Apple Nabs Java Exploit That Bypassed Disabled Plugin

← Back to Stories (view on slashdot.org)

Apple Nabs Java Exploit That Bypassed Disabled Plugin

Posted by timothy on Friday March 15, 2013 @03:52PM from the heading-them-off-before-they-head-you-off dept.

Trailrunner7 writes "Apple on Thursday released a large batch of security fixes for its OS X operating system, one of which patches a flaw that allowed Java Web Start applications to run even when users had Java disabled in the browser. There have been a slew of serious vulnerabilities in Java disclosed in the last few months, and security experts have been recommending that users disable Java in their various browsers as a protection mechanism. However, it appears that measure wasn't quite enough to protect users of some versions of OS X."

73 of 97 comments (clear)

Min score:

Reason:

Sort:

Java and flash... by sdsucks · 2013-03-15 15:53 · Score: 4, Insightful

Incredibly, still the biggest shit on the internet.
Too bad, as a language I actually like Java. Flash is crap though, always was, always will be.
1. Re:Java and flash... by eksith · 2013-03-15 15:58 · Score: 5, Interesting
  
  The problem with flash are the developers. ActionScript can do a lot of things... that doesn't mean those things should have been done. Of course if sandboxing was foolproof, things would have worked better for both technologies. Hopefully HTML5 can fill the gap for both and we can finally do away with both plugins.
  
  --
  If computers were people, I'd be a misanthrope.
2. Re:Java and flash... by casab1anca · 2013-03-15 16:07 · Score: 5, Informative
  
  Flash is crap though, always was, always will be.
  Flash may be crap now but for a long time, it (and Shockwave before it) was the only practical way of displaying interactive multimedia content in the browser.
3. Re: Java and flash... by Anonymous Coward · 2013-03-15 16:12 · Score: 2
  
  You're right, but as they added features they always treated security as an afterthought.
  If security isn't part of the foundation and framework of your products then you're always going to be playing catchup as you ship vulnerabilities to your customers.
4. Re:Java and flash... by GoodNewsJimDotCom · 2013-03-15 16:36 · Score: 4, Interesting
  
  Windows could have been sandboxed too making it impossible to edit system files, access files outside the installation directory too. Also autobooting at start should be something only the user can choose and can't be automatically checked. This would have rendered most viruses useless. This should have been done circa 1995-98 when the Internet was just going mainstream.
  
  --
  God spoke to me
5. Re:Java and flash... by sdsucks · 2013-03-15 18:05 · Score: 1
  
  Regardless of the "Flamebait" modding, the reality is that Flash and Java alone are responsible for far more than their fair share of actively exploited vulnerabilities.
6. Re:Java and flash... by sdsucks · 2013-03-15 18:08 · Score: 2
  
  Windows could have been sandboxed too making it impossible to edit system files, access files outside the installation directory too.
  You have a lot more faith in sandboxing than you should. Sandboxing is more like a fence than it is a wall.
7. Re: Java and flash... by sdsucks · 2013-03-15 18:09 · Score: 1
  
  In a web development project, I consider both Java and Flash unusable for that reason.
8. Re:Java and flash... by sdsucks · 2013-03-15 18:12 · Score: 1
  
  C and C++ applications are typically not embedded in web pages, and no web browser would execute them if they were.
  Flash and Java are both commonly embedded in web pages, and execute automatically if the user has the plugin installed.
9. Re:Java and flash... by JDG1980 · 2013-03-15 18:19 · Score: 4, Insightful
  
  Windows could have been sandboxed too making it impossible to edit system files, access files outside the installation directory too. Also autobooting at start should be something only the user can choose and can't be automatically checked. This would have rendered most viruses useless. This should have been done circa 1995-98 when the Internet was just going mainstream.
  The problem is that circa 1995-98, the average home PC simply wasn't powerful enough to handle this kind of sandboxing while maintaining acceptable performance. Windows 9x basically ran on bare metal (one bad app could easily bring the whole system down) and there was no such thing as security. It was crude, but it was the best you could do on a Pentium 100 with 8 megs of RAM (16 if you were lucky). A modern smartphone leaves these old systems in the dust. The Windows NT series has a Unix-style security model, though it was undermined by the need for backwards compatibility forcing regular users to run as administrator (UAC was a belated attempt to fix this). But this also means that NT needs a faster processor and a lot more RAM than 9x. The first home version of Windows based on the NT kernel was XP, and people were all up in arms about its "outrageous" system requirements back in 2001.
  Nowadays, you can usually get away with running as a limited user and escalating only when installing or updating a program from a trusted source. I agree that sandboxing could be more sophisticated than it is on Windows, but this isn't a unique flaw; in fact, it's a result of copying the outdated Unix security model, which assumes that the program is the user and would do roughly what the user wanted (maybe true in the 1970s on shared university systems, but obvious nonsense now).
10. Re:Java and flash... by DKlineburg · 2013-03-15 19:30 · Score: 2
  
