Mac OS X Users Vulnerable To Major Java Flaw
FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."
FTFA, looks like what it allows is arbitrary execution of Java code. So it wouldn't be architecture-specific at all, unless you started using architecture-specific stuff in said code. If you've got the JVM to exploit, then you've got the JVM to run stuff on.
I'd really like to know if this was/is a flaw in the structure/design of the JVM or just happened to be some kind of pitfall every major JVM-implementor fell into.
The articles and bug reports are light on detail; I could only find out it is related to "Deserializing Calendar Objects" and allows the applet to execute stuff with the user's rights (or probably more correct, the rights of the web browser that started the applet), which sounds like an implementation problem to me. Was there some reference implementation all JVM-developers used for this specific functionality?
The (untrue) assumption that many people seem to hold that Macs are just invulnerable to anything bad happening has finally spread to Apple itself, and they're the last to patch this exploit. Since a lot of Mac advertising used to be based on "Macs don't get Viruses" you'd think they'd have been the first to patch this to maintain their reputation.
Yes I know I'm probably going to get modded down immediately for saying this, but hell, it's the truth.
You can advertise in this sig from as little as £99.99 a month!
For the record, those running Firefox as their default browser, with NoScript installed, won't be affected* unless they *choose* to execute an unknown, untrusted binary within the browser.
*At least the sample exploit at the top of the thread didn't execute for me, YMMV
Some days it's just not worth
chewing through my restraints.
After meeting some Mac newbies I think I can already see the iceberg. Two are friends, one of whom called me out of the blue to tell me that he just bought his first Mac (an iMac actually). Well needless to say I get calls from both since I am the "mac expert" (Read: I had one longer than them).
The simplest way to say it, they are more than happy to key in their password for anything that asks, even if they don't know what they are doing. After all, they are on a Mac, they don't have virus protection because it doesn't need it, so how is something bad going to get on the system. These are not normally dense people, well maybe they are proving me wrong.
So I figure that someone out there will rely on this type of stupidity to get key loggers, bots, and the like, on Macs. The number of people out there who buy one because they think it makes them cool or smart cannot be underestimated.
I do know one of these two did ditch Firefox because they didn't like clicking the ad-block button to allow some sites. So it is just a matter of time.
(and no, I do not run an AV or worry about it on either of my Macs)
* Winners compare their achievements to their goals, losers compare theirs to that of others.
So it can arbitrarily execute Java code in a browser. Well hold on, aren't browser VMs rather crippled anyway in their functionality? And that's after you take into account it'll only have the privileges of whichever user launched the browser in the first place. So what exactly could you do with this exploit? Steal some cookies, bring up some annoying windows? Or is this about it being able to escape the sandbox? I don't really get it.
I'm more inclined to let the company that specializes in that stuff deal with it - but then again, maybe it gave them much needed experience for their Rosetta technology
According to the Sun engineers I've talked to it all has to do with a really old license agreement between Apple and Sun that they can't change for now. Sun is forbidden to directly release Java for Mac OS X until the agreement expires or Apple decides to make a new agreement. The only practical solution they proposed was to use the BSD port of OpenJDK. You won't have the Aqua UI and I think you have to deal with X11, but you will have an overall better Java.
Speaking of liking only one version of the JVM, I worked for a CLEC (a small phone company) that had to interface with the RBOC (The Phone Company - SBC/AT&T) via a Java application for provisioning phone numbers and the like. The application ran on a specific version of Java 1.4.2 (like j2re_1.4.2_01 or something), and the JVM had to be patched by SBC software so that the application would run. The name escapes me... Oddly enough, I think LENS (Bell South's Java interface application) used the exact same version of the JVM. And this was before there was even talk of them merging.
Funny, I hear this all the time but I don't remember a commercial where Apple made a claim that Macs don't get viruses. Can you point it out to me? Here I'll get you started.
http://www.apple.com/getamac/ads/
They have pointed out that they aren't vulnerable to the thousands of viruses on Windows and that none of the spyware that affects them affects the Mac. Maybe I've missed it somewhere, please help me find this mythical commercial.
Someone, anyone!!
