Mac OS X Users Vulnerable To Major Java Flaw 306
FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."
Java and not javascript (Score:5, Informative)
I've disabled Java in Safari and doubt I'll see any difference since so few sites use Java applets these days. This is of course unrelated to Javascript which is much more disruptive when disabled.
Re:Java and not javascript (Score:5, Informative)
I've had Java disabled for years, and have only ever had to enable it for broadband speed test applets. Aside from that, and some upload plugins (though that's mostly flash or AJAX nowadays) client-side java just isn't used much on the web anymore.
I doubt you'll notice the difference.
Re:Java and not javascript (Score:5, Informative)
I've had Java disabled for years, and have only ever had to enable it for broadband speed test applets.
Then you are very lucky, and likely don't work for a ginormous company whose only way to not make things in ActiveX is to make them in Java. My timesheet program = Java. My Expense Report software = "Extensity" which seems to only like one version of the JVM. Lucky you!
Re:Java and not javascript (Score:4, Insightful)
Very similar here.
At home, I had removed all traces of Java like eons ago. Never had a problem. Only OO.o occasionally complains that there is no Java installed, but no crucial functionality is affected.
In office, one of the corporate portals uses ActiveX and Java. Though Java applet is used apparently only during authentication, it still requires Java. (IOW, puny 20K applet wastes countless megabytes/gigabytes of disk space on hundred desktops.) Otherwise - no Java in sight.
Re:Java and not javascript (Score:5, Insightful)
Then you are very lucky, and likely don't work for a ginormous company whose only way to not make things in ActiveX is to make them in Java.
: ) Reason no 12939 not to work at a gigantic corporation. Having experienced working in large companies, I sympathise.
The funniest thing about large companies using web-apps for internal software is that most of them produce web-apps which depend on technology which is not truly cross-platform (Active-X, using a certain JVM, depending on a certain browser, etc), thus removing most of the business benefit of using a web application in the first place.
Re: (Score:2)
Then you are very lucky, and likely don't work for a ginormous company whose only way to not make things in ActiveX is to make them in Java.
: ) Reason no 12939 not to work at a gigantic corporation. Having experienced working in large companies, I sympathise.
The funniest thing about large companies using web-apps for internal software is that most of them produce web-apps which depend on technology which is not truly cross-platform (Active-X, using a certain JVM, depending on a certain browser, etc), thus removing most of the business benefit of using a web application in the first place.
I'm not sure this is a totally correct assessment. Large companies tend to have defined desktop standards that they force all users to adhere to, even when they cause problems (i.e. full disk PGP encryption on a developers desktop work station because they might test with sensitive data). The standards apply to developers, call center and executive admins equally, so they don't really work well for any one group. This is the norm as a way to keep internal support costs down.
But, because of this standardi
Re:Java and not javascript (Score:5, Insightful)
But, because of this standardization, the internal development staff only needs to target one defined platform, they aren't really worried about cross-platform support.
This works really well as a way to cut costs *for the IT department* in the short term. As to whether it cuts costs for the company as a whole (there's the lost productivity involved in enforcing a standard install that you alluded to, and the lack of choice of tools), is another matter, and I'm sure varies with the company/tech involved. Obviously some degree of standardisation is required when managing large numbers of computers, so I'd happily concede that point.
But there is a bigger issue related to this strategy in the long term. In the long term, targeting one platform exclusively leads to the production of tools which are tied tighter and tighter to that platform. So it means you can never switch to a competitor; you can't even consider switching to a competitor unless you're willing to ditch all the internal software that you've built up which will only work on version X of system X. It becomes simply impossible for your business to even think about switching. You might even find that moving to a new version of an operating system has significant costs which you had not anticipated (an XP to Vista migration for example, or IE 6 to IE 8). These are not the normal costs of doing business, they are the costs of doing business if you choose to lock yourself too tightly to one platform.
There is a reason that Microsoft pushed things like Active-X, .NET and IE for web apps, Sun pushes Java everywhere, Apple encourages web pages made for iPhones, etc. It is to tie developers/companies in to using just their products, and it is in the long-term interests of the tool provider, not the company using the tools to work with.
Using web apps for internal software is a good way out of this conundrum, so long as you do not target a specific platform with them. Otherwise, you may as well be writing binary software tied to a specific version of one OS - the end result is the same - lock-in. I understand completely why, in the real world, these decisions are made, but if you look at the situation rationally they are not good investments of time/money over the long-term, and they undermine the very reasons for writing software as a web application in the first place.