  even if you sandbox, does the average user know when to click yes run, vs no don't? But I want to see cute kittens playing with yarn!
  
  --
  Memory is deceptive because it is colored by today's events. - Albert Einstein
11. Re:Java and flash... by TwilightXaos · 2013-03-15 20:37 · Score: 1
  
  http://noscript.net/
  Maybe.
12. Re:Java and flash... by penix1 · 2013-03-15 21:00 · Score: 2
  
  The problem is that circa 1995-98, the average home PC simply wasn't powerful enough to handle this kind of sandboxing while maintaining acceptable performance. Windows 9x basically ran on bare metal (one bad app could easily bring the whole system down) and there was no such thing as security. It was crude, but it was the best you could do on a Pentium 100 with 8 megs of RAM (16 if you were lucky). A modern smartphone leaves these old systems in the dust. The Windows NT series has a Unix-style security model, though it was undermined by the need for backwards compatibility forcing regular users to run as administrator (UAC was a belated attempt to fix this). But this also means that NT needs a faster processor and a lot more RAM than 9x. The first home version of Windows based on the NT kernel was XP, and people were all up in arms about its "outrageous" system requirements back in 2001.
  I argue it is a far different reason that has nothing to do with the hardware...
  Microsoft's insistence on backwards compatibility is the culprit. They needed to maintain DOS compatibility or the businesses would have ditched them if Win 9x didn't. This is why even right up to Windows 7 you still have an emulated DOS environment. Machines have increasingly become more powerful yet Microsoft still has to maintain the old shit or lose market share with the businesses. This above all else is the reason you have the mess that is a Windows environment. throw in the constant threats of antitrust every time they try to add in security (mostly from the antivirus industry) and it really is a mess.
  
  --
  This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
13. Re:Java and flash... by Psychotria · 2013-03-15 21:22 · Score: 1
  
  Server-side C or C++ work fine. But then there is the problem that the server is executing the code so most website servers wouldn't be able to handle the load. The alternative is for the client to do the processing which is fraught with danger. It's one of the reasons that I've always been averse to client-side execution from the start but, pragmatically, there is no way around it. Web-browsers these days are more like virtual machines than anything else.
14. Re:Java and flash... by dreamchaser · 2013-03-15 21:25 · Score: 2
  
  Only the 32 bit version of Windows 7 can run old 16 bit code for DOS or Windows, so you're half right since about half the people running Win 7 are using the 64 bit edition.
15. Re:Java and flash... by fa2k · 2013-03-16 00:18 · Score: 1
  
  the outdated Unix security model, which assumes that the program is the user and would do roughly what the user wanted (maybe true in the 1970s on shared university systems, but obvious nonsense now).
  It's a good thing that it evolved this way, because insecurity also makes it easier for the programmer. If malware and cyber* was as rampant in the late 1990s as it is now, we would have some horrible locked down computers which only did ~6 things that were blessed by the manufacturer. Today is a good time to start making systems more secure, but there also needs to be an open-ended environment where small programs can share data without any restrictions.
16. Re:Java and flash... by sproketboy · 2013-03-16 00:31 · Score: 1
  
  Er, Java and Flash are written in C or C++.
17. Re:Java and flash... by angel'o'sphere · 2013-03-16 02:34 · Score: 2
  
  Flash was a nightmare on Macs untill recently.
  After a day or so you always had a flash process running that ate one of your CPUs for 98% or more.
  For some reason flash was unable to "not animate" all hidden windows etc.
  I switched to Chrome for only one reason: the Taskmanager window. Here you can kill the flash process without harming the open tabs. (Well every flash widget gets a "sad eye": oh! flash is gone!"
  This is the reason why iOS does not support Flash natively.
  I believe Safari runs Flash now in a separate process which you can "kill -9" if needed.
  Before Chrome I really hated it to be forced to kill Safari every few days to get rid of the Flash ... well perhaps I should have been consequent and just disable it.
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
18. Re:Java and flash... by angel'o'sphere · 2013-03-16 02:36 · Score: 1
  
