Apple Nabs Java Exploit That Bypassed Disabled Plugin
Trailrunner7 writes "Apple on Thursday released a large batch of security fixes for its OS X operating system, one of which patches a flaw that allowed Java Web Start applications to run even when users had Java disabled in the browser. There have been a slew of serious vulnerabilities in Java disclosed in the last few months, and security experts have been recommending that users disable Java in their various browsers as a protection mechanism. However, it appears that measure wasn't quite enough to protect users of some versions of OS X."
The problem with Flash is the developers. ActionScript can do a lot of things... that doesn't mean those things should have been done. Of course if sandboxing was foolproof, things would have worked better for both technologies. Hopefully HTML5 can fill the gap for both and we can finally do away with both plugins.
If computers were people, I'd be a misanthrope.
If the Apple Safari browser on Apple OSX had Java disabled it let it run anyway? Glad they fixed that.
Such an hero.
"The Adobe Updater must update itself before it can check for updates. Would you like to update the Adobe Updater now?"
Windows could have been sandboxed too, making it impossible to edit system files or access files outside the installation directory. Also autobooting at start should be something only the user can choose and can't be automatically checked. This would have rendered most viruses useless. This should have been done circa 1995-98 when the Internet was just going mainstream.
God spoke to me
It's only not a bug in that it was by design.
Basically Mac OS X has a list of "safe" files that don't bring up an "are you sure you want to open this file?" dialog after they've been downloaded. The idea is that if you download a text file, you won't get a dialog warning you that the file is insecure when you try and open it.
JNLP files were put in that list, presumably based on the assumption that Java was "secure." (Bad assumption!)
The fix was to remove them from the safe list, so now you'll get an "are you sure?" dialog from the OS itself rather than assuming Java is secure.
You are in a maze of twisty little relative jumps, all alike.
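An added illustration of why a JNLP file is not comparable to a text file on a "safe" list (example code, not part of the original thread or of Apple's fix): a JNLP descriptor names remote code to launch and can request execution outside the Java sandbox. The sample descriptor, its host name and the `triage_jnlp` function are constructed for this example; the parser only reads the file and never fetches or runs anything.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal JNLP descriptor of the kind a download could deliver.
SAMPLE_JNLP = b"""<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://downloads.example.invalid/app" href="launch.jnlp">
  <information><title>Sample</title><vendor>Example</vendor></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="main.jar" main="true"/>
    <jar href="lib/util.jar"/>
  </resources>
  <application-desc main-class="com.example.Main"/>
</jnlp>
"""

def triage_jnlp(data: bytes) -> dict:
    """Summarise what a JNLP file would launch, without fetching or running anything."""
    # Refuse UTF-16/32 input (NUL bytes) and DTDs before parsing;
    # a JNLP descriptor has no need for entity declarations.
    if b"\x00" in data or b"<!DOCTYPE" in data:
        raise ValueError("unexpected encoding or DOCTYPE declaration")
    root = ET.fromstring(data)
    if root.tag != "jnlp":
        raise ValueError("not a JNLP descriptor")
    codebase = root.get("codebase", "")
    security = root.find("security")
    # Without one of these elements the application stays in the Java sandbox.
    unsandboxed = security is not None and any(
        child.tag in ("all-permissions", "j2ee-application-client-permissions")
        for child in security)
    jars = [el.get("href", "") for el in root.iter("jar")]
    desc = root.find("application-desc")
    findings = []
    if unsandboxed:
        findings.append("requests execution outside the Java sandbox")
    if not codebase.lower().startswith("https://"):
        findings.append("codebase is not HTTPS")
    return {"codebase": codebase, "jars": jars,
            "main_class": desc.get("main-class") if desc is not None else None,
            "unsandboxed": unsandboxed, "findings": findings}

if __name__ == "__main__":
    for key, value in triage_jnlp(SAMPLE_JNLP).items():
        print(f"{key}: {value}")
```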
E.g. you can changeroot the process and then it can't do anything.
chroot is a big help, but it doesn't preclude gaining access to memory, and if you have enough access to that then you can write files using other processes' permissions. You really need to virtualize to even claim to have a sandbox which is useful from a security standpoint. Even then it's not impossible to exploit a virtual driver and gain access to the underlying hardware indirectly.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"