Mac OS X Users Vulnerable To Major Java Flaw

FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."

Java and not javascript

[GreatDrok]

I've disabled Java in Safari and doubt I'll see any difference since so few sites use Java applets these days. This is of course unrelated to Javascript which is much more disruptive when disabled.

Re:Java and not javascript

[Serious+Callers+Only]

I've had Java disabled for years, and have only ever had to enable it for broadband speed test applets. Aside from that, and some upload plugins (though that's mostly flash or AJAX nowadays) client-side java just isn't used much on the web anymore.

I doubt you'll notice the difference.

Re:Java and not javascript

[DrXym]

Sites don't directly use Java but there are plenty of JNLP style apps. Also, JavaFX *may* spark some kind of mini-resurgence which means more sites use Java for video playback or random other things.

I say may because Flex / Flash is pretty embedded and Microsoft is moneyhatting its way into the scene. Sun doesn't have money so its almost a charity case at this time, relying on good will from mobile phone companies and Java devs.

Anyway, Apple's "support" of Java is pretty pathetic. They're usually a year or more behind the curve and its not acceptable.

Re:Java and not javascript

[BikeHelmet]

Anyway, Apple's "support" of Java is pretty pathetic. They're usually a year or more behind the curve and its not acceptable.

You're absolutely right about that. Apple decided that they'd be better than Sun at creating a JVM for their OS, so they did it themselves.

The result? PPC Macs are stuck on Java 1.5; Intel Macs have outdated, slow, and exploit vulnerable Java 1.6...

I'm more inclined to let the company that specializes in that stuff deal with it - but then again, maybe it gave them much needed experience for their Rosetta technology.

Re:Java and not javascript

[RevRagnarok]

I've had Java disabled for years, and have only ever had to enable it for broadband speed test applets.

Then you are very lucky, and likely don't work for a ginormous company whose only way to not make things in ActiveX is to make them in Java. My timesheet program = Java. My Expense Report software = "Extensity" which seems to only like one version of the JVM. Lucky you!

Re:Java and not javascript

[kthreadd]

I'm more inclined to let the company that specializes in that stuff deal with it - but then again, maybe it gave them much needed experience for their Rosetta technology

According to the Sun engineers I've talked to it all has to do with a really old license agreement between Apple and Sun that they can't change for now. Sun is forbidden to directly release Java for Mac OS X until the agreement expire or Apple decides to make a new agreement. The only practical solution they proposed was to use the BSD port of OpenJDK. You won't have the Aqua UI and I think you have to deal with X11, but you will have an overall better Java.

Re:Java and not javascript

[esme]

It looks like OpenJDK now runs on MacOSX:

http://landonf.bikemonkey.org/static/soylatte/

Re:Java and not javascript

[EthanV2]

Though I'm not sure why this whole discussion is under the title "Mac OS X users vulnerable..." when as the submission says the issue affects everybody. Other than to start yet amother boring FUD/flamebait war, of course.

Maybe it's because everybody else has patched it

FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple.

Re:Java and not javascript

[BrokenHalo]

It looks like OpenJDK now runs on MacOSX:

It does, but only with X11.

Re:Java and not javascript

[Serious+Callers+Only]

Then you are very lucky, and likely don't work for a ginormous company whose only way to not make things in ActiveX is to make them in Java.

: ) Reason no 12939 not to work at a gigantic corporation. Having experienced working in large companies, I sympathise.

The funniest thing about large companies using web-apps for internal software is that most of them produce web-apps which depend on technology which is not truly cross-platform (Active-X, using a certain JVM, depending on a certain browser, etc), thus removing most of the business benefit of using a web application in the first place.

Re:Java and not javascript

[Serious+Callers+Only]

But, because of this standardization, the internal development staff only needs to target one defined platform, they aren't really worried about cross-platform support.

This works really well as a way to cut costs *for the IT department* in the short term. As to whether it cuts costs for the company as a whole (there's the lost productivity involved in enforcing a standard install that you alluded to, and the lack of choice of tools), is another matter, and I'm sure varies with the company/tech involved. Obviously some degree of standardisation is required when managing large numbers of computers, so I'd happily concede that point.

But there is a bigger issue related to this strategy in the long term. In the long term, targeting one platform exclusively leads to the production of tools which are tied tighter and tighter to that platform. So it means you can never switch to a competitor; you can't even consider switching to a competitor unless you're willing to ditch all the internal software that you've built up which will only work on version X of system X. It becomes simply impossible for your business to even think about switching. You might even find that moving to a new version of an operating system has significant costs which you had not anticipated (an XP to Vista migration for example, or IE 6 to IE 8). These are not the normal costs of doing business, they are the costs of doing business if you choose to lock yourself too tightly to one platform.