I don't see the point you're making. You might as well have contrasted nine-year disparate statements about RAM size. Over nine years, Apple's stance towards Java has changed; what's wrong with that? In 2000, Java seemed to have a wider path on the desktops than it does in 2009. Other languages and runtime environments have grown up around Java in the subsequent nine years, and to Apple's thinking, the other languages (such as Objective-C 2.0) allow for building better software than Java allows.
Apple's stance appears to be, right or wrong, that Java on the desktop and mobile devices is no longer the best way to develop and deploy software, and thus, they've allowed the Java implementation in OS X to grow long in the tooth, and have outright declined to port it to the iPhone/iPod Touch OS.
Obviously Apple is doing this so app developers must use the Cocoa libraries and internal devs can focus on improving Cocoa.
I don't know why any platform developer would devote resources to Java support. That should be up to Sun and the Java community.
Bitch and moan at Apple if you want, but it is Sun who signed an agreement with Apple promising not to release an OS X version of Java from Sun.
obviously no deficiencies vs. no obvious deficiencies
Point taken, but then large corporations can define which version of which browser or JVM is standard and installed on their users' machines, n'est-ce pas?
Their corporate machines, yes. But I am an off-site worker (embedded as a contractor elsewhere) so need to use my personal machine at home to do my time cards, expense reports, etc.
I should put something clever here. Maybe someday.
I'd like to know more about this agreement between Apple and Sun. I did a bit of searching and couldn't find anything. Do you have more info? A link maybe?
A publicly traded company exists solely to make profits for shareholders.
He agrees that Apple does care about security - read again. But he argues that they are not open about the details of what they fix, which as you point out, is incorrect.
I notice most sites don't like it when you turn JavaScript off, but don't care about Java.
The question I would have is: does JavaScript on OS X have the same vulnerabilities?
Perhaps the best solution is to install NoScript and white list only the sites needed.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Try the 'say' invoking applet by Landon Fuller:
http://is.gd/BpBp. That scared the crap out of me... what if it had invoked 'rm -rf ~'?
You would restore from your Time Machine backup, or the off site clone that you created with Carbon Copy Cloner or SuperDuper! (or rsync).
Backing up OS X is dead simple (it's mostly POSIX-compliant underneath); there's no reason not to do it.
Could it be that Apple does have security improvements in Snow Leopard, but isn't talking about them yet because they don't want people shouting "OMG Leopard is insecure"?
The shareholder is always right.
If by "public sector" you mean government, it has been my experience that Microsoft has a very small portion of the market. Here in California, most state and county governments use Novell. A lot of them are still on Groupwise 5.5.
That of course 1) assumes someone actually writes a virus targeting the Mac platform, 2) you are somehow redirected to a site that hosts the vulnerability, or launch an attachment that is a Java applet itself that contains malicious code, 3) the virus doesn't violate other UNIX security rules that would stop it from running on the Mac platform, and 4) that there's actually data stored on your Mac in unencrypted form in a directory the virus can get to to steal information from you, or some way the Java app can infect your machine with other code that can steal your input and passwords.
If all 4 are not true (and they're not yet), then Apple users are currently safe. Apple engineers do not rush "emergency" patches out for vulnerabilities when no ITW code has yet been discovered. They'll also assess what a virus could actually be capable of, and determine the complexity of code required to pull off a hack on their platform, and they'll assign a priority to the code work.
This, I'd gather, is a low priority risk for Mac as I've not actually heard, other than the proof of concept, of an ITW virus for ANY platform exploiting this vuln, let alone a targeted Mac virus. They'll release a patch, but 6 months in, and with everyone else already having it patched, Apple is likely just waiting to apply it with other patches. Kind of surprised it was not in the 10.5.7 patch recently... must be really low priority. This isn't exactly something they need to invent a fix for...
There is no contest in life for which the unprepared have the advantage.
Funny, I thought timely and accurate patches to the bits of software they want to control and distribute. It is nice that third-parties want to help, and distribute packages built for Java, but hey Apple - I thought I was paying you guys already to do this? How's about getting one of the twenty developers off the 'evil DRMs' project, and onto the seemingly understaffed 'basic patches' project?
*A*