Mac OS X Users Vulnerable To Major Java Flaw
FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."
Re:Chipset independent? (Score:2, Interesting)
FTFA, looks like what it allows is arbitrary execution of Java code. So it wouldn't be architecture-specific at all, unless you started using architecture-specific stuff in said code. If you've got the JVM to exploit, then you've got the JVM to run stuff on.
Design or implementation flaw? (Score:5, Interesting)
The articles and bug reports are light on detail; I could only find out that it is related to "Deserializing Calendar Objects" and allows the applet to execute stuff with the user's rights (or, probably more correctly, the rights of the web browser that started the applet), which sounds like an implementation problem to me. Was there some reference implementation all JVM developers used for this specific functionality?
To be expected (Score:4, Interesting)
Yes I know I'm probably going to get modded down immediately for saying this, but hell, it's the truth.
Re:Design or implementation flaw? (Score:5, Interesting)
Technical details here [cr0.org].
The gist of it is that the Java Calendar code temporarily elevates its privileges in order to deserialize a ZoneInfo object. If you substitute your own object's serialization for the ZoneInfo, you can get the Java runtime to create any object you want. Some questions:
Not all OS X users at risk (Score:4, Interesting)
For the record, those running Firefox as their default browser, with NoScript installed, won't be affected* unless they *choose* to execute an unknown, untrusted binary within the browser.
*At least the sample exploit at the top of the thread didn't execute for me, YMMV
Oh I don't know... (Score:5, Interesting)
After meeting some Mac newbies I think I can already see the iceberg. Two are friends, one of whom called me out of the blue to tell me that he just bought his first Mac (an iMac actually). Well, needless to say, I get calls from both since I am the "Mac expert" (read: I had one longer than them).
The simplest way to say it: they are more than happy to key in their password for anything that asks, even if they don't know what they are doing. After all, they are on a Mac, they don't have virus protection because it doesn't need it, so how is something bad going to get on the system? These are not normally dense people; well, maybe they are proving me wrong.
So I figure that someone out there will rely on this type of stupidity to get key loggers, bots, and the like, on Macs. The number of people out there who buy one because they think it makes them cool or smart cannot be underestimated.
I do know one of these two did ditch Firefox because they didn't like clicking the ad-block button to allow some sites. So it is just a matter of time.
(And no, I do not run an AV or worry about it on either of my Macs.)
So how much damage can this do? (Score:3, Interesting)
So it can arbitrarily execute Java code in a browser. Well hold on, aren't browser VMs rather crippled anyway in their functionality? And that's after you take into account it'll only have the privileges of whichever user launched the browser in the first place. So what exactly could you do with this exploit? Steal some cookies, bring up some annoying windows? Or is this about it being able to escape the sandbox? I don't really get it.
Re:So how much damage can this do? (Score:3, Interesting)
A *lot*.
Consider. Many, if not most, Mac users run with admin privileges (though this is not solely a Mac problem), so having an untrusted binary, able to execute whatever the hell it wants, accessing everything from / on down... well... I leave it to your imagination, but nuking your home directory would be the least of your problems.
Re:To be expected (Score:5, Interesting)
"The (untrue) assumption that many people seem to hold (is) that...", patching actually is a "best practice", when it's not.
Marcus Ranum has an interesting and humorous take [ranum.com] on patching that spells it out much better than I could.
The short version:
This is true of 99.9% of software in use.
Re:Java and not javascript (Score:5, Interesting)
I'm more inclined to let the company that specializes in that stuff deal with it - but then again, maybe it gave them much needed experience for their Rosetta technology
According to the Sun engineers I've talked to, it all has to do with a really old license agreement between Apple and Sun that they can't change for now. Sun is forbidden to directly release Java for Mac OS X until the agreement expires or Apple decides to make a new agreement. The only practical solution they proposed was to use the BSD port of OpenJDK. You won't have the Aqua UI and I think you have to deal with X11, but you will have an overall better Java.
Customized JVMs (Score:2, Interesting)
Re:Incorrect (Score:1, Interesting)
Funny, I hear this all the time but I don't remember a commercial where Apple made a claim that Macs don't get viruses. Can you point it out to me? Here, I'll get you started.
http://www.apple.com/getamac/ads/
They have pointed out that they aren't vulnerable to the thousands of viruses on Windows and that none of the spyware that affects them affects the Mac. Maybe I've missed it somewhere, please help me find this mythical commercial.
Someone, anyone!!
Re:apple letting down java users.. (Score:5, Interesting)
I don't see the point you're making. You might as well have contrasted nine-year disparate statements about RAM size. Over nine years, Apple's stance towards Java has changed; what's wrong with that? In 2000, Java seemed to have a wider path on the desktops than it does in 2009. Other languages and runtime environments have grown up around Java in the subsequent nine years, and to Apple's thinking, the other languages (such as Objective-C 2.0) allow for building better software than Java allows.
Apple's stance appears to be, right or wrong, that Java on the desktop and mobile devices is no longer the best way to develop and deploy software, and thus, they've allowed the Java implementation in OS X to grow long in the tooth, and have outright declined to port it to the iPhone/iPod Touch OS.
Re:apple letting down java users.. (Score:3, Interesting)
Obviously Apple is doing this so app developers must use the Cocoa libraries and internal devs can focus on improving Cocoa.
I don't know why any platform developer would devote resources to Java support. That should be up to Sun and the Java community.
Bitch and moan at Apple if you want, but it is Sun who signed an agreement with Apple promising not to release an OS X version of Java from Sun.
Re:Java and not javascript (Score:2, Interesting)
Point taken, but then large corporations can define which version of which browser or JVM is standard and installed on their users' machines, n'est-ce pas?
Their corporate machines, yes. But I am an off-site worker (embedded as a contractor elsewhere) so need to use my personal machine at home to do my time cards, expense reports, etc.
Re:Java and not javascript (Score:4, Interesting)
Re:Design or implementation flaw? (Score:4, Interesting)
Good link. It should have been in the summary. It seems like a fairly obscure bug though. Here's an interesting quote:
"I've mentioned that this was a class of vulnerabilities: the reason is that with this design, every time Java code deserializes an attacker-controlled input in a privileged context, it's a security vulnerability."
Maybe it's just lack of imagination on my part, but I can't think of a good reason for a privileged app to deserialize objects from an untrusted source.
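The cr0.org write-up quoted above and the Calendar/ZoneInfo description earlier in the thread both boil down to one pattern: an ObjectInputStream instantiating whatever class name the attacker put on the wire while running with elevated privilege. The following is an added example, not code from the JDK or from the linked article, showing the standard defensive counterpart: a look-ahead allow-list that rejects unexpected class names before any instance is created. TimeZoneData and Unexpected are constructed stand-ins; modern JDKs (9+) offer the same control built in via ObjectInputFilter.

```java
import java.io.*;
import java.util.Set;

// Added illustration (not JDK code): deserialization restricted to an allow-list of types.
public class RestrictedDeserialization {
    // Constructed stand-in for the one type legitimately expected on the wire (cf. ZoneInfo).
    public static final class TimeZoneData implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        TimeZoneData(String id) { this.id = id; }
    }

    // Constructed Serializable type that must never be accepted by this reader.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static final Set<String> ALLOWED = Set.of(TimeZoneData.class.getName());

    // resolveClass() runs on the class *name* before an instance exists, so a
    // rejection here happens before any constructor, readObject() or readResolve().
    static final class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserializeRestricted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new TimeZoneData("UTC"));           // expected type: accepted
        System.out.println("accepted: " + ((TimeZoneData) deserializeRestricted(good)).id);
        byte[] bad = serialize(new Unexpected());                   // any other type: rejected
        try { deserializeRestricted(bad); } catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The type filter is only half of the mitigation the quote implies; the other half is to never run the readObject() call itself inside a doPrivileged block on attacker-supplied bytes.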
Re:Why am I not surprised? (Score:3, Interesting)
He agrees that Apple does care about security - read again. But he argues that they are not open about the details of what they fix, which as you point out, is incorrect.
Re:Instructions for turning off Java... (Score:3, Interesting)
I notice most sites don't like it when you turn JavaScript off, but don't care about Java.
The question I would have is: does JavaScript on OS X have the same vulnerabilities?
Perhaps the best solution is to install NoScript [wikipedia.org] and white list only the sites needed.
back ups (Score:1, Interesting)
Try the 'say'-invoking applet by Landon Fuller:
http://is.gd/BpBp [is.gd]. That scared the crap out of me... what if it had invoked 'rm -rf ~'?
You would restore from your Time Machine backup, or the off site clone that you created with Carbon Copy Cloner or SuperDuper! (or rsync).
Backing up OS X is dead simple (it's mostly POSIX-compliant underneath); there's no reason not to do it.
Re:To be expected (Score:3, Interesting)
"I don't get WTF you're saying here. It's best not to patch, and just to keep having a security hole?"
Not at all. I'm saying the features are possible, and so is security, if the companies involved would *take*the*time* to make them a priority, rather than making the public the largest unpaid beta-test pool on the planet.
Part of the problem is there is no liability to them for *not* doing so; the standard EULA ensures that.
"I mean, you could run an entirely proven OS... have fun with Hello World!"
If you'd taken the time to follow the link I provided, you would have read that Ranum coded a fully functional OS/web server combo for a porn site a decade ago that's never been successfully hacked, because it was designed with security and a feature set from the very beginning.
BTW, "Hello World!" is not an entirely proven OS that I know of.
Re:Why am I not surprised? (Score:3, Interesting)
Could it be that Apple does have security improvements in Snow Leopard, but isn't talking about them yet because they don't want people shouting "OMG Leopard is insecure"?
Re:Java and not javascript (Score:3, Interesting)
Re:why specify Mac OSX (Score:3, Interesting)
That of course 1) assumes someone actually writes a virus targeting the Mac platform, 2) you are somehow redirected to a site that hosts the vulnerability, or launch an attachment that is a Java applet itself that contains malicious code, 3) the virus doesn't violate other UNIX security rules that would stop it from running on the Mac platform, and 4) that there's actually data stored on your Mac in unencrypted form in a directory the virus can get to to steal information from you, or some way the Java app can infect your machine with other code that can steal your input and passwords.
If all 4 are not true (and they're not yet), then Apple users are currently safe. Apple engineers do not rush "emergency" patches out for vulnerabilities when no ITW code has yet been discovered. They'll also assess what a virus could actually be capable of, and determine the complexity of code required to pull off a hack on their platform, and they'll assign a priority to the code work.
This, I'd gather, is a low-priority risk for Mac as I've not actually heard, other than the proof of concept, of an ITW virus for ANY platform exploiting this vuln, let alone a targeted Mac virus. They'll release a patch, but 6 months in, and with everyone else already having it patched, Apple is likely just waiting to apply it with other patches. Kind of surprised it was not in the 10.5.7 patch recently... must be really low priority. This isn't exactly something they need to invent a fix for...
So, what *am* I paying Apple for then? (Score:1, Interesting)
Funny, I thought timely and accurate patches to the bits of software they want to control and distribute. It is nice that third-parties want to help, and distribute packages built for Java, but hey Apple - I thought I was paying you guys already to do this? How's about getting one of the twenty developers off the 'evil DRMs' project, and onto the seemingly understaffed 'basic patches' project?
*A*