There is a reason that Microsoft pushed things like Active-X, .NET and IE for web apps, Sun pushes Java everywhere, Apple encourages web pages made for iPhones, etc. It is to tie developers/companies in to using just their products, and it is in the long-term interests of the tool provider, not the company using the tools to work with.

Using web apps for internal software is a good way out of this conundrum, so long as you do not target a specific platform with them. Otherwise, you may as well be writing binary software tied to a specific version of one OS - the end result is the same - lock-in. I understand completely why, in the real world, these decisions are made, but if you look at the situation rationally they are not good investments of time/money over the long-term, and they undermine the very reasons for writing software as a web application in the first place.

Great interoperability

[Chrisq]

'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,'

And the Java critics said total platform independence was impossible!

Re:Great interoperability

[x2A]

Yay this is gonna be so much easier than trying to ship Wine with my viruses...

Re:Great interoperability

[sootman]

Am I the only one who first read that headline as "Mac OS X Users Vulnerable To Major Lava Flow"?

Instructions for turning off Java...

In case you don't have OS X but want to pass on the instructions to relatives, etc:

In Safari (version 4 beta):

Safari->Preferences->Security->Web Content: Enable Java (uncheck)

In Firefox (3.5 beta, probably the rest):

Firefox->Preferences->Content->Enable Java (uncheck)

I don't have any other browsers (opera, different versions, etc.) on hand, but it might be nice to add instructions in a reply...

Re:why specify Mac OSX

[Draek]

If you had read the very first paragraph of the summary, you'd know that it's "a vulnerability in Java that has been patched by everyone but Apple."

For all the other platforms, architectures and browsers the fix is "use a version of Java that's less than 6 months old". For OSX users, however, the only solution is to stop using it altogether.

Design or implementation flaw?

[pwilli]

I'd really like to know if this was/is a flaw in the structure/design of the JVM or just happened to be some kind of pitfall every major JVM-implementor fell into.

The articles and bug reports are light on detail, I could only find out it is related to "Deserializing Calendar Objects" and allows the applet to execute stuff with the users rights (or probably more correct, the rights of the webbrowser who started the applet)., which sounds like an implementation problem to me. Was there some reference implementation all JVM-developers used for this specific functionality?

Re:Design or implementation flaw?

[Draek]

This, gotten from the comments at TFA, has a bit more details on it.

Apparently it's a mix of both, a structural problem with the fact it needs to grant the Calendar class special priviledges to access ZoneInfo objects, and merely a common pitfall in that nobody had thought to limit those priviledges before to *just* accessing the calendar.

Beautiful stuff they used in the exploit, though, it's as if they actively tried to use every OOP-derived feature in Java on it at the same time ;)

Re:Design or implementation flaw?

[QuoteMstr]

technical details here.

The gist of it that the Java Calendar code temporarily elevates its privileges in order to deserialize a ZoneInfo object. If you substitute your own object's serialization for the ZoneInfo, you can get the Java runtime to create any object you want. Some questions:

1. Didn't anyone realize how dangerous arbitrary privilege elevation is?
2. Didn't anyone think that it might be overkill to elevate privileges in order to read a timezone?
3. How many other similar vulnerabilities are lurking in the standard library?

Re:Why am I not surprised?

[MobyTurbo]

You've kinda just proven the OP's point. Snow Leopard is just prettying up what already exists.

Snow Leopard is mainly a beneath-the-hood architectural upgrade. http://www.apple.com/macosx/snowleopard/ "Taking a break from adding new features..."

That having been said, there's nothing on there about added security. I can tell you there are some rumors that things like more complete code page protection and address randomization will be in Snow Leo, but Apple's priorities concerning security are rather low; they rely heavily on security-through-obscurity, and one day if they're not careful it's going to bite them.

To be expected

[Shrike82]

The (untrue) assumption that many people seem to hold that Macs are just invulnerable to anything bad happening has finally spread to Apple itself, and they're the last to patch this exploit. Since a lot of Mac advertising used to be based on "Macs don't get Viruses" you'd think they'd have been the first to patch this to maintain their reputation.

Yes I know I'm probably going to get modded down immediately for saying this, but hell, it's the truth.

Re:To be expected

[oDDmON+oUT]

"The (untrue) assumption that many people seem to hold (is) that...", patching actually is a "best practice", when it's not.

Marcus Ranum has a interesting and humorous take on patching that spells it out much better than I could.