Re: (Score:3, Informative)
The funniest thing about large companies using web-apps for internal software is that most of them produce web-apps which depend on technology which is not truly cross-platform (Active-X, using a certain JVM, depending on a certain browser, etc), thus removing most of the business benefit of using a web application in the first place.
Your experience may be different from mine, but the driving motivation behind using web applications for internal software has nothing to do with being cross platform but rather to do with ease of deployment. The business has a pretty tight control over what platforms are being used, they don't need to cater to any platform they haven't put in place. The real business benefit is not having to send out IT people to update each and every client machine for every update to the software.
Customized JVMs (Score:2, Interesting)
Re:Java and not javascript (Score:5, Informative)
Though I'm not sure why this whole discussion is under the title "Mac OS X users vulnerable..." when as the submission says the issue affects everybody. Other than to start yet amother boring FUD/flamebait war, of course.
Maybe it's because everybody else has patched it
FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple.
Re: (Score:3, Informative)
If anything is misleading, it's the "100% reliable" part.
that's a quote from the time the flaw was discovered. the news today is that Apple is the only one still vulnerable.
Re: (Score:3, Interesting)
Re:Java and not javascript (Score:5, Informative)
I say may because Flex / Flash is pretty embedded and Microsoft is moneyhatting its way into the scene. Sun doesn't have money so its almost a charity case at this time, relying on good will from mobile phone companies and Java devs.
Anyway, Apple's "support" of Java is pretty pathetic. They're usually a year or more behind the curve and its not acceptable.
Re:Java and not javascript (Score:5, Insightful)
Anyway, Apple's "support" of Java is pretty pathetic. They're usually a year or more behind the curve and its not acceptable.
You're absolutely right about that. Apple decided that they'd be better than Sun at creating a JVM for their OS, so they did it themselves.
The result? PPC Macs are stuck on Java 1.5; Intel Macs have outdated, slow, and exploit vulnerable Java 1.6...
I'm more inclined to let the company that specializes in that stuff deal with it - but then again, maybe it gave them much needed experience for their Rosetta technology.
Re:Java and not javascript (Score:5, Interesting)
I'm more inclined to let the company that specializes in that stuff deal with it - but then again, maybe it gave them much needed experience for their Rosetta technology
According to the Sun engineers I've talked to it all has to do with a really old license agreement between Apple and Sun that they can't change for now. Sun is forbidden to directly release Java for Mac OS X until the agreement expire or Apple decides to make a new agreement. The only practical solution they proposed was to use the BSD port of OpenJDK. You won't have the Aqua UI and I think you have to deal with X11, but you will have an overall better Java.
Re:Java and not javascript (Score:5, Informative)
It looks like OpenJDK now runs on MacOSX:
http://landonf.bikemonkey.org/static/soylatte/ [bikemonkey.org]
Re:Java and not javascript (Score:5, Informative)
It does, but only with X11.
Re:Java and not javascript (Score:4, Informative)
AWT/Swing may be limited to X11, but SWT applications can still use Carbon (or Cocoa using the in-development version.)
Re:Java and not javascript (Score:4, Interesting)
Re: (Score:3, Informative)
The result? PPC Macs are stuck on Java 1.5; Intel Macs have outdated, slow, and exploit vulnerable Java 1.6...
Not only that but the Java "1.6" they support isn't the full version, it's missing all sorts of API's that are in the Sun version.
I'm not a huge Java fan but I wish Apple would step up their Java support. I hear rumors that Snow Leopard will contain the full Java 1.6 from Sun.
Re: (Score:2)
What APIs is it missing?
What is even more annoying than 1.5 on PPC, is that Intel Core Duo (32 bit) Intel macs are also doomed to 1.5 only.
Only those with Core 2 Duo get 1.6.
Re:Java and not javascript (Score:4, Informative)
Apple decided that they'd be better than Sun at creating a JVM for their OS, so they did it themselves.
That might have been the initial reason. Maybe.
But Apple really, really wants developers to use Objective-C and Cocoa when they are creating software for OS X. From Apple's strategic perspective, why support an alternative platform (and Java is an alternative platform) that doesn't lead to great Mac software, especially great Mac-only software.
And about that agreement between Sun and Apple that keeps Sun off OS X: now that Java is open sourced, what is keeping the community from creating and releasing an OS X-native client?
