't have problems, how come there are special Apple repair centers? I don't know, maybe I'm missing something here, especially seeing as I'm pro PC. Apple's remarks just don't make sense to me.
"Apple" just seems to be an excuse for people to look at webpages they shouldn't be looking at in the first place, and feeling safe about not getting a virus.
I use Windows Vista and XP Media Center. I do not have issues; the PC runs fast for what I want it to do. I don't have an anti-virus and I don't have problems either.
You mean to tell me that little dude with the big nose and bowl haircut on the Mac commercial misled me... and poor Megan chose the wrong guy? Oh no.
Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update.
That's nice and all, but what about someone like me who only has access to a Mac at work? There's a site our company uses that doesn't play nice with Firefox, so we're forced to use Safari for that site.
I use FF for everything but that site. Unfortunately, most people in my department are too stubborn to switch from Safari being the Apple luddites they are, so they use it for all of their browsing needs.
I would love to disable this, but my school uses something called Blackboard: http://blackboard.com/ , a lot of which is based on Java (uploaders, etc.), and I use it quite often. I'm out of school in a day, so I guess I'll turn it off then, but I hope Apple fixes this before I have to go back to school.
If Microsoft didn't write crappy code, this kind of thing just wouldn't happen!
Wait...Apple? Sun? How can that be?
I'm not sure who has a bee in their bonnet, but these down mods are absolutely ridiculous.
Also, just because a patch has been released doesn't mean everyone has updated to it... especially home users.
Apple don't need to fix the vulnerability. *Everyone* knows that you don't get viruses or malware on Macs!
try the 'say' invoking applet by Landon Fuller:
http://is.gd/BpBp. That scared the crap out of me... what if it had invoked 'rm -rf ~'?
You would restore from your Time Machine backup, or the off site clone that you created with Carbon Copy Cloner or SuperDuper! (or rsync).
Backing up OS X is dead simple (it's mostly POSIX-compliant underneath); there's no reason not to do it.
You gotta expect that when you hang out near a vol -- Oh, 'scuse me, it's Java flaw, not lava flow. My bad.
rj
I'd like to disable Java but I work at a school district where...
- Our Internet filter keeps you authenticated with a popup that embeds a Java applet
- Our Internet filter admin interface is Java
- Our wireless network login uses a Java applet to authenticate your username and password
- Our student record database runs on Oracle with a Java interface
Basically if I disabled Java I could only access one or two superfluous file servers on the LAN, and only using an Ethernet cable. Not gonna happen, unfortunately.
[X] TOLD
Unfortunately, the only patches for user stupidity are illegal. If you get caught.
OS-X has a pretty good balance between honestly trying to protect the user from doing stupid things and implementing a Vista-esque approach (i.e. so draconian that users find a way to turn it off entirely). You get asked for a password whenever something needs root equivalence.
But that's not going to help people who will do anything to see the dancing squirrels...
We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
...unless you're needing to attach to a Citrix desktop, where you need Java, Active X, or a client installation. And given the love for Microsoft by most Mac users... it's either Java (dynamic), or the (somewhat plodding) installed Citrix client.
46. The Hobo smiles, his eyes glaze over, and he burps. "Beware the man who has lived longer than the Wasteland."
What makes me laugh is that the Mac fanbois are so determined to never hear a bad word about their chosen God^H^H^HOperating System that they immediately turn the whole discussion thread on its head and say "well MS invented ActiveX, and it's the suckzorz".
Would you mind linking to that post? I must have missed it, maybe because it doesn't exist or has been modded down so far.
However, one of JAVA's great selling points was "it's secure because it runs in a sandbox". And over the years we've discovered the sandbox has not one, but several big fucking holes in the bottom.
JVMs have never been well implemented to actually provide the security features originally conceived. Security never became a priority largely because Java has never been a very big hole compared to all the others in modern OS's.
And now, because every other vendor has patched, and OSX is waiting presumably to fleece their users for another $150 with the next version before patching...
Please learn what you're talking about. Apple has a very good record of backporting security fixes for free. When they get around to fixing this hole I'm sure they will include it in a security update for the last three or four versions of OS X, like they always do, regardless of if you pay for Leopard.