  Depends on the way how sand boxing is done.
  E.g. you can changeroot the process and then it can't do anything.
  On Macs a lot of stuff is getting more and more sand boxed. E.g. PDF rendering in Safari is done in a separate sandboxed process.
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
19. Re:Java and flash... by angel'o'sphere · 2013-03-16 02:46 · Score: 2
  
  This is not insightful, if at all it is informative :D Because it is half wrong.
  The problem is that circa 1995-98, the average home PC simply wasn't powerful enough to handle this kind of sandboxing while maintaining acceptable performance. Windows 9x basically ran on bare metal (one bad app could easily bring the whole system down) and there was no such thing as security. It was crude, but it was the best you could do on a Pentium 100 with 8 megs of RAM (16 if you were lucky).
  All other operation systems running on similar hardware but having strict security and privileges proof you wrong. Even Linux existed at that time already and ran happily on that hardware.
  Also I have the impression most people here are not really sure about what sandboxing actually is.
  Sandboxing e.g. has nothing to do with the fact that I run my applications as an ordinary user and escalate to a wheel user when installing software (in fact 90% of the software installs don't require root access anyway).
  Sandboxing means e.g.: my mail program can only write into folder where the mail is stored. So regardless how you attack my mail program the operation system will not let it write anything elsewhere, regardless if it runs as "Angelo" or as "root" (hence it can not modify other applications etc.) Also the OS won't let it read any files, except those in the mail folder, the mails I have received or sent.
  That was just an example ... Mail.app is not that strong sandboxed.
  The performance impact of a sandbox is close to zero. Hence the claim it was impractical on older hardware is just nonsense.
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
20. Re:Java and flash... by angel'o'sphere · 2013-03-16 02:48 · Score: 1
  
  I guess you never heard about ActiveX ;D
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
21. Re:Java and flash... by drinkypoo · 2013-03-16 03:18 · Score: 1
  
  The problem with flash are the developers.
  Yes, the developers writing malware. Wait, what? If the system permits you to write malware, and part of the purpose of the system is sandboxing, then clearly the system is the problem. Do you mean the developers of flash? We don't really care why the software has holes in it, whether it's developers or physics or aliens. We care about the holes. The programmers are not the direct problem for the user unless they're coming into their house and eating their cheeseburgers.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
22. Re:Java and flash... by drinkypoo · 2013-03-16 03:21 · Score: 1
  
  Only the 32 bit version of Windows 7 can run old 16 bit code for DOS or Windows
  Even in XP Mode? Not that I'm choked up about XP Mode, lots of software doesn't run in it at all.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
23. Re:Java and flash... by drinkypoo · 2013-03-16 03:23 · Score: 3, Interesting
  
  E.g. you can changeroot the process and then it can't do anything.
  chroot is a big help, but it doesn't preclude gaining access to memory, and if you have enough access to that then you can write files using other processes' permissions. You really need to virtualize to even claim to have a sandbox which is useful from a security standpoint. Even then it's not impossible to exploit a virtual driver and gain access to the underlying hardware indirectly.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
24. Re:Java and flash... by Clsid · 2013-03-16 03:41 · Score: 1
  
  I don't feel sorry for Java, on the contrary I'm quite happy that Java is going away. Java was like a hippie ideal for peace, neat idea but so much bs going on around it.
  I have always felt that using languages that wasted so many CPU cycles like Java were making our hardware obsolete before time. I still remember when on a Pentium 100 you could do wonders. Even Visual Basic, which was also inefficient, was pretty fast and it was perfect for business applications, until they started doing the Java thing with .NET
  This is one of the main reasons I like the approach Apple took to their development. Even if they use a lot of eye candy, they stick to using a variant of C that is fast and useful. That in turn worked wonders when it was the turn to develop for iOS and save battery and processing power.
25. Re:Java and flash... by fredprado · 2013-03-16 04:38 · Score: 1
  
  XP Mode is XP installed in a virtual Machine. You can run pretty much whatever you want in a virtual Machine. With the same argument you could say that Windows runs OS X and Linux applications.
26. Re:Java and flash... by fredprado · 2013-03-16 04:43 · Score: 1
  
  Virus developers adapt. No system is 100% secure as this very article shows, and a single exploit is all that is needed. From the security perspective, being mainstream is the greatest problem Windows always faced, not any inherent security issues.
  