The short version:

• Patching is a substitute for good design
• Patching exists for the simple reason that there is a rush to get products out the door, rather than take the time to ensure that they are secure

This is true of 99.9% of software in use.

Also disable Safari's 'Open"safe" files.

[landonf]

In addition to disabling Java support, Safari's 'Open "safe" files after downloading' must also be disabled to prevent websites from automatically loading a Java WebStart application via a JNLP file.

I've also posted a demonstration of the vulnerability at http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html

Re:Now patched?

[landonf]

No patch is currently available -- a fully patched 10.5.7 system remains vulnerable. See also http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html

Oh I don't know...

[Shivetya]

after meeting some Mac newbies I am think I can already see the iceberg. Two are friends, one of which called me out of the blue to tell me that he just bought his first Mac (an iMac actually). Well needless to say I get calls from both since I am the "mac expert" (Read: I had one longer than them).

The simplest way to say it, they are more than happy to key in their password for anything that asks, even if they don't know what they are doing. After all, they are on a Mac, they don't have virus protection because it doesn't need it, so how is something bad going to get on the system. These are not normally dense people, well maybe they are proving me wrong.

So I figure that someone out there will rely on this type of stupidity to get key loggers, bots, and the like, on Macs. The number of people out there who buy one because they think it makes them cool or smart cannot be underestimated.

I do know one of these two did ditch firefox because they didn't like clicking the ad-block button to allow some sites. So it is just a matter of time.

(and no, I do not run a AV or worry about it on either of my Macs)

Re:Oh I don't know...

[jimicus]

As an agriculture monoculture, PCs were an easy infection target because of their uniformity and number. I wonder if, in an imaginary world where Win, Mac & Linux were split 30/30/30, you would still see 1/3 of the Windows malware? Hopefully not. Hopefully it'd be less.

I hate to break it to you but I remember the days when there was no Windows monoculture and data was usually passed with floppy disks.

Malware existed on all common desktop platforms back then. It couldn't spread as fast, but it certainly existed.

Re:Now patched?

[iwein]

try the 'say' invoking applet by Landon Fuller: http://is.gd/BpBp. That scared the crap out of me... what if it had invoked 'rm -rf ~'?

apple letting down java users..

Steve Jobs, JavaOne Keynote 2000:

"We want to bring Java back to the desktop in a really big way. Iâ(TM)m here today to personally tell you we are working hard to make Mac the best Java delivery vehicle on the planet. The biggest thing we are doing is we are going to bundle Java 2 SE into every single copy of Mac OS X that we ship later on this year."

WWDC 2006

When is the next Java coming? We are following Sun's releases of Java SE 6 betas and other Java updates very closely.

Steve Jobs, January 2007 (iPhone related):

"Java's not worth building in. Nobody uses Java anymore. It's this big heavyweight ball and chain..."

2008/05/01

Apple (finally!) releases JDK 6 with 64 bit support only. Most apps won't run due to the lack of cocoa 64 bit libraries. 1 y/old notebooks left in the cold without 64bit support.

Re:apple letting down java users..

[cshbell]

I don't see the point you're making. You might as well have contrasted nine-year disparate statements about RAM size. Over nine years, Apple's stance towards Java has changed; what's wrong with that? In 2000, Java seemed to have a wider path on the desktops than it does in 2009. Other languages and runtime environments have grown up around Java in the subsequent nine years, and to Apple's thinking, the other languages (such as Objective-C 2.0) allow for building better software than Java allows.

Apple's stance appears to be, right or wrong, that Java on the desktop and mobile devices is no longer the best way to develop and deploy software, and thus, they've allowed the Java implementation in OS X to grow long in the tooth, and have outright declined to port it to the iPhone/iPod Touch OS.

Re:There is no reason to have Java enabled

[Ash-Fox]

CERT has been telling users to disable Java in your web browser for years. If you haven't done so already, give it a shot. You probably won't miss it.

First things I noticed after disabling it, restarting Firefox with my saved tabs:

• Can't use my bank anymore
• Citrix from the web doesn't work
• Akamai download manager doesn't work
• Website IRC chat no longer works
• Dragon court no longer works

At this point I got annoyed and turned Java back on.

Re:Why am I not surprised?

[singularity]

Yeah, this page listing all of the security patches in every Apple update must surely not exist. You know, complete with links to knowledge base articles containing links to the CVE-IDs patched by that particular patch.

Posts like yours are the reason that Slashdot needs a "-1, Factually Incorrect" moderation.

I agree that Apple should have patched this a long time ago, but your argument that Apple does not care about security is just plan asinine.