And of course "we don't need antiviruses, because we run Macs".
If you've found in the wild propagating viruses for the Mac that would make antivirus software useful, please post it. It's a much bigger story than this one.
(Expecting to get modded into oblivion with this one, but what the hell, my karma can handle it).
Rightfully, you will be modded down for posting inflammatory nonsense like this. Seriously, there is plenty of space for valid criticism of Apple here. Why do ignorant twats like yourself have to go off with your uninformed rants and strawman attacks? It's just sad you have to make crap up instead of sticking to the facts and providing a rational and well deserved criticism of Apple's failure to fully patch and publish clear documentation on their lackluster Java support and lack of attention to security on the project.
But the Mac guy on the TV ads told me only PC's ever have security flaws!
Tools -> Preferences
Now, under the tab "Content", pick "Content" in the list on the left. You'll see options to disable plug-ins, java, and multiple other things.
The problem is that Java had security issues, but they were not ones that were focused on by malware writers until recently. There were other exploits that were easier to find and use to add more members to a botnet. However, this has changed with Vista and Windows 7. Vista has a lot of under the hood security features (ASLR is just one), and because the attack surface of an average Windows machine is getting smaller, the black hats are moving outwards from the OS to Web based plugins which can get their software running at least with user access, perhaps as Administrator or LocalSystem if someone has XP, or has UAC disabled.
Essentially what JVMs need is a second layer of protection, where anything that escapes doesn't get the access of the user it's running under. This means (to use a random analogy) not just lining the sandbox with thick metal plating so stuff doesn't escape, but having a camera watching what things are doing in the sandbox to catch exploits proactively. The best way to do this is to take a hypervisor-like approach to JVMs. This means isolating the process that runs the Java machine in a low privilege mode if on Windows, like how IE is done on Vista and newer, or an OS-created jail on BSD variants, so if the worst does happen and a process does escape the sandbox, the damage it can do will be very limited. However, the more isolation, the less performance, and Java got a bad rep for poor performance initially, although this was mitigated by JIT environments and other improvements.
Of course, this won't help things if a signed java application (as opposed to an applet) is malicious, but installing a Java application that is intended not to be in a sandbox falls under the umbrella of watching where one gets executables from, and making sure signatures (either the Java signed files, or PGP/gpg sigs) are valid.
I guess some lobby at Apple OS division is partying because of people turning off java in browsers or trying to remove it from OS X (which I suggest to switchers: don't. Impossible to restore).
Isn't it the reason we don't have Java 6 for PPC (32-bit doesn't matter on PPC_64), or Java developers use OS X as an "If it works here, it will work anywhere" platform? Apple's treatment of Java and especially PPC really tells me a lot about how to take them seriously in workstation scenarios.
BTW, if one can trick the system into thinking JAVA_HOME is some place else (which should be /dev/null?) with some script, the entire Java (including) will be disabled/broken naturally. I mean, just a guess. I can't find it in BASH btw; when you type "set" and press enter, nothing resembling Java appears. Another .plist to hack with plutil?
A company which makes it impossible (don't ask me, ask Sun) to code/ship a OS X replacement of it with full support to their GUI framework (quartz) declines to fix a public flaw in a framework.
Read the story as it is, minus Java, or replace Java with PERL. It will be easier to figure out who is at fault and who to flame if you really want to.
I am almost sure that idiot or team of idiots declines to ship Java 6 to PPC or ignoring a major security flaw are really happy when you flame Java instead of them. About the impossibility of coding/packaging OS X native, multi CPU Java? Not so sure about it but it seems to be the case. Or... Sun is happy that their Framework and the users of their Framework is conspired by Apple and they enjoy putting up competitions to their born dead fantasies like Java FX instead? It seems the second is true since I don't think MS really shared Windows internals with them to code one of the best performing/compatible JRE on Windows.
Sun, clean up this mess. Or Oracle: Fire the geniuses relying to Apple to fix Java. Whatever...