  On the other hand, far from me saying Windows is a good OS. From the usability and stability perspectives, of course, Windows has always been bad.
27. Re:Java and flash... by PDF · 2013-03-16 04:52 · Score: 1
  
  On Linux and probably some other unices, chroot is not intended for use as a security mechanism. See http://it.slashdot.org/story/07/09/27/2256235/when-not-to-use-chroot and also man 2 chroot.
  If you can take the performance hit, a VM of some kind (emulated bytecode, virtualization or JIT compilation) is much better for security. Unfortunately, security is more difficult than it seems at first glance, so it doesn't always get the attention it needs. Hence we have gaping holes in Java applets. This is why we can't have nice things.
28. Re:Java and flash... by PDF · 2013-03-16 04:55 · Score: 1
  
  Actually, we get gaping holes in the Java environment that the applets run on. But I think you get the idea.
29. Re:Java and flash... by drinkypoo · 2013-03-16 05:07 · Score: 1
  
  So was Classic. Except it was Mac OS.
  XP Mode won't run Civ 2 on amd64.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
30. Re:Java and flash... by fredprado · 2013-03-16 06:57 · Score: 1
  
  XP Mode runs on Virtual PC a MS virtualization solution, which is similar to VirtualBox and VMWare, if not as polished. Civilization 2 can be run on Virtual PC as long as the OS you decide to install in it is compatible with Civ 2. Windows XP is not.
31. Re:Java and flash... by Stupendoussteve · 2013-03-16 07:48 · Score: 1
  
  Or Google's Native Client.
32. Re:Java and flash... by washu_k · 2013-03-16 07:57 · Score: 1, Insightful
  
  All other operation systems running on similar hardware but having strict security and privileges proof you wrong. Even Linux existed at that time already and ran happily on that hardware.
  No, he is completely correct. Linux of the time did not "run happily" on that hardware with the same level of GUI complexity as Win9x. Either Linux had no GUI at all, or a simple window manager like TWM or FVWM.
  
  This is also doubly wrong in claiming that all other operating systems at the time had proper security. The biggest competitors to MS at the time were even simpler and less secure OSes. For GUIs there was MacOS which didn't have protected memory and could barely multitask, along with having no security model. On the server side the biggest at the time would have been Novell, which did have a security model, but still had no protected memory and much simpler multitasking than even Win9x.
33. Re:Java and flash... by angel'o'sphere · 2013-03-16 08:56 · Score: 2
  
  I had linux installed on a 486 with 16MB and 32MHz.
  It run superb and was much faster than Win 95/98 on a Pentium 2.
  Also I don't recall that windows had any fancy thing in its windows manager that costs more cpu power than X did.
  On top of that, you seem not to know much about computing history.
  The OSes I refer too are Sun BSD (Sun OS 4) the early Sun Solaris, HP Ux, Dec Ultrix, Vax VMs, and there are dozens more, SGI, Apollo etc.
  So no, you and your parent are wrong. You are wrong on the simple fact: security costs perhaps 1% computing power. So it fucking does not matter wether you are having it on a 2MHz processor or on a 2 GHz processor.
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
34. Re:Java and flash... by angel'o'sphere · 2013-03-16 09:00 · Score: 1, Troll
  
  You are right if your OS is buggy, is it not, you can neither access other processes memory nor explot drivers.
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
35. Re:Java and flash... by angel'o'sphere · 2013-03-16 09:04 · Score: 1
  
  A non priviledged process can not break out of its rot directory assigned to him by chroot.
  I don't know if that was intended as a security feature, but imho it increaes security greatly. E.g. if your web server is running in a chroot environment ....
  Ofc your other points are valid.
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
36. Re:Java and flash... by drinkypoo · 2013-03-16 09:36 · Score: 1
  
  You are right if your OS is buggy, is it not, you can neither access other processes memory nor explot drivers.
  Your fucking comment has a bug, you expect an operating system not to?
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
37. Re:Java and flash... by drinkypoo · 2013-03-16 09:37 · Score: 1
  
  Civilization 2 can be run on Virtual PC as long as the OS you decide to install in it is compatible with Civ 2. Windows XP is not.
  Civ 2 runs fine on XP. Even better with an idle mode patch. It doesn't run on XP Mode with or without it. It runs fine in vmware on the same machine. Your argument is offensively stupid bullshit both because it is wrong and because it is a Microsoft apology.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
38. Re:Java and flash... by fredprado · 2013-03-16 09:53 · Score: 1
  
