Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mac OS X Users Vulnerable To Major Java Flaw

Posted by kdawson on from the write-once-own-everyone dept.

FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."

17 of 306 comments (clear)

  1. Java and not javascript by GreatDrok · · Score: 5, Informative

    I've disabled Java in Safari and doubt I'll see any difference since so few sites use Java applets these days. This is of course unrelated to Javascript which is much more disruptive when disabled.

    --
    "I have the attention span of a strobe lit goldfish, please get to the point quickly!"
    1. Re:Java and not javascript by Serious+Callers+Only · · Score: 4, Informative

      I've had Java disabled for years, and have only ever had to enable it for broadband speed test applets. Aside from that, and some upload plugins (though that's mostly flash or AJAX nowadays) client-side java just isn't used much on the web anymore.

      I doubt you'll notice the difference.

    2. Re:Java and not javascript by DrXym · · Score: 4, Informative
      Sites don't directly use Java but there are plenty of JNLP style apps. Also, JavaFX *may* spark some kind of mini-resurgence which means more sites use Java for video playback or random other things.

      I say may because Flex / Flash is pretty embedded and Microsoft is moneyhatting its way into the scene. Sun doesn't have money so its almost a charity case at this time, relying on good will from mobile phone companies and Java devs.

      Anyway, Apple's "support" of Java is pretty pathetic. They're usually a year or more behind the curve and its not acceptable.

    3. Re:Java and not javascript by RevRagnarok · · Score: 5, Informative

      I've had Java disabled for years, and have only ever had to enable it for broadband speed test applets.

      Then you are very lucky, and likely don't work for a ginormous company whose only way to not make things in ActiveX is to make them in Java. My timesheet program = Java. My Expense Report software = "Extensity" which seems to only like one version of the JVM. Lucky you!

      --
      I should put something clever here. Maybe someday.
    4. Re:Java and not javascript by esme · · Score: 4, Informative

      It looks like OpenJDK now runs on MacOSX:

      http://landonf.bikemonkey.org/static/soylatte/

    5. Re:Java and not javascript by EthanV2 · · Score: 5, Informative

      Though I'm not sure why this whole discussion is under the title "Mac OS X users vulnerable..." when as the submission says the issue affects everybody. Other than to start yet amother boring FUD/flamebait war, of course.

      Maybe it's because everybody else has patched it

      FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple.

    6. Re:Java and not javascript by BrokenHalo · · Score: 5, Informative

      It looks like OpenJDK now runs on MacOSX:

      It does, but only with X11.

  2. Instructions for turning off Java... by Anonymous Coward · · Score: 5, Informative

    In case you don't have OS X but want to pass on the instructions to relatives, etc:

    In Safari (version 4 beta):

    Safari->Preferences->Security->Web Content: Enable Java (uncheck)

    In Firefox (3.5 beta, probably the rest):

    Firefox->Preferences->Content->Enable Java (uncheck)

    I don't have any other browsers (opera, different versions, etc.) on hand, but it might be nice to add instructions in a reply...

  3. Re:why specify Mac OSX by Draek · · Score: 5, Informative

    If you had read the very first paragraph of the summary, you'd know that it's "a vulnerability in Java that has been patched by everyone but Apple."

    For all the other platforms, architectures and browsers the fix is "use a version of Java that's less than 6 months old". For OSX users, however, the only solution is to stop using it altogether.

    --
    No problem is insoluble in all conceivable circumstances.
  4. Re:Why am I not surprised? by MobyTurbo · · Score: 4, Informative

    You've kinda just proven the OP's point. Snow Leopard is just prettying up what already exists.

    Snow Leopard is mainly a beneath-the-hood architectural upgrade. http://www.apple.com/macosx/snowleopard/ "Taking a break from adding new features..."

    That having been said, there's nothing on there about added security. I can tell you there are some rumors that things like more complete code page protection and address randomization will be in Snow Leo, but Apple's priorities concerning security are rather low; they rely heavily on security-through-obscurity, and one day if they're not careful it's going to bite them.

  5. Also disable Safari's 'Open"safe" files. by landonf · · Score: 4, Informative

    In addition to disabling Java support, Safari's 'Open "safe" files after downloading' must also be disabled to prevent websites from automatically loading a Java WebStart application via a JNLP file.

    I've also posted a demonstration of the vulnerability at http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html

    --
    http://plausible.coop
  6. Re:Now patched? by landonf · · Score: 4, Informative

    No patch is currently available -- a fully patched 10.5.7 system remains vulnerable. See also http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html

    --
    http://plausible.coop
  7. Re:Design or implementation flaw? by Draek · · Score: 4, Informative

    This, gotten from the comments at TFA, has a bit more details on it.

    Apparently it's a mix of both, a structural problem with the fact it needs to grant the Calendar class special priviledges to access ZoneInfo objects, and merely a common pitfall in that nobody had thought to limit those priviledges before to *just* accessing the calendar.

    Beautiful stuff they used in the exploit, though, it's as if they actively tried to use every OOP-derived feature in Java on it at the same time ;)

    --
    No problem is insoluble in all conceivable circumstances.
  8. apple letting down java users.. by Anonymous Coward · · Score: 5, Informative

    Steve Jobs, JavaOne Keynote 2000:

    "We want to bring Java back to the desktop in a really big way. Iâ(TM)m here today to personally tell you we are working hard to make Mac the best Java delivery vehicle on the planet. The biggest thing we are doing is we are going to bundle Java 2 SE into every single copy of Mac OS X that we ship later on this year."

    WWDC 2006

    When is the next Java coming? We are following Sun's releases of Java SE 6 betas and other Java updates very closely.

    Steve Jobs, January 2007 (iPhone related):

    "Java's not worth building in. Nobody uses Java anymore. It's this big heavyweight ball and chain..."

    2008/05/01

    Apple (finally!) releases JDK 6 with 64 bit support only. Most apps won't run due to the lack of cocoa 64 bit libraries. 1 y/old notebooks left in the cold without 64bit support.

  9. Re:There is no reason to have Java enabled by Ash-Fox · · Score: 4, Informative

    CERT has been telling users to disable Java in your web browser for years. If you haven't done so already, give it a shot. You probably won't miss it.

    First things I noticed after disabling it, restarting Firefox with my saved tabs:

    • Can't use my bank anymore
    • Citrix from the web doesn't work
    • Akamai download manager doesn't work
    • Website IRC chat no longer works
    • Dragon court no longer works

    At this point I got annoyed and turned Java back on.

    --
    Change is certain; progress is not obligatory.
  10. Re:Why am I not surprised? by singularity · · Score: 4, Informative

    Yeah, this page listing all of the security patches in every Apple update must surely not exist. You know, complete with links to knowledge base articles containing links to the CVE-IDs patched by that particular patch.

    Posts like yours are the reason that Slashdot needs a "-1, Factually Incorrect" moderation.

    I agree that Apple should have patched this a long time ago, but your argument that Apple does not care about security is just plan asinine.

    --
    - (c) 2018 Hank Zimmerman
  11. Re:Oh I don't know... by jimicus · · Score: 4, Informative

    As an agriculture monoculture, PCs were an easy infection target because of their uniformity and number. I wonder if, in an imaginary world where Win, Mac & Linux were split 30/30/30, you would still see 1/3 of the Windows malware? Hopefully not. Hopefully it'd be less.

    I hate to break it to you but I remember the days when there was no Windows monoculture and data was usually passed with floppy disks.

    Malware existed on all common desktop platforms back then. It couldn't spread as fast, but it certainly existed.