Re: (Score:2)
Actually that's a good point. The last time I remember Java being needed was for my corporate SSL-VPN that I used about 9 months ago. Java is kind of obsolete these days in a browser what with Flash being everywhere (except my damn iPhone, which doesn't do Java either though anyway).
Great interoperability (Score:5, Funny)
'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,'
And the Java critics said total platform independence was impossible!
Re:Great interoperability (Score:5, Funny)
Yay this is gonna be so much easier than trying to ship Wine with my viruses...
Oh I don't know... (Score:5, Interesting)
after meeting some Mac newbies I am think I can already see the iceberg. Two are friends, one of which called me out of the blue to tell me that he just bought his first Mac (an iMac actually). Well needless to say I get calls from both since I am the "mac expert" (Read: I had one longer than them).
The simplest way to say it, they are more than happy to key in their password for anything that asks, even if they don't know what they are doing. After all, they are on a Mac, they don't have virus protection because it doesn't need it, so how is something bad going to get on the system. These are not normally dense people, well maybe they are proving me wrong.
So I figure that someone out there will rely on this type of stupidity to get key loggers, bots, and the like, on Macs. The number of people out there who buy one because they think it makes them cool or smart cannot be underestimated.
I do know one of these two did ditch firefox because they didn't like clicking the ad-block button to allow some sites. So it is just a matter of time.
(and no, I do not run a AV or worry about it on either of my Macs)
Re:Oh I don't know... (Score:4, Insightful)
In "the oldun days", computers used to come with books, instruction manuals, telling you how to use them. Nower days, OS vendors will jump through hoops to try and ensure that their users Do Not Have To Learn A God Damn Thing(tm)... and in some instances, inconsistent user interfaces actually prohibit learning (although I wouldn't call this common case). And this is the result.
I'm not suggesting people should have to know all the nuts and bolts of the internals, but I'm sure there's a middle ground so this culture of "our users are stupid, we must protect their tiny brains" can be vanquished.
(this is not limited to Apple/OSX by any means, although they do appear to me to be worse for it, this gap is closing fast)
Re: (Score:3, Insightful)
In "the oldun days", computers used to come with books, instruction manuals, telling you how to use them.
Yup - and we ignored them for the most part. They did look nifty on the shelf. I've still got a few.
Having said that - I agree with the general premise of what you're saying. Back then, we respected the microcomputer for the complex little beastie it was. These days people are being told that their computer is as simple as a toaster. They're buying in to a whole case of snakeoil.
What makes it even more difficult is an almost willful ignorance from end users. I've talked to some very intelligent (in on
Re: (Score:2)
There's not much you can do to prevent the combination of a trojan and a user determined to get it running on his machine.
You almost have to have that sixth sense for dodgy websites or software, because it's not always like the password prompt comes from the wrong place...with at least some of the (few) Mac trojans out there, they're just packaged as disk image files with installers inside, like everything else. For those people, anti-virus is the best option, I suppose.
We can hope that the security "cultur
Re:Oh I don't know... (Score:5, Informative)
As an agriculture monoculture, PCs were an easy infection target because of their uniformity and number. I wonder if, in an imaginary world where Win, Mac & Linux were split 30/30/30, you would still see 1/3 of the Windows malware? Hopefully not. Hopefully it'd be less.
I hate to break it to you but I remember the days when there was no Windows monoculture and data was usually passed with floppy disks.
Malware existed on all common desktop platforms back then. It couldn't spread as fast, but it certainly existed.
Re: (Score:2)
And the Java critics said total platform independence was impossible!
Well, the vuln doesn't run the same way on all platforms. It only works on OSX and other severely downlevel JVMs.
Re: (Score:2)
Re: (Score:3, Funny)
Nonsense! For years Java apps have been producing platform-independent error messages on all platforms equally. Fortunately, the exploit will probably error out too!
Re:Great interoperability (Score:5, Funny)
Am I the only one who first read that headline as "Mac OS X Users Vulnerable To Major Lava Flow"?
Instructions for turning off Java... (Score:5, Informative)
In case you don't have OS X but want to pass on the instructions to relatives, etc:
In Safari (version 4 beta):
Safari->Preferences->Security->Web Content: Enable Java (uncheck)
In Firefox (3.5 beta, probably the rest):
Firefox->Preferences->Content->Enable Java (uncheck)
I don't have any other browsers (opera, different versions, etc.) on hand, but it might be nice to add instructions in a reply...