  The original release of Civ 2 (from 1996) does not run on XP. The new release of Civ 2 from (2002) runs on XP AND on Windows XP Mode too. You probably forgot to disable XP Mode integration features, which is required for it to run most games. If you don't know how to use XP Mode, the problem is certainly you, not XP Mode.
39. Re:Java and flash... by drinkypoo · 2013-03-16 09:56 · Score: 1
  
  Civ 2 Multiplayer Gold does not run in XP Mode on Win7 on amd64, or at least, it didn't for me. And I didn't forget to enable anything, it just doesn't work. I know precisely how to use XP Mode. Delete that piece of shit, and install XP in VMware Player, which is dramatically superior software, and costs me just the same amount as XP Mode. Even better, I can run it on something that isn't Windows, where it not only provides superior performance but also doesn't involve me running Windows on my bare hardware. Everyone wins but Microsoft, and I'll be glad when they go away and games are made for some other operating system.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
40. Re:Java and flash... by angel'o'sphere · 2013-03-16 10:13 · Score: 1, Troll
  
  Yes I do :)
  Albeit knowing that this is rare.
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
41. Re:Java and flash... by tepples · 2013-03-16 10:14 · Score: 1
  
  If malware and cyber* was as rampant in the late 1990s as it is now, we would have some horrible locked down computers which only did ~6 things that were blessed by the manufacturer.
  That's exactly what we have had since 1985 with the lockout mechanisms in the video game consoles that displaced Commodore computers.
42. Re:Java and flash... by sjames · 2013-03-16 10:36 · Score: 1
  
  chroot is NOT a security API. Because of that, there are a few clever ways to escape a chroot, particularly if you can run with elevated privilege or get help from another (possibly unprivileged) process outside the jail.
  It can be helpful, but since you're using the call for an unintended purpose, you have to be really careful with it.
43. Re:Java and flash... by angel'o'sphere · 2013-03-16 10:57 · Score: 1
  
  Sure, there is always a trick to circumvent something.
  Howeve, for what exactly was chroot invented if nott for security? Otherwise I see no reason for it at all.
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
44. Re:Java and flash... by sjames · 2013-03-16 11:46 · Score: 1
  
  It is useful for debugging, protection from simple bugs, and system repair. It can also be used to run multiple instances of a system service designed to have a single instance per machine. In other words, it is a namespace utility.
  The point is that the kernel developers do not make an effort to prevent circumventing chroot in several ways because it's not meant to be resistant to circumvention.
45. Re:Java and flash... by angel'o'sphere · 2013-03-16 12:05 · Score: 1
  
  That is an intersting point: not ment to be resistant.
  OTOH most of your examples (wikipedia mentions them as well) could be done with proper setup of PATH and LDPATH as well, but perhaps it is easier to have a kind of "second system" where you can chroot to.
  In fact most chroot systems I encountered where for emulation purpose. E.g. having a certain linux variant as host environment and having another one (chrooted) for development purpose. Some simple stuff like copy/paste not reliable working via X windows from an windows client e.g. made this necessary.
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
46. Re:Java and flash... by fredprado · 2013-03-16 13:07 · Score: 1
  
  I have Windows 7 64 bits installed and I happen to have Civ 2 Gold Edition (2006) too. It works just fine for me on XP mode. I also have both VMWare and Virtualbox installed and it works in both well too.
  
  Don't take me wrong. I don't like MS either, but XP Mode and Virtual PC are not part of the reasons why I do.
So... by Molochi · 2013-03-15 16:28 · Score: 2, Interesting

If the Apple Safari browser on Apple OSX had Java disabled it let it run anyway? Glad they fixed that.
Such an hero.

--
"The Adobe Updater must update itself before it can check for updates. Would you like to update the Adobe Updater now?"
1. Re:So... by Stupendoussteve · 2013-03-16 07:54 · Score: 2
  
  Kind of.
  The issue was not Java applets embedded in webpages, they were still disabled. It has to do with a (stupid) feature in Safari, "Open 'Safe' files after downloading." Apparently the Java web start files were on the safe list and would auto-execute.
2. Re:So... by Kyusaku+Natsume · 2013-03-16 14:06 · Score: 2
  
  Since Safari 2 or 3 that "Open safe files after downloading" as been the worst design decision by the Safari team. It is the first thing I disable when I do a new install of OS X.
  
