Slashdot Mirror


Apple Nabs Java Exploit That Bypassed Disabled Plugin

Trailrunner7 writes "Apple on Thursday released a large batch of security fixes for its OS X operating system, one of which patches a flaw that allowed Java Web Start applications to run even when users had Java disabled in the browser. There have been a slew of serious vulnerabilities in Java disclosed in the last few months, and security experts have been recommending that users disable Java in their various browsers as a protection mechanism. However, it appears that measure wasn't quite enough to protect users of some versions of OS X."

23 of 97 comments

  1. Java and flash... by sdsucks · · Score: 4, Insightful

    Incredibly, still the biggest shit on the internet.

    Too bad, as a language I actually like Java. Flash is crap though, always was, always will be.

    1. Re:Java and flash... by eksith · · Score: 5, Interesting

      The problem with flash are the developers. ActionScript can do a lot of things... that doesn't mean those things should have been done. Of course if sandboxing was foolproof, things would have worked better for both technologies. Hopefully HTML5 can fill the gap for both and we can finally do away with both plugins.

      --
      If computers were people, I'd be a misanthrope.
    2. Re:Java and flash... by casab1anca · · Score: 5, Informative

      Flash is crap though, always was, always will be.

      Flash may be crap now but for a long time, it (and Shockwave before it) was the only practical way of displaying interactive multimedia content in the browser.

    3. Re: Java and flash... by Anonymous Coward · · Score: 2

      You're right, but as they added features they always treated security as an afterthought.

      If security isn't part of the foundation and framework of your products then you're always going to be playing catchup as you ship vulnerabilities to your customers.

    4. Re:Java and flash... by GoodNewsJimDotCom · · Score: 4, Interesting

      Windows could have been sandboxed too making it impossible to edit system files, access files outside the installation directory too. Also autobooting at start should be something only the user can choose and can't be automatically checked. This would have rendered most viruses useless. This should have been done circa 1995-98 when the Internet was just going mainstream.

    5. Re:Java and flash... by sdsucks · · Score: 2

      Windows could have been sandboxed too making it impossible to edit system files, access files outside the installation directory too.

      You have a lot more faith in sandboxing than you should. Sandboxing is more like a fence than it is a wall.

    6. Re:Java and flash... by JDG1980 · · Score: 4, Insightful

      Windows could have been sandboxed too making it impossible to edit system files, access files outside the installation directory too. Also autobooting at start should be something only the user can choose and can't be automatically checked. This would have rendered most viruses useless. This should have been done circa 1995-98 when the Internet was just going mainstream.

      The problem is that circa 1995-98, the average home PC simply wasn't powerful enough to handle this kind of sandboxing while maintaining acceptable performance. Windows 9x basically ran on bare metal (one bad app could easily bring the whole system down) and there was no such thing as security. It was crude, but it was the best you could do on a Pentium 100 with 8 megs of RAM (16 if you were lucky). A modern smartphone leaves these old systems in the dust. The Windows NT series has a Unix-style security model, though it was undermined by the need for backwards compatibility forcing regular users to run as administrator (UAC was a belated attempt to fix this). But this also means that NT needs a faster processor and a lot more RAM than 9x. The first home version of Windows based on the NT kernel was XP, and people were all up in arms about its "outrageous" system requirements back in 2001.

      Nowadays, you can usually get away with running as a limited user and escalating only when installing or updating a program from a trusted source. I agree that sandboxing could be more sophisticated than it is on Windows, but this isn't a unique flaw; in fact, it's a result of copying the outdated Unix security model, which assumes that the program is the user and would do roughly what the user wanted (maybe true in the 1970s on shared university systems, but obvious nonsense now).

    7. Re:Java and flash... by DKlineburg · · Score: 2

      Even if you sandbox, does the average user know when to click yes run, vs no don't? But I want to see cute kittens playing with yarn!

      --
      Memory is deceptive because it is colored by today's events. - Albert Einstein
    8. Re:Java and flash... by penix1 · · Score: 2

      The problem is that circa 1995-98, the average home PC simply wasn't powerful enough to handle this kind of sandboxing while maintaining acceptable performance. Windows 9x basically ran on bare metal (one bad app could easily bring the whole system down) and there was no such thing as security. It was crude, but it was the best you could do on a Pentium 100 with 8 megs of RAM (16 if you were lucky). A modern smartphone leaves these old systems in the dust. The Windows NT series has a Unix-style security model, though it was undermined by the need for backwards compatibility forcing regular users to run as administrator (UAC was a belated attempt to fix this). But this also means that NT needs a faster processor and a lot more RAM than 9x. The first home version of Windows based on the NT kernel was XP, and people were all up in arms about its "outrageous" system requirements back in 2001.

      I argue it is a far different reason that has nothing to do with the hardware...

      Microsoft's insistence on backwards compatibility is the culprit. They needed to maintain DOS compatibility or the businesses would have ditched them if Win 9x didn't. This is why even right up to Windows 7 you still have an emulated DOS environment. Machines have increasingly become more powerful yet Microsoft still has to maintain the old shit or lose market share with the businesses. This above all else is the reason you have the mess that is a Windows environment. Throw in the constant threats of antitrust every time they try to add in security (mostly from the antivirus industry) and it really is a mess.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    9. Re:Java and flash... by dreamchaser · · Score: 2

      Only the 32 bit version of Windows 7 can run old 16 bit code for DOS or Windows, so you're half right since about half the people running Win 7 are using the 64 bit edition.

    10. Re:Java and flash... by angel'o'sphere · · Score: 2

      Flash was a nightmare on Macs until recently.

      After a day or so you always had a flash process running that ate one of your CPUs for 98% or more.

      For some reason flash was unable to "not animate" all hidden windows etc.

      I switched to Chrome for only one reason: the Taskmanager window. Here you can kill the flash process without harming the open tabs. (Well, every flash widget gets a "sad eye": "oh! flash is gone!")

      This is the reason why iOS does not support Flash natively.

      I believe Safari runs Flash now in a separate process which you can "kill -9" if needed.

      Before Chrome I really hated it to be forced to kill Safari every few days to get rid of the Flash ... well perhaps I should have been consequent and just disabled it.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    11. Re:Java and flash... by angel'o'sphere · · Score: 2

      This is not insightful, if at all it is informative :D Because it is half wrong.

      The problem is that circa 1995-98, the average home PC simply wasn't powerful enough to handle this kind of sandboxing while maintaining acceptable performance. Windows 9x basically ran on bare metal (one bad app could easily bring the whole system down) and there was no such thing as security. It was crude, but it was the best you could do on a Pentium 100 with 8 megs of RAM (16 if you were lucky).
      All other operating systems running on similar hardware but having strict security and privileges prove you wrong. Even Linux existed at that time already and ran happily on that hardware.

      Also I have the impression most people here are not really sure about what sandboxing actually is.

      Sandboxing e.g. has nothing to do with the fact that I run my applications as an ordinary user and escalate to a wheel user when installing software (in fact 90% of the software installs don't require root access anyway).

      Sandboxing means e.g.: my mail program can only write into the folder where the mail is stored. So regardless how you attack my mail program the operating system will not let it write anything elsewhere, regardless if it runs as "Angelo" or as "root" (hence it can not modify other applications etc.) Also the OS won't let it read any files, except those in the mail folder, the mails I have received or sent.
      That was just an example ... Mail.app is not that strongly sandboxed.
      The performance impact of a sandbox is close to zero. Hence the claim it was impractical on older hardware is just nonsense.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    12. Re:Java and flash... by drinkypoo · · Score: 3, Interesting

      E.g. you can changeroot the process and then it can't do anything.

      chroot is a big help, but it doesn't preclude gaining access to memory, and if you have enough access to that then you can write files using other processes' permissions. You really need to virtualize to even claim to have a sandbox which is useful from a security standpoint. Even then it's not impossible to exploit a virtual driver and gain access to the underlying hardware indirectly.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    13. Re:Java and flash... by angel'o'sphere · · Score: 2

      I had linux installed on a 486 with 16MB and 32MHz.
      It ran superbly and was much faster than Win 95/98 on a Pentium 2.
      Also I don't recall that windows had any fancy thing in its windows manager that costs more cpu power than X did.
      On top of that, you seem not to know much about computing history.
      The OSes I refer to are Sun BSD (SunOS 4), the early Sun Solaris, HP-UX, DEC Ultrix, VAX VMS, and there are dozens more, SGI, Apollo etc.
      So no, you and your parent are wrong. You are wrong on the simple fact: security costs perhaps 1% computing power. So it fucking does not matter whether you are having it on a 2MHz processor or on a 2 GHz processor.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  2. So... by Molochi · · Score: 2, Interesting

    If the Apple Safari browser on Apple OSX had Java disabled it let it run anyway? Glad they fixed that.

    Such an hero.

    --
    "The Adobe Updater must update itself before it can check for updates. Would you like to update the Adobe Updater now?"
    1. Re:So... by Stupendoussteve · · Score: 2

      Kind of.

      The issue was not Java applets embedded in webpages, they were still disabled. It has to do with a (stupid) feature in Safari, "Open 'Safe' files after downloading." Apparently the Java web start files were on the safe list and would auto-execute.

    2. Re:So... by Kyusaku+Natsume · · Score: 2

      Since Safari 2 or 3 that "Open safe files after downloading" has been the worst design decision by the Safari team. It is the first thing I disable when I do a new install of OS X.

      --
      Mexico: 100% conservative's America now!
  3. Not a bug? by subanark · · Score: 5, Informative

    A webstart link is simply a jnlp file, which is an xml file, that if opened with javaws will start up the Java application (in a sandbox or warn the user it won't). This does not attach to the web browser and runs in its own frame. When you install Java it should associate jnlp files with javaws so that when you click with a browser it shouldn't launch the javaws program unless you choose to always open with it when you click it.

    From the article this seems to be a bug with the way the Mac handled scripts in an unexpected way.
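The descriptor format described in the comment above, as an added example that is not part of the original thread: a small Python triage function that reads a downloaded `.jnlp` file and reports what javaws would be asked to fetch and run, including whether it asks to leave the sandbox. The sample descriptor, its host names and the specific findings are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample descriptor; hosts and class names are made up.
SAMPLE_JNLP = """<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://apps.example.test/tool/" href="tool.jnlp">
  <information><title>Sample Tool</title><vendor>Example</vendor></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="tool.jar" main="true"/>
    <jar href="https://cdn.example.test/lib/util.jar"/>
  </resources>
  <application-desc main-class="test.example.Main"/>
</jnlp>"""

def audit_jnlp(text):
    """Summarise what a JNLP descriptor would make javaws fetch and run."""
    # Refuse DTDs up front: a launch descriptor needs none, and entity
    # declarations are the usual way to abuse an XML parser.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD/entity declarations not allowed in a JNLP file")
    root = ET.fromstring(text.encode("utf-8"))
    if root.tag != "jnlp":
        raise ValueError("not a JNLP descriptor")
    codebase = root.get("codebase", "")
    jars = [urljoin(codebase, e.get("href", ""))
            for e in root.iter() if e.tag in ("jar", "nativelib")]
    sec = root.find("security")
    perms = sorted(c.tag for c in sec) if sec is not None else []
    main = root.find("application-desc")
    findings = []
    if "all-permissions" in perms:
        findings.append("requests all-permissions (runs outside the sandbox)")
    if any(urlparse(j).scheme != "https" for j in jars):
        findings.append("code fetched over a non-HTTPS URL")
    if len({urlparse(j).netloc for j in jars}) > 1:
        findings.append("jars come from more than one host")
    if any(e.tag == "nativelib" for e in root.iter()):
        findings.append("loads native libraries")
    return {"codebase": codebase, "jars": jars, "permissions": perms,
            "main_class": main.get("main-class") if main is not None else None,
            "findings": findings}

if __name__ == "__main__":
    for key, value in audit_jnlp(SAMPLE_JNLP).items():
        print(f"{key}: {value}")
```
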

    1. Re:Not a bug? by _xeno_ · · Score: 3, Interesting

      It's only not a bug in that it was by design.

      Basically Mac OS X has a list of "safe" files that don't bring up an "are you sure you want to open this file?" dialog after it's been downloaded. The idea is that if you download a text file, you won't get a dialog warning you that the file is insecure when you try and open it.

      JNLP files were put in that list, presumably based on the assumption that Java was "secure." (Bad assumption!)

      The fix was to remove them from the safe list, so now you'll get an "are you sure?" dialog from the OS itself rather than assuming Java is secure.

      --
      You are in a maze of twisty little relative jumps, all alike.
    2. Re:Not a bug? by devent · · Score: 2

      That's the fault of the operating system (i.e. Windows).
      I have Windows 7 for gaming and every time I start it to do some games, a few popups will come up, sometimes my screen will get black with a UAC dialog. That one time, Windows 7 just terminates my game and does a restart (for updates).

      Use a real operating system like Linux and that stupid will go away. No more popups from 10 different applications informing you of an update, no more restarts to do updates (not even for a kernel update you need a restart). And yes, no more stupid "toolbar" that needs to be installed.

      --
      http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
    3. Re:Not a bug? by subanark · · Score: 2

      Not entirely true. You simply want to disable automatic execution of Java code. There are many apps out there that people don't even know use Java to run (although many of them use a private JVM to run in). The same goes for flash.... you wouldn't want your flash app to stop working since you disabled it in your web browser.

      I know that Ubuntu requires jars to have the executable set on them before you can use them with java. What the mac did will still allow this, as it marks files as to their original location. If you download a program (including java jars) you will get a warning that you downloaded this [java, perl, unix, flash, windows, etc...] program on the internet. It could harm your computer. Are you sure you want to continue? Additionally, since Java isn't installed on Macs by default anymore, it will ask you if you want to install it if you try and open a jar.

  4. Why is the browser launching anything? by Animats · · Score: 2

    Hello? Why is a web browser launching other applications without explicit user consent? Ever?

    This was the classic Microsoft security hole - executing anything that came in which could possibly be executed - Word documents, spreadsheets, autoplay files, Universal Plug and Play. Microsoft has now turned most of that off. Apple is replicating a classic Microsoft mistake here.

  5. Re:Don't use computers, problem solved by Psychotria · · Score: 2

    I solved the problem by:

    1) Uninstalling Java
    2) Throwing the computer in the trash

    Problem solved.

    I have done this as well! I also don't use the internet.