Re: (Score:2, Informative)
In Opera
Preferences > Advanced > Content > Enable Java (uncheck) > OK
Re: (Score:2)
It would be nice if there was a way to disable it for all sites but blah.com
Re: (Score:3, Informative)
Re: (Score:2)
It would be nice if there was a way to disable it for all sites but blah.com
Try Noscript.
Noscript for Safari?
Re: (Score:3, Insightful)
I use noscript on firefox. But I would like this option in safari.
Really why should disabling javascript and java with a white list be a feature that requires a 3rd party addon.
Re: (Score:3, Interesting)
I notice most sites don't like it when you turn javascript off, but don't care about java.
The question I would have is that does Javascript on OSX have the same vulnerabilities?
Perhaps the best solution is to install NoScript [wikipedia.org] and white list only the sites needed.
Re: (Score:3, Informative)
The question I would have is that does Javascript on OSX have the same vulnerabilities?
No.
Java:Javascript::Ham:Hamburger
Design or implementation flaw? (Score:5, Interesting)
The articles and bug reports are light on detail, I could only find out it is related to "Deserializing Calendar Objects" and allows the applet to execute stuff with the users rights (or probably more correct, the rights of the webbrowser who started the applet)., which sounds like an implementation problem to me. Was there some reference implementation all JVM-developers used for this specific functionality?
Re: (Score:2)
Historically every 'official' Java implementation has licensed the class libraries from Sun. I'm not sure why GIJ is mentioned in the same breath, since it's code base is based on GNU Classpath, a clean-room implementation of the Sun class libraries. Though, it could have been implemented in a similar manner for binary compatibility across VMs.
So if the flaw is in the class libraries rather than the virtual machine, it's common code... Yes, from the 'reference implementation', now present in OpenJDK - whic
Re:Design or implementation flaw? (Score:5, Informative)
This [blogspot.com], gotten from the comments at TFA, has a bit more details on it.
Apparently it's a mix of both, a structural problem with the fact it needs to grant the Calendar class special priviledges to access ZoneInfo objects, and merely a common pitfall in that nobody had thought to limit those priviledges before to *just* accessing the calendar.
Beautiful stuff they used in the exploit, though, it's as if they actively tried to use every OOP-derived feature in Java on it at the same time ;)
Re:Design or implementation flaw? (Score:5, Interesting)
technical details here [cr0.org].
The gist of it that the Java Calendar code temporarily elevates its privileges in order to deserialize a ZoneInfo object. If you substitute your own object's serialization for the ZoneInfo, you can get the Java runtime to create any object you want. Some questions:
Re: (Score:2)
In answer to question number 3 I would guess that there are quite a few more vulnerabilities to be found in the standard library but with the near non-existence of applets in the wild very few black hatters will be looking for them I suspect.
There is a possible problem with web start applications (of which there are a few) but it would probably be easier to just use peoples ignorance of security to get them to grant your application all permissions. Much as I would like to see it differently JavaFX isn't go
Re:Design or implementation flaw? (Score:4, Interesting)
Good link. It should have been in the summary. It seems like a fairly obscure bug though. Here's an interesting quote:
"I've mentioned that this was a class of vulnerabilities: the reason is that with this design, every time Java code deserializes an attacker-controlled input in a privileged context, it's a security vulnerability."
Maybe it's just lack of imagination on my part, but I can't think of a good reason for a privileged app to deserialize objects from an untrusted source.
To be expected (Score:4, Interesting)
Yes I know I'm probably going to get modded down immediately for saying this, but hell, it's the truth.
Re: (Score:2, Funny)
The (untrue) assumption that many people seem to hold that Macs are just invulnerable to anything bad happening has finally spread to Apple itself, and they're the last to patch this exploit. Since a lot of Mac advertising used to be based on "Macs don't get Viruses" you'd think they'd have been the first to patch this to maintain their reputation. Yes I know I'm probably going to get modded down immediately for saying this, but hell, it's the truth.
yes, you were correct about ONE thing,
Re:To be expected (Score:5, Interesting)
"The (untrue) assumption that many people seem to hold (is) that...", patching actually is a "best practice", when it's not.
Marcus Ranum has a interesting and humorous take [ranum.com] on patching that spells it out much better than I could.
The short version:
This is true of 99.9% of software in use.
Re: (Score:2)
You have to have some sympathy for programmers though, I mean the ingenuity and sheer determination of malware authors means that even the smallest oversight or design flaw is going to be found and used for "evil" purposes.