  --
  Mexico: 100% conservative's America now!
Not a bug? by subanark · 2013-03-15 16:33 · Score: 5, Informative

A webstart link is simply a jnlp file, which is an xml file, that if opened with javaws will start up the Java application (in a sandbox or warn the user it won't). This does not attach to the web browser and runs in its own frame. When you install Java it should associate jnlp files with javaws so that when you click with a browser it shouldn't launch the javaws program unless you choose to always open with it when you click it.
From the article this seems to be a bug with the way the Mac handled scripts in an unexpected way.
1. Re:Not a bug? by _xeno_ · 2013-03-15 17:46 · Score: 3, Interesting
  
  It's only not a bug in that it was by design.
  Basically Mac OS X has a list of "safe" files that don't bring up an "are you sure you want to open this file?" dialog after it's been downloaded. The idea is that if you download a text file, you won't get a dialog warning you that the file is insecure when you try and open it.
  JNLP files were put in that list, presumably based on the assumption that Java was "secure." (Bad assumption!)
  The fix was to remove them from the safe list, so now you'll get an "are you sure?" dialog from the OS itself rather than assuming Java is secure.
  
  --
  You are in a maze of twisty little relative jumps, all alike.
2. Re:Not a bug? by _xeno_ · 2013-03-15 18:33 · Score: 1
  
  Java Web Start itself can also bring up an "are you sure?" dialog, which is different from the OS dialog. There's a generic universal "you downloaded this file off the Internet, are you sure you want to open it?" dialog that is shown in Mac OS X by Finder for all "non-safe" files.
  The Java Web Start one I think only got triggered if your app was signed and requested not to run in the sandbox. If it was unsigned and didn't request to run outside the sandbox, I'm pretty sure JWS has always just launched the app without asking the user, based on the assumption that the sandbox made it safe.
  
  --
  You are in a maze of twisty little relative jumps, all alike.
3. Re:Not a bug? by girlinatrainingbra · 2013-03-15 22:26 · Score: 1
  
  Scripts are executeables, too, eh? ;>) It took the mac-masses a while to notice. The problem with saying "there's a problem with java" and disabling java in the browser was leaving an attack vector open on the desktop by leaving java as a standalone. So if there's a known java explout and the recommended action is to disable java, then stopping the browser-plug-in is only part of the solution. Disabling the standalone java or jar execution system is also necessary.
4. Re:Not a bug? by devent · 2013-03-16 00:07 · Score: 2
  
  That's the fault of the operating system (i.e. Windows).
  I have Windows 7 for gaming and every time I start it to do some games, a few popup will come up, sometimes my screen will get black with a UAC dialog. That one time, Windows 7 just terminates my game and do a restart (for updates).
  Use a real operating system like Linux and that stupid will go away. No more popups from 10 different applications informing you of an update, no more restarts to do updates (not even for a kernel update you need a restart). And yes, no more stupid "toolbar" that needs to be installed.
  
  --
  http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
5. Re:Not a bug? by drinkypoo · 2013-03-16 03:16 · Score: 1
  
  Do you have an Active Directory domain set up?
  Ah yes. I can see how much easier Windows is to administer, I have to have a domain before I can do anything sensible with it. Of course, I'd better have a backup domain controller. In a small office you might have four PCs, now I need two more and each on their own UPS to make sure that I don't have a failure that prevents work from being done.
  
  At least for Adobe Reader you can just leave it out and install Foxit instead. I wish there was an available alternative to Java.
  I am able to run what few Java things I try to run on my Linux system with the available alternative. When it gets updated automatically along with my OS updates, I don't even have to notice. In fact, I usually don't, because more than half the time the update-manager GUI won't actually appear, but I can still right-click the icon and install all updates. Yay Ubuntu! Obviously, it's not all sunshine and roses.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
6. Re:Not a bug? by subanark · 2013-03-16 03:40 · Score: 2
  
  Not entirely true. You simply want to disable automatic execution of Java code. There are many apps out there that people don't even know use Java to run (although many of them use a private JVM to run in). The same goes for flash.... you wouldn't want your flash app to stop working since you disabled it in your web browser.
  I know that Ubuntu requires jars to have the executable set on them before you can use them with java. What the mac did will still allow this, as it marks files as to their original location. If you download a program (including java jars) you will get a warning that you downloaded this [java, perl, unix, flash, windows, , ect...] program on the internet, It could harm your computer. Are you sure you want to continue? Additionally, since Java isn't installed on Macs by default anymore, it will ask you if you want to install it if you try and open a jar.
7. Re:Not a bug? by Stupendoussteve · 2013-03-16 07:57 · Score: 1
  
