Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mac OS X Users Vulnerable To Major Java Flaw

Posted by kdawson on from the write-once-own-everyone dept.

FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."

12 of 306 comments (clear)

  1. Java and not javascript by GreatDrok · · Score: 5, Informative

    I've disabled Java in Safari and doubt I'll see any difference since so few sites use Java applets these days. This is of course unrelated to Javascript which is much more disruptive when disabled.

    --
    "I have the attention span of a strobe lit goldfish, please get to the point quickly!"
    1. Re:Java and not javascript by BikeHelmet · · Score: 5, Insightful

      Anyway, Apple's "support" of Java is pretty pathetic. They're usually a year or more behind the curve and its not acceptable.

      You're absolutely right about that. Apple decided that they'd be better than Sun at creating a JVM for their OS, so they did it themselves.

      The result? PPC Macs are stuck on Java 1.5; Intel Macs have outdated, slow, and exploit vulnerable Java 1.6...

      I'm more inclined to let the company that specializes in that stuff deal with it - but then again, maybe it gave them much needed experience for their Rosetta technology.

    2. Re:Java and not javascript by RevRagnarok · · Score: 5, Informative

      I've had Java disabled for years, and have only ever had to enable it for broadband speed test applets.

      Then you are very lucky, and likely don't work for a ginormous company whose only way to not make things in ActiveX is to make them in Java. My timesheet program = Java. My Expense Report software = "Extensity" which seems to only like one version of the JVM. Lucky you!

      --
      I should put something clever here. Maybe someday.
    3. Re:Java and not javascript by kthreadd · · Score: 5, Interesting

      I'm more inclined to let the company that specializes in that stuff deal with it - but then again, maybe it gave them much needed experience for their Rosetta technology

      According to the Sun engineers I've talked to it all has to do with a really old license agreement between Apple and Sun that they can't change for now. Sun is forbidden to directly release Java for Mac OS X until the agreement expire or Apple decides to make a new agreement. The only practical solution they proposed was to use the BSD port of OpenJDK. You won't have the Aqua UI and I think you have to deal with X11, but you will have an overall better Java.

    4. Re:Java and not javascript by EthanV2 · · Score: 5, Informative

      Though I'm not sure why this whole discussion is under the title "Mac OS X users vulnerable..." when as the submission says the issue affects everybody. Other than to start yet amother boring FUD/flamebait war, of course.

      Maybe it's because everybody else has patched it

      FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple.

    5. Re:Java and not javascript by BrokenHalo · · Score: 5, Informative

      It looks like OpenJDK now runs on MacOSX:

      It does, but only with X11.

  2. Great interoperability by Chrisq · · Score: 5, Funny

    'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,'

    And the Java critics said total platform independence was impossible!

  3. Instructions for turning off Java... by Anonymous Coward · · Score: 5, Informative

    In case you don't have OS X but want to pass on the instructions to relatives, etc:

    In Safari (version 4 beta):

    Safari->Preferences->Security->Web Content: Enable Java (uncheck)

    In Firefox (3.5 beta, probably the rest):

    Firefox->Preferences->Content->Enable Java (uncheck)

    I don't have any other browsers (opera, different versions, etc.) on hand, but it might be nice to add instructions in a reply...

  4. Re:why specify Mac OSX by Draek · · Score: 5, Informative

    If you had read the very first paragraph of the summary, you'd know that it's "a vulnerability in Java that has been patched by everyone but Apple."

    For all the other platforms, architectures and browsers the fix is "use a version of Java that's less than 6 months old". For OSX users, however, the only solution is to stop using it altogether.

    --
    No problem is insoluble in all conceivable circumstances.
  5. Design or implementation flaw? by pwilli · · Score: 5, Interesting

    I'd really like to know if this was/is a flaw in the structure/design of the JVM or just happened to be some kind of pitfall every major JVM-implementor fell into.

    The articles and bug reports are light on detail, I could only find out it is related to "Deserializing Calendar Objects" and allows the applet to execute stuff with the users rights (or probably more correct, the rights of the webbrowser who started the applet)., which sounds like an implementation problem to me. Was there some reference implementation all JVM-developers used for this specific functionality?

  6. apple letting down java users.. by Anonymous Coward · · Score: 5, Informative

    Steve Jobs, JavaOne Keynote 2000:

    "We want to bring Java back to the desktop in a really big way. Iâ(TM)m here today to personally tell you we are working hard to make Mac the best Java delivery vehicle on the planet. The biggest thing we are doing is we are going to bundle Java 2 SE into every single copy of Mac OS X that we ship later on this year."

    WWDC 2006

    When is the next Java coming? We are following Sun's releases of Java SE 6 betas and other Java updates very closely.

    Steve Jobs, January 2007 (iPhone related):

    "Java's not worth building in. Nobody uses Java anymore. It's this big heavyweight ball and chain..."

    2008/05/01

    Apple (finally!) releases JDK 6 with 64 bit support only. Most apps won't run due to the lack of cocoa 64 bit libraries. 1 y/old notebooks left in the cold without 64bit support.

    1. Re:apple letting down java users.. by cshbell · · Score: 5, Interesting

      I don't see the point you're making. You might as well have contrasted nine-year disparate statements about RAM size. Over nine years, Apple's stance towards Java has changed; what's wrong with that? In 2000, Java seemed to have a wider path on the desktops than it does in 2009. Other languages and runtime environments have grown up around Java in the subsequent nine years, and to Apple's thinking, the other languages (such as Objective-C 2.0) allow for building better software than Java allows.

      Apple's stance appears to be, right or wrong, that Java on the desktop and mobile devices is no longer the best way to develop and deploy software, and thus, they've allowed the Java implementation in OS X to grow long in the tooth, and have outright declined to port it to the iPhone/iPod Touch OS.