Re: (Score:2)
Not to defend bad design here, but the relatively recent advent of online play (often in massive numbers) makes it a LOT more difficult to ship flawless games right out of the box. Doing Q&A testing with million user loads is difficult, even with a beta release (and many game developers are loathe to even do open betas, because of piracy issues). Add to this the problems with a large number of those million users trying to exploit cheats in and pirate said software--and you're pretty much guaranteed tha
Re: (Score:2, Insightful)
Usually it's like this
Release 1.0 is shipped. Testing is very extensive and a huge list of bugs are found. The most critical ones are fixed, the rest are scheduled for Patch 1.0. The experienced part of the team moves onto their next project or takes a vacation. Now a load of new people are handed copies of Release 1.0 and assigned a bug. Most of them will manage, but a minority of them will make chages with severe side effects - e.g. their code will corrupt the stack or heap. They module test, missing the
Re: (Score:2)
Re: (Score:2)
<sarcasm>
At least we know that Duke Nukem Forever will be secure when it comes out. After all, the developers aren't ever going to push a product out of the door there in the hope that it will at least start earning them some cash...
</sarcasm>
Re: (Score:2)
"The (untrue) assumption that many people seem to hold (is) that...", patching actually is a "best practice", when it's not.
I don't get WTF you're saying here. It's best not to patch, and just to keep having a security hole? The majority of customers have proven time and time again that they don't want security, they want features. Unfortunately, what we all NEED is security. Simple reality dictates that software will have bugs. I mean, you could run an entirely proven OS... have fun with Hello World!
Re: (Score:2)
Re: (Score:3, Interesting)
"I don't get WTF you're saying here. It's best not to patch, and just to keep having a security hole?"
Not all. I'm saying the features are possible, and so is security, if the companies involved would *take*the*time* to make them a priority, rather than making the public the largest unpaid beta-test pool on the planet.
Part of the problem is there is no liability to them for *not* doing so, the standard EULA ensures that.
"I mean, you could run an entirely proven OS... have fun with Hello World!"
If you'd tak
Re: (Score:2)
Re:To be expected (Score:4, Insightful)
Frak, someone always has to make this post, don't they?
Of course OS X has security flaws: it's a modern, general purpose operating system.
The fact remains that by many metrics it is much more secure than Windows. For one, there are no where near the number of malware in the wild targeting OS X as there are for Windows. Most people who run OS X have never, ever had to worry about contracting a virus, trojan, or worm. That is not the same thing as saying they never will, but it is a remarkable track record.
I am concerned about Apple's slow response to newly identified flaws. Their lack of candor in discussing vulnerabilities, their potential impact on the platform, or details of its remediation in patches' release notes is also worrisome. They need to pick up their game if they want to keep that track record as the platform expands.
Also disable Safari's 'Open"safe" files. (Score:5, Informative)
In addition to disabling Java support, Safari's 'Open "safe" files after downloading' must also be disabled to prevent websites from automatically loading a Java WebStart application via a JNLP file.
I've also posted a demonstration of the vulnerability at http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html [bikemonkey.org]
Not all OS X users at risk (Score:4, Interesting)
For the record, those running Firefox as their default browser, with NoScript installed, won't be affected* unless they *choose* to execute an unknown, untrusted binary within the browser.
*At least the sample exploit at the top of the thread didn't execute for me, YMMV
So how much damage can this do? (Score:3, Interesting)
So it can arbitrarily execute java code in a browser. Well hold on, arn't browser VMs rather crippled anyway in their functionality? And thats after you take into account it'll only have the priviledges of whichever user launched the browser in the first place. So what exactly could you do with this exploit? Steal some cookies, bring up some annoying windows? Or is this about it being able to escape the sandbox? I don't really get it.
Re: (Score:2)
If you're on Mac: http://is.gd/BpBp [is.gd]
Re: (Score:3, Interesting)
A *lot*.
Consider. Many, if not most, Mac users run with admin privileges (though this is a not solely a Mac problem), so having an untrusted binary, able to execute whatever the hell it wants, accessing everything from / on down... well... I leave it to your imagination, but nuking your home directory would be the least of your problems.