  I don't think this was a flaw in that safe files list. It mentions it could be executed automatically, not that it was executed without warning.
  Safari has the "Open 'safe' files automatically' option which is turned on by default. I think this is more likely the issue.
Re:what JAVA? by Molochi · 2013-03-15 16:48 · Score: 1

It's that thing that allows your users to access their web client at work.

--
"The Adobe Updater must update itself before it can check for updates. Would you like to update the Adobe Updater now?"
how long? by arbiter1 · 2013-03-15 17:51 · Score: 1

Issue really is How long was the flaw known and How long did it take Apple to get off their ASS to fix it?
Why is the browser launching anything? by Animats · 2013-03-15 18:27 · Score: 2

Hello? Why is a web browser launching other applications without explicit user consent? Ever?
This was the classic Microsoft security hole - executing anything that came in which could possibly be executed - Word documents, spreadsheets, autoplay files, Universal Plug and Play. Microsoft has now turned most of that off. Apple is replicating a classic Microsoft mistake here.
1. Re:Why is the browser launching anything? by Psychotria · 2013-03-15 21:26 · Score: 1
  
  Even displaying a PDF (or rendering fonts for that matter -- they are code as well in most instances these days) is the browser executing something.
2. Re:Why is the browser launching anything? by Psychotria · 2013-03-15 21:33 · Score: 1
  
  Actually I am pretty sure that font rendering under Windows is in kernel space, so conceivably simply displaying a font could be an effective attack vector; i.e. I don't think that an exploit relying at least partially the font rendering system is beyond the realm of possibility.
3. Re:Why is the browser launching anything? by jo_ham · 2013-03-16 00:33 · Score: 1, Insightful
  
  Hello? Why is a web browser launching other applications without explicit user consent? Ever?
  This was the classic Microsoft security hole - executing anything that came in which could possibly be executed - Word documents, spreadsheets, autoplay files, Universal Plug and Play. Microsoft has now turned most of that off. Apple is replicating a classic Microsoft mistake here.
  It doesn't, or it shouldn't - that was the point. Safari *does* explicitly ask for consent before launching apps downloaded from the internet, but one script type was whitelisted by accident/oversight. This has now been fixed.
4. Re:Why is the browser launching anything? by loufoque · 2013-03-16 06:07 · Score: 1
  
  You clicked the link, that's explicit consent.
5. Re:Why is the browser launching anything? by tepples · 2013-03-16 10:23 · Score: 1
  
  You clicked the link, that's explicit consent.
  No, the advertisement on an unrelated web page redirected to the link.
Don't use computers, problem solved by Anonymous Coward · 2013-03-15 19:06 · Score: 1

I solved the problem by:
1) Uninstalling Java
2) Throwing the computer in the trash
Problem solved.
1. Re:Don't use computers, problem solved by Psychotria · 2013-03-15 21:33 · Score: 2
  
  I solved the problem by:
  1) Uninstalling Java
  2) Throwing the computer in the trash
  Problem solved.
  I have done this as well! I also don't use the internet.
2. Re:Don't use computers, problem solved by roman_mir · 2013-03-15 21:59 · Score: 1
  
  You are doing it all wrong, arms. GET RID OF THE ARMS! Did you know arms were digital?
  
  --
  You can't handle the truth.
Re:what JAVA? by binarylarry · 2013-03-16 00:18 · Score: 1

Just Another Vulnerability Angle?
FYI Java is not an acronym.

--
Mod me down, my New Earth Global Warmingist friends!
Qt Java by dannydawg5 · 2013-03-16 00:35 · Score: 1

I used to be a Java fan until I found Qt. I see no reason for Java except in very narrow cases.
http://dannagle.com/2013/03/qt-java/
Re:Qt Java by gtall · 2013-03-16 03:58 · Score: 1

Except for the mountains of back end Java code which happily works just fine, surely you knew this, yes?
Re:Qt Java by tepples · 2013-03-16 10:25 · Score: 1

thanks to JIT compilation
How is JIT compilation compatible with strict W^X security?