Using JVM for corporate practices is so lame? Java is _really_ multiplatform if coded right. Even huge desktop apps like Vuze having dozens of functions can run unmodified on any platform/cpu which has nothing to do with each other.
If you hate the use of binary/virtual code in Web apps, your target should be one slow-moving organisation, infested by large corps and ideological fanatics, that doesn't give them the standards they need. Did they sit with a large corporation one day, e.g. IBM, and ask them "Why do you use IE 6/ActiveX/JVM for this?" pointing to some terminal? Did they listen to their answer and implement the functionality needed by such large corporations?
For example, we flame CmdrTaco and /. coders for not following their standards and having an amazing count of W3C errors, but we never ask them or investigate why they have to break standards. Could it be because standards don't practically give the functionality they AND advertisers need?
Or... their current work is finding a way to replace embedded Flash for videos, which has (sadly) become a de-facto, impossible-to-replace standard until they thought about it. They somehow gained the support of a true mobile giant, Nokia, but went into a huge fight with them over some codec/political issue. Now there is another issue with Apple, who is way too paranoid about their stuff being stolen by another company (MSFT), and without speaking to them, they wrote an open letter or something. That is the one thing you shouldn't do to Apple. As a result, what do people actually packaging/encoding videos do? Well, I have an h264 pro encoder and pro Flash packager on my shopping list.
Mac OS X Users Vulnerable To Major Lava Flow
What the hell does operating system choice have to do with vulnerability to very high temperatures?
I tried apt-get remove volcano, but there was no such package. It appears I'm screwed too :(
Funny, I thought timely and accurate patches to the bits of software they want to control and distribute. It is nice that third-parties want to help, and distribute packages built for Java, but hey Apple - I thought I was paying you guys already to do this? How's about getting one of the twenty developers off the 'evil DRMs' project, and onto the seemingly understaffed 'basic patches' project?
*A*
Looks like we have an new ending for Elimination:
http://www.apple.com/getamac/ads/
Megan: "I just need something that works without a ton of crashes, viruses, or headaches."
PC: "Ah finally, we're even. Hi I'm a PC."
Megan: "Hi. I'm a Megan."
I've gotten very comfortable with the total lack of malware affecting my Mac, but I am not under the illusion that this will last for ever (in fact, I recall cleaning out a WDEF infection out of System 6 many moons ago). For this reason, I run Firefox with Noscript and Adblock; and my user account is not admin enabled.
Neither of these really cripples the system's usability; blocked content is only ever a few clicks away, and I find I don't miss wasting all the bandwidth. My account privileges chiefly mean that I don't have write access to /Applications, but since 10.4 or thereabouts I am prompted to enter the admin user/pass.
Secure computing and browsing is possible on a Mac, even given Apple's lackadaisical approach to updates, thanks to free software like NoScript. If anything, this is the message here.
Look, if I have to read another stupid article claiming that there's a security hole if I happen to be running a specific version of some software, while standing on my head, chewing gum, and reciting the ten commandments I'm just going to go insane. Like there's some black hat spy out there waiting for me to run a java app so he can break into my mac and take it over. Seriously, computer security is a waste of time, unless *you actually have data somebody wants and is willing to commit a federal crime to get*. My guess is that's about 2% of the slashdot community. Mac owners, don't panic. Your essays, pictures of your dog, and your cracked version of CS4 are all safe from the terrorists no matter how many security flaws there are in Java.
Apple's support of Java on the client is great! They ship Java with every computer they sell. Swing applications look great on OS X. The Apple Look and Feel is great. They do tend to be a little slow with upgrading to the latest version of Java, but the version they do support works well and is optimized for OS X. Want Apple to put more effort into upgrading Java, then start writing more Java applications for the client and start using OS X to host more JEE applications. I for one am happy that they ship a version with every copy of OS X. If I ever need JDK 6, I'll buy a new Mac or run the Open JDK.
As for this vulnerability, it would be nice for them to fix the issue. It seems like a small risk for most users as applets are not so popular. Remember you need to visit the page that has the malicious applet. It's also kind of funny that the people most upset about this rather obscure vulnerability are increasing its visibility by actually implementing it and putting it out there for everyone to get their hands on.