Slashdot Mirror


Mac OS X Users Vulnerable To Major Java Flaw

FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."


  1. Java and not javascript by GreatDrok · · Score: 5, Informative

    I've disabled Java in Safari and doubt I'll see any difference since so few sites use Java applets these days. This is of course unrelated to Javascript which is much more disruptive when disabled.

    --
    "I have the attention span of a strobe lit goldfish, please get to the point quickly!"
    1. Re:Java and not javascript by Serious+Callers+Only · · Score: 4, Informative

      I've had Java disabled for years, and have only ever had to enable it for broadband speed test applets. Aside from that, and some upload plugins (though that's mostly flash or AJAX nowadays) client-side java just isn't used much on the web anymore.

      I doubt you'll notice the difference.

    2. Re:Java and not javascript by DrXym · · Score: 4, Informative
      Sites don't directly use Java but there are plenty of JNLP style apps. Also, JavaFX *may* spark some kind of mini-resurgence which means more sites use Java for video playback or random other things.

      I say may because Flex / Flash is pretty embedded and Microsoft is moneyhatting its way into the scene. Sun doesn't have money, so it's almost a charity case at this time, relying on good will from mobile phone companies and Java devs.

      Anyway, Apple's "support" of Java is pretty pathetic. They're usually a year or more behind the curve and it's not acceptable.

    3. Re:Java and not javascript by RevRagnarok · · Score: 5, Informative

      I've had Java disabled for years, and have only ever had to enable it for broadband speed test applets.

      Then you are very lucky, and likely don't work for a ginormous company whose only way to not make things in ActiveX is to make them in Java. My timesheet program = Java. My Expense Report software = "Extensity" which seems to only like one version of the JVM. Lucky you!

      --
      I should put something clever here. Maybe someday.
    4. Re:Java and not javascript by esme · · Score: 4, Informative

      It looks like OpenJDK now runs on MacOSX:

      http://landonf.bikemonkey.org/static/soylatte/

    5. Re:Java and not javascript by EthanV2 · · Score: 5, Informative

      Though I'm not sure why this whole discussion is under the title "Mac OS X users vulnerable..." when as the submission says the issue affects everybody. Other than to start yet another boring FUD/flamebait war, of course.

      Maybe it's because everybody else has patched it

      FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple.

    6. Re:Java and not javascript by BrokenHalo · · Score: 5, Informative

      It looks like OpenJDK now runs on MacOSX:

      It does, but only with X11.

    7. Re:Java and not javascript by Cthefuture · · Score: 2, Informative

      The result? PPC Macs are stuck on Java 1.5; Intel Macs have outdated, slow, and exploit vulnerable Java 1.6...

      Not only that but the Java "1.6" they support isn't the full version, it's missing all sorts of APIs that are in the Sun version.

      I'm not a huge Java fan but I wish Apple would step up their Java support. I hear rumors that Snow Leopard will contain the full Java 1.6 from Sun.

      --
      The ratio of people to cake is too big
    8. Re:Java and not javascript by obijuanvaldez · · Score: 3, Informative

      The funniest thing about large companies using web-apps for internal software is that most of them produce web-apps which depend on technology which is not truly cross-platform (Active-X, using a certain JVM, depending on a certain browser, etc), thus removing most of the business benefit of using a web application in the first place.

      Your experience may be different from mine, but the driving motivation behind using web applications for internal software has nothing to do with being cross platform but rather to do with ease of deployment. The business has a pretty tight control over what platforms are being used, they don't need to cater to any platform they haven't put in place. The real business benefit is not having to send out IT people to update each and every client machine for every update to the software.

    9. Re:Java and not javascript by TurboNed · · Score: 2, Informative

      If anything is misleading, it's the "100% reliable" part. It's only 100% reliable against unpatched JVMs. Everybody else has patched their JVM except Apple.

    10. Re:Java and not javascript by Kz · · Score: 2, Informative

      If anything is misleading, it's the "100% reliable" part.

      that's a quote from the time the flaw was discovered. the news today is that Apple is the only one still vulnerable.

      --
      -Kz-
    11. Re:Java and not javascript by foo+fighter · · Score: 3, Informative

      Apple decided that they'd be better than Sun at creating a JVM for their OS, so they did it themselves.

      That might have been the initial reason. Maybe.

      But Apple really, really wants developers to use Objective-C and Cocoa when they are creating software for OS X. From Apple's strategic perspective, why support an alternative platform (and Java is an alternative platform) that doesn't lead to great Mac software, especially great Mac-only software.

      And about that agreement between Sun and Apple that keeps Sun off OS X: now that Java is open sourced, what is keeping the community from creating and releasing an OS X-native client?

      --
      obviously no deficiencies vs. no obvious deficiencies
    12. Re:Java and not javascript by nxtw · · Score: 3, Informative

      It does, but only with X11.

      AWT/Swing may be limited to X11, but SWT applications can still use Carbon (or Cocoa using the in-development version.)

  2. Instructions for turning off Java... by Anonymous Coward · · Score: 5, Informative

    In case you don't have OS X but want to pass on the instructions to relatives, etc:

    In Safari (version 4 beta):

    Safari->Preferences->Security->Web Content: Enable Java (uncheck)

    In Firefox (3.5 beta, probably the rest):

    Firefox->Preferences->Content->Enable Java (uncheck)

    I don't have any other browsers (opera, different versions, etc.) on hand, but it might be nice to add instructions in a reply...

    1. Re:Instructions for turning off Java... by mbone · · Score: 1, Informative

      In Opera

      Preferences > Advanced > Content > Enable Java (uncheck) > OK

    2. Re:Instructions for turning off Java... by Ash-Fox · · Score: 2, Informative

      It would be nice if there was a way to disable it for all sites but blah.com

      Try Noscript.

      --
      Change is certain; progress is not obligatory.
    3. Re:Instructions for turning off Java... by hplus · · Score: 2, Informative

      The question I would have is that does Javascript on OSX have the same vulnerabilities?

      No.

      Java:Javascript::Ham:Hamburger

    4. Re:Instructions for turning off Java... by Anonymous Coward · · Score: 1, Informative

      The question I would have is that does Javascript on OSX have the same vulnerabilities?

      Why would it? JavaScript and Java are two completely distinct languages.

  3. Re:why specify Mac OSX by Draek · · Score: 5, Informative

    If you had read the very first paragraph of the summary, you'd know that it's "a vulnerability in Java that has been patched by everyone but Apple."

    For all the other platforms, architectures and browsers the fix is "use a version of Java that's less than 6 months old". For OSX users, however, the only solution is to stop using it altogether.

    --
    No problem is insoluble in all conceivable circumstances.
  4. Pick and choose your quotes much? by Animaether · · Score: 3, Informative

    Very well...

    I choose this one...
    FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple.

    So essentially... All Apple users who have left JAVA enabled, and all -other- users who have not yet patched their JAVA installations. Yes, that does include Microsoft Windows, flavor-of-the-month Linux, etc. users who decided to disable auto-updating - if any - of their JAVA installation.

  5. Re:Now patched? by Anonymous Coward · · Score: 1, Informative

    http://support.apple.com/kb/HT3437

  6. Re:Why am I not surprised? by MobyTurbo · · Score: 4, Informative

    You've kinda just proven the OP's point. Snow Leopard is just prettying up what already exists.

    Snow Leopard is mainly a beneath-the-hood architectural upgrade. http://www.apple.com/macosx/snowleopard/ "Taking a break from adding new features..."

    That having been said, there's nothing on there about added security. I can tell you there are some rumors that things like more complete code page protection and address randomization will be in Snow Leo, but Apple's priorities concerning security are rather low; they rely heavily on security-through-obscurity, and one day if they're not careful it's going to bite them.

  7. Also disable Safari's 'Open"safe" files. by landonf · · Score: 4, Informative

    In addition to disabling Java support, Safari's 'Open "safe" files after downloading' must also be disabled to prevent websites from automatically loading a Java WebStart application via a JNLP file.

    I've also posted a demonstration of the vulnerability at http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html

    --
    http://plausible.coop
  8. Re:Now patched? by landonf · · Score: 4, Informative

    No patch is currently available -- a fully patched 10.5.7 system remains vulnerable. See also http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html

    --
    http://plausible.coop
  9. Re:Design or implementation flaw? by Draek · · Score: 4, Informative

    This, gotten from the comments at TFA, has a bit more details on it.

    Apparently it's a mix of both, a structural problem with the fact it needs to grant the Calendar class special privileges to access ZoneInfo objects, and merely a common pitfall in that nobody had thought to limit those privileges before to *just* accessing the calendar.

    Beautiful stuff they used in the exploit, though, it's as if they actively tried to use every OOP-derived feature in Java on it at the same time ;)

    --
    No problem is insoluble in all conceivable circumstances.
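The pattern the comment above describes, as an added example that is not code from this page or from the JDK: a simplified Java model in which a class (a hypothetical `Appointment`, standing in for `Calendar`) needs privilege to rebuild one field (a hypothetical `Zone`, standing in for `ZoneInfo`) from a serialized stream. The vulnerable reader deserializes the untrusted bytes under its own full privileges; the hardened reader runs the same read under an `AccessControlContext` holding only the single permission the lookup needs, which is the shape of the upstream fix. The `activeGrant` string is instrumentation for the demo, not something the JVM reports, and all class names are assumptions.

```java
import java.io.*;
import java.security.*;

public class PrivilegedDeserialization {

    /* The only kind of object the privileged block is meant to reconstruct
     * (hypothetical stand-in for ZoneInfo). */
    static final class Zone implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Zone(String id) { this.id = id; }
    }

    /* Instrumentation only: what the enclosing doPrivileged block is allowed to do
     * while a nested object is being read. The readers below set it themselves. */
    static String activeGrant = "none (reading outside doPrivileged)";

    /* Attacker-controlled class placed in the stream where a Zone was expected.
     * Serialization constructs it and runs its readObject before the reader's
     * instanceof check or cast ever executes. */
    static final class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        static String observed;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            observed = activeGrant; // a real payload would define a class with AllPermission here
        }
    }

    /* Vulnerable pattern: the untrusted read runs under the reader's full privileges,
     * and the type check comes only after the nested object has already executed. */
    static final class Appointment implements Serializable {
        private static final long serialVersionUID = 1L;
        transient Object zone;
        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeObject(zone);
        }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            Object read;
            try {
                activeGrant = "everything Appointment's protection domain holds";
                read = AccessController.doPrivileged((PrivilegedExceptionAction<Object>) in::readObject);
            } catch (PrivilegedActionException e) {
                throw new IOException(e.getCause());
            } finally {
                activeGrant = "none (reading outside doPrivileged)";
            }
            if (!(read instanceof Zone)) throw new InvalidObjectException("expected Zone"); // too late
            zone = read;
        }
    }

    /* Hardened pattern: the privileged block is bounded to the one permission the
     * Zone lookup needs, so a substituted object gains nothing it did not already have.
     * The type check stays as a second line of defence. */
    static final class SafeAppointment implements Serializable {
        private static final long serialVersionUID = 1L;
        private static final AccessControlContext ZONE_ONLY;
        static {
            Permissions p = new Permissions();
            p.add(new RuntimePermission("accessClassInPackage.sun.util.calendar"));
            ZONE_ONLY = new AccessControlContext(new ProtectionDomain[] { new ProtectionDomain(null, p) });
        }
        transient Object zone;
        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeObject(zone);
        }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            Object read;
            try {
                activeGrant = "only accessClassInPackage.sun.util.calendar";
                read = AccessController.doPrivileged((PrivilegedExceptionAction<Object>) in::readObject, ZONE_ONLY);
            } catch (PrivilegedActionException e) {
                throw new IOException(e.getCause());
            } finally {
                activeGrant = "none (reading outside doPrivileged)";
            }
            if (!(read instanceof Zone)) throw new InvalidObjectException("expected Zone");
            zone = read;
        }
    }

    /* Attacker side: build a stream with a Payload where the reader expects a Zone. */
    static byte[] craft(Serializable outer) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(outer); }
        return bytes.toByteArray();
    }

    static void feed(byte[] stream, String label) throws Exception {
        Payload.observed = "(did not run)";
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            in.readObject();
        } catch (InvalidObjectException e) {
            System.out.println(label + ": rejected type, but payload already ran with grant: " + Payload.observed);
        }
    }

    public static void main(String[] args) throws Exception {
        Appointment a = new Appointment();
        a.zone = new Payload();
        feed(craft(a), "vulnerable reader");
        SafeAppointment s = new SafeAppointment();
        s.zone = new Payload();
        feed(craft(s), "hardened reader");
    }
}
```

Both readers reject the substituted object, but only after its `readObject` has run; the difference is what that code could do in the meantime. On a modern JDK `AccessController` compiles with deprecation warnings, and the bounded-context trick only has teeth when a SecurityManager is installed, which is exactly the applet situation the thread is about.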
  10. Re:Now patched? by oDDmON+oUT · · Score: 3, Informative

    Nope. Patched to 10.5.7, with all updates, and the sample exploit would still run. Of course I use FF with NoScript so I had to allow it to run, which just goes to show that sometimes faster is not better

    --
    Some days it's just not worth
    chewing through my restraints.
  11. apple letting down java users.. by Anonymous Coward · · Score: 5, Informative

    Steve Jobs, JavaOne Keynote 2000:

    "We want to bring Java back to the desktop in a really big way. I'm here today to personally tell you we are working hard to make Mac the best Java delivery vehicle on the planet. The biggest thing we are doing is we are going to bundle Java 2 SE into every single copy of Mac OS X that we ship later on this year."

    WWDC 2006

    When is the next Java coming? We are following Sun's releases of Java SE 6 betas and other Java updates very closely.

    Steve Jobs, January 2007 (iPhone related):

    "Java's not worth building in. Nobody uses Java anymore. It's this big heavyweight ball and chain..."

    2008/05/01

    Apple (finally!) releases JDK 6 with 64 bit support only. Most apps won't run due to the lack of cocoa 64 bit libraries. 1 y/old notebooks left in the cold without 64bit support.

  12. Re:Why am I not surprised? by MobyTurbo · · Score: 2, Informative

    Snow Leopard is mainly a beneath-the-hood architectural upgrade.

    Then how are they planning to market it to the Great Unwashed? They're never going to persuade the fan-base to shell out dollars and cents if they can't see something new and shiny.

    All of those people with Macbook Airs (no pun intended) and any upcoming Apple netbook whose systems could use a more svelte OS would be in the market for it. Think Vista vs. Windows 7, except less of a difference in speed and interface. If you don't believe me, check out the site I linked earlier - Apple's own marketing copy says the new features are on "pause" and the feature of Snow Leo is performance and smaller footprint.

  13. Re:There is no reason to have Java enabled by Ash-Fox · · Score: 4, Informative

    CERT has been telling users to disable Java in your web browser for years. If you haven't done so already, give it a shot. You probably won't miss it.

    First things I noticed after disabling it, restarting Firefox with my saved tabs:

    • Can't use my bank anymore
    • Citrix from the web doesn't work
    • Akamai download manager doesn't work
    • Website IRC chat no longer works
    • Dragon court no longer works

    At this point I got annoyed and turned Java back on.

    --
    Change is certain; progress is not obligatory.
  14. Same "Stuff", Different Vulnerability by sqlrob · · Score: 2, Informative

    Apple took more than a year after Sun patched it to patch an exploited buffer overflow in the JVM. They'll take forever to fix this too.

  15. Re:Why am I not surprised? by singularity · · Score: 4, Informative

    Yeah, this page listing all of the security patches in every Apple update must surely not exist. You know, complete with links to knowledge base articles containing links to the CVE-IDs patched by that particular patch.

    Posts like yours are the reason that Slashdot needs a "-1, Factually Incorrect" moderation.

    I agree that Apple should have patched this a long time ago, but your argument that Apple does not care about security is just plain asinine.

    --
    - (c) 2018 Hank Zimmerman
  16. Re:Oh I don't know... by jimicus · · Score: 4, Informative

    As an agriculture monoculture, PCs were an easy infection target because of their uniformity and number. I wonder if, in an imaginary world where Win, Mac & Linux were split 30/30/30, you would still see 1/3 of the Windows malware? Hopefully not. Hopefully it'd be less.

    I hate to break it to you but I remember the days when there was no Windows monoculture and data was usually passed with floppy disks.

    Malware existed on all common desktop platforms back then. It couldn't spread as fast, but it certainly existed.

  17. Re:So how much damage can this do? by DrgnDancer · · Score: 2, Informative

    Actually virtually no Mac users run as "admin", they run on admin enabled accounts, but those accounts require you to enter your password (either in the GUI, or in sudo depending on the function) to perform any admin tasks. It's actually a bit of a chore to log in as "root" on a Mac, it's a disabled account by default. Trivial for an experienced Unix user or admin to get in and activate it, but in theory that's not our worry here. My last couple of Macs I reactivated root, but on my most recent one I decided it was silly and use sudo when I need root access.

    Having said that, you can still do plenty of damage as a "regular" user. I'd hate to lose my home directory, it contains more or less everything I use day to day. It's backed up, but I doubt everybody's is (Though Time Machine makes it pretty easy, so maybe more people have backups than I think)

    --
    I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.