Re: (Score:3, Insightful)
Re: (Score:3, Informative)
Actually virtually no Mac users run as "admin", they run on admin enabled accounts, but those accounts require you to enter your password (either in the GUI, or in sudo depending on the function) to perform any admin tasks. It's actually a bit of a chore to actually login as "root" on a Mac, it's a disabled account by default. Trivial for an experienced Unix user or admin to get in and activate it, but in theory that's not our worry here. My last couple of Macs I reactivated root, but on my most recent on
apple letting down java users.. (Score:5, Informative)
Steve Jobs, JavaOne Keynote 2000:
WWDC 2006
Steve Jobs, January 2007 (iPhone related):
2008/05/01
Re:apple letting down java users.. (Score:5, Interesting)
I don't see the point you're making. You might as well have contrasted nine-year disparate statements about RAM size. Over nine years, Apple's stance towards Java has changed; what's wrong with that? In 2000, Java seemed to have a wider path on the desktops than it does in 2009. Other languages and runtime environments have grown up around Java in the subsequent nine years, and to Apple's thinking, the other languages (such as Objective-C 2.0) allow for building better software than Java allows.
Apple's stance appears to be, right or wrong, that Java on the desktop and mobile devices is no longer the best way to develop and deploy software, and thus, they've allowed the Java implementation in OS X to grow long in the tooth, and have outright declined to port it to the iPhone/iPod Touch OS.
Re: (Score:3, Interesting)
Obviously Apple is doing this so app developers must use the Cocoa libraries and internal devs can focus on improving Cocoa.
I don't know why any platform developer would devote resources to Java support. That should be up to Sun and the Java community.
Bitch and moan at Apple if you want, but it is Sun who signed an agreement with Apple promising not to release a OS X version of Java from Sun.
There is no reason to have Java enabled (Score:2)
CERT has been telling users to disable Java in your web browser for years. If you haven't done so already, give it a shot. You probably won't miss it.
http://www.cert.org/tech_tips/securing_browser [cert.org]
Comment removed (Score:5, Informative)
The Money Quote (Score:2)
Others: make sure you have updated Java and still disable it in your web browser: it's a huge attack surface and it suffers from many other security vulnerabilities.
Same "Stuff", Different Vulnerability (Score:3, Informative)
Apple took more than a year after Sun patched it to patch an exploited buffer overflow in the JVM. They'll take forever to fix this too.
Can't disable Java at work (Score:3, Insightful)
- Our Internet filter keeps you authenticated with a popup that embeds a Java applet
- Our Internet filter admin interface is Java
- Our wireless network login uses a Java applet to authenticate your username and password
- Our student record database runs on Oracle with a Java interface
Basically if I disabled Java I could only access one or two superfluous file servers on the LAN, and only using an Ethernet cable. Not gonna happen, unfortunately.
Re: (Score:2, Interesting)
FTFA, looks like what it allows is arbitrary execution of Java code. So it wouldn't be architecture-specific at all, unless you started using architecture-specific stuff in said code. If you've got the JVM to exploit, then you've got the JVM to run stuff on.
Re: (Score:3, Insightful)
Re: (Score:2, Insightful)
Yeah, Snow Leopard was really just an excuse for the programmers to sit around doing nothing all year. Slackers...
Re:Why am I not surprised? (Score:5, Informative)
You've kinda just proven the OP's point. Snow Leopard is just prettying up what already exists.
Snow Leopard is mainly a beneath-the-hood architectural upgrade. http://www.apple.com/macosx/snowleopard/ [apple.com] "Taking a break from adding new features..."
That having been said, there's nothing on there about added security. I can tell you there are some rumors that things like more complete code page protection and address randomization will be in Snow Leo, but Apple's priorities concerning security are rather low; they rely heavily on security-through-obscurity, and one day if they're not careful it's going to bite them.
Re: (Score:3, Interesting)
Could it be that Apple does have security improvements in Snow Leopard, but isn't talking about them yet because they don't want people shouting "OMG Leopard is insecure"?
Re: (Score:2)
Re: (Score:3, Informative)
Snow Leopard is mainly a beneath-the-hood architectural upgrade. Then how are they planning to market it to the Great Unwashed? They're never going to pursuade the fan-base to shell out dollars and cents if they can't see something new and shiny.
All of those people with Macbook Airs (no pun intended) and any upcoming Apple netbook who's systems could use a more svelte OS would be in the market for it. Think Vista vs. Windows 7, except less of a difference in speed and interface. If you don't believe me, check out the site I linked earlier - Apple's own marketing copy says the new features are on "pause" and the feature of Snow Leo is performance and smaller footprint.
Re: (Score:2)
Although this situation is clearly unacceptable, I would not have called your remark insightful. Apple has been pretty busy with the security updates:
http://support.apple.com/kb/HT1222 [apple.com]
As a whole, I would say leopard is pretty secure (when compared to linux, compared to windows it's ironclad). If additional security is required, consider:
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#AppleMac [nsa.gov]
Re: (Score:3, Insightful)
Re: (Score:2)
DNS is obsolete and everyone should be using Bonjour by now.
TQF!
Re: (Score:2, Flamebait)
The problem with Apple is not that they don't take security seriously.
I think it's clear from the outdated state of Open Source components in OSX that Apple does not take security seriously.
But the corporate culture at Apple is secrecy. They must figure that documenting every patch serves only to draw a roadmap for hackers. This "security through obscurity" approach is in dramatic contrast to Microsoft's.
Security through obscurity doesn't work. Numerous hackers have said OSX is less secure than Windows or Linux. But don't let the facts get involved, eh?
As for "prettying up the OS" I'd argue that current versions of the open source Gnome and KDE desktops, with compositing enabled, are probably prettier than Mac OS in most respects.
The smoothness/speed of animation in Compiz is shit. I say this speaking as someone with a Quadro 2700M. Don't let me hear that bullshit about how a Quadro isn't meant for performance, because I can play HL2 at 1920x1080 with all the detail
Re:Why am I not surprised? (Score:5, Informative)
Yeah, this page listing all of the security patches in every Apple update [apple.com] must surely not exist. You know, complete with links to knowledge base articles containing links to the CVE-IDs patched by that particular patch.
Posts like yours are the reason that Slashdot needs a "-1, Factually Incorrect" moderation.
I agree that Apple should have patched this a long time ago, but your argument that Apple does not care about security is just plan asinine.
Re: (Score:3, Interesting)
He agrees that Apple does care about security - read again. But he argues that they are not open about the details of what they fix, which as you point out, is incorrect.
Re:why specify Mac OSX (Score:5, Informative)
If you had read the very first paragraph of the summary, you'd know that it's "a vulnerability in Java that has been patched by everyone but Apple."
For all the other platforms, architectures and browsers the fix is "use a version of Java that's less than 6 months old". For OSX users, however, the only solution is to stop using it altogether.
Re: (Score:3, Interesting)
That of course 1) assumes someone actually writes a virus targeting the Mac platform, 2) you are somehow redirected to a site that hosts the vulnerability, or launch an attachment that is a java applet itself that contains malicious code, 3) the virus doesn't violate other UNIX security rules that would stop it from running on the Mac platform, and 4) that there's actually data stored on your mac in unencrypted form in a directory the virus can get to to steal information from you, or some way the Java app
Pick and choose your quotes much? (Score:4, Informative)
Very well...
I choose this one...
FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple.
So essentially... All Apple users who have left JAVA enabled, and all -other- users who have not yet patched their JAVA installations. Yes, that does include Microsoft Windows, flavor-of-the-month Linux, etc. users who decided to disable auto-updating - if any - of their JAVA installation.
Re:Now patched? (Score:5, Informative)
No patch is currently available -- a fully patched 10.5.7 system remains vulnerable. See also http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html [bikemonkey.org]
Re:Now patched? (Score:5, Insightful)
Re:Now patched? (Score:4, Informative)
Nope. Patched to 10.5.7, with all updates, and the sample exploit would still run. Of course I use FF with NoScript so I had to allow it to run, which just goes to show that sometimes faster is not better [futuremark.com]
quoting the kb article, chasing numbers (Score:2)
Re: (Score:2)
IIUC Your advice doesn't apply to macs, which use their own version of Java.
Re: (Score:2)
Sometimes it blows my mind when i try to understand oxymorons.
Pure Java = pure platform independent.
OS Specific Java = Not Pure Java
non-cross-platform java code = propreitary Java code.
Before i get angry at you, let me try to explain something here. I have been using Java since 1.0.2 JDK in 1996 and failed to install JDK on Win 16-bit with 32-bit extensions...
OS-specific exploits can be written in Java using JNI. JNI alone canm interact with C language (although technically C++ and that code can invoke Asse
Re: (Score:2)
Re: (Score:2)
If I understand it correctly, all Java implementations have this flaw, so why write that it is a "MacOS vulnerability" and not "Java vulnerability"?
Because by now, all others are fixed, and the vulnerability remains only in Apple's Mac-specific version of Java.