
Mac OS X Users Vulnerable To Major Java Flaw

kdawson posted more than 5 years ago | from the write-once-own-everyone dept.

Security 306

FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple. "Security researchers say that Mac OS X users are vulnerable to a critical, 6-month-old, remote vulnerability in Java, a component that is enabled by default in Web browsers on this platform. Julien Tinnes notes that this vulnerability differs from typical Java security flaws in that it is 'a pure Java vulnerability' and doesn't involve any native code. It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,' Julien wrote. This bug was demonstrated during the Pwn2own security challenge this year at CanSecWest, but the details were not made public at that time. Tinnes recommends that Mac OS X users disable Java in their browsers until Apple releases a security update."


Java and not javascript (5, Informative)

GreatDrok (684119) | more than 5 years ago | (#28022895)

I've disabled Java in Safari and doubt I'll see any difference since so few sites use Java applets these days. This is of course unrelated to Javascript which is much more disruptive when disabled.

Re:Java and not javascript (4, Informative)

Serious Callers Only (1022605) | more than 5 years ago | (#28022939)

I've had Java disabled for years, and have only ever had to enable it for broadband speed test applets. Aside from that, and some upload plugins (though that's mostly flash or AJAX nowadays) client-side java just isn't used much on the web anymore.

I doubt you'll notice the difference.

Re:Java and not javascript (5, Informative)

RevRagnarok (583910) | more than 5 years ago | (#28023337)

I've had Java disabled for years, and have only ever had to enable it for broadband speed test applets.

Then you are very lucky, and likely don't work for a ginormous company whose only way to not make things in ActiveX is to make them in Java. My timesheet program = Java. My Expense Report software = "Extensity" which seems to only like one version of the JVM. Lucky you!

Re:Java and not javascript (3, Insightful)

ThePhilips (752041) | more than 5 years ago | (#28023507)

Very similar here.

At home, I had removed all traces of Java like eons ago. Never had a problem. Only OO.o occasionally complains that there is no Java installed, but no crucial functionality is affected.

In office, one of the corporate portals uses ActiveX and Java. Though Java applet is used apparently only during authentication, it still requires Java. (IOW, puny 20K applet wastes countless megabytes/gigabytes of disk space on hundred desktops.) Otherwise - no Java in sight.

Re:Java and not javascript (1, Insightful)

BrokenHalo (565198) | more than 5 years ago | (#28023577)

It has nothing to do with luck, just bad management.

Though I'm not sure why this whole discussion is under the title "Mac OS X users vulnerable..." when, as the submission says, the issue affects everybody. Other than to start yet another boring FUD/flamebait war, of course.

Re:Java and not javascript (5, Informative)

EthanV2 (1211444) | more than 5 years ago | (#28023735)

Though I'm not sure why this whole discussion is under the title "Mac OS X users vulnerable..." when, as the submission says, the issue affects everybody. Other than to start yet another boring FUD/flamebait war, of course.

Maybe it's because everybody else has patched it

FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple.

Re:Java and not javascript (1)

Hal_Porter (817932) | more than 5 years ago | (#28023635)

I use a nasty application at work in Java. Some versions only work with JRE 1.4 and some only work with JRE 1.5. They even have a message if the wrong version is installed. Actually .Net is just as shitty. Lookout, an excellent Outlook email indexer only works with .Net 1.1. If you have 2.0 installed it will crash [blogs.com]

There are various hackarounds for this, like using a manifest to force Outlook to load .Net 1.1 or even hacking the binary of Lookout [scw.us] , but on my work machine I just uninstalled .Net 2.0 because I don't use anything that needs it.

Of course the best option would have been for the Lookout people to release an updated binary of Lookout to fix the bug that makes it require an old version of .Net. But there's no chance of that because Microsoft bought the company and took down the website. Lookout is now Microsoft Desktop Search, which I probably should be using instead.

Re:Java and not javascript (0)

Anonymous Coward | more than 5 years ago | (#28023917)

I didn't know there were still people using Outlook.

Re:Java and not javascript (4, Insightful)

Serious Callers Only (1022605) | more than 5 years ago | (#28023761)

Then you are very lucky, and likely don't work for a ginormous company whose only way to not make things in ActiveX is to make them in Java.

: ) Reason no 12939 not to work at a gigantic corporation. Having experienced working in large companies, I sympathise.

The funniest thing about large companies using web-apps for internal software is that most of them produce web-apps which depend on technology which is not truly cross-platform (Active-X, using a certain JVM, depending on a certain browser, etc), thus removing most of the business benefit of using a web application in the first place.

Re:Java and not javascript (1)

The Grassy Knoll (112931) | more than 5 years ago | (#28023841)

>thus removing most of the business benefit of using a web application in the first place

Point taken, but then large corporations can define which version of which browser or JVM is standard and installed on their users' machines, n'est-ce pas?


Re:Java and not javascript (1)

dwarfking (95773) | more than 5 years ago | (#28023883)

Then you are very lucky, and likely don't work for a ginormous company whose only way to not make things in ActiveX is to make them in Java.

: ) Reason no 12939 not to work at a gigantic corporation. Having experienced working in large companies, I sympathise.

The funniest thing about large companies using web-apps for internal software is that most of them produce web-apps which depend on technology which is not truly cross-platform (Active-X, using a certain JVM, depending on a certain browser, etc), thus removing most of the business benefit of using a web application in the first place.

I'm not sure this is a totally correct assessment. Large companies tend to have defined desktop standards that they force all users to adhere to, even when they cause problems (i.e. full disk PGP encryption on a developers desktop work station because they might test with sensitive data). The standards apply to developers, call center and executive admins equally, so they don't really work well for any one group. This is the norm as a way to keep internal support costs down.

But, because of this standardization, the internal development staff only needs to target one defined platform, they aren't really worried about cross-platform support. So they'll use what ever tool they are familiar with or that will get them to the end product fastest, because internal development is also usually an expense (not a revenue generator) and those systems tend to be rushed to not waste money.

Re:Java and not javascript (4, Informative)

DrXym (126579) | more than 5 years ago | (#28023083)

Sites don't directly use Java but there are plenty of JNLP style apps. Also, JavaFX *may* spark some kind of mini-resurgence which means more sites use Java for video playback or random other things.

I say may because Flex / Flash is pretty embedded and Microsoft is moneyhatting its way into the scene. Sun doesn't have money so it's almost a charity case at this time, relying on good will from mobile phone companies and Java devs.

Anyway, Apple's "support" of Java is pretty pathetic. They're usually a year or more behind the curve and it's not acceptable.

Re:Java and not javascript (-1, Offtopic)

gaspyy (514539) | more than 5 years ago | (#28023237)

Microsoft is moneyhatting its way into the scene

Indeed. The funny thing is that even though they push Silverlight, major sites drop it and go back to Flash/AIR.

After MLB move reported a while ago on Slashdot, New York Times dropped their Silverlight reader and unveiled the Times Reader 2 [nytimes.com] , which is AIR based.

Re:Java and not javascript (5, Insightful)

BikeHelmet (1437881) | more than 5 years ago | (#28023317)

Anyway, Apple's "support" of Java is pretty pathetic. They're usually a year or more behind the curve and it's not acceptable.

You're absolutely right about that. Apple decided that they'd be better than Sun at creating a JVM for their OS, so they did it themselves.

The result? PPC Macs are stuck on Java 1.5; Intel Macs have outdated, slow, and exploit vulnerable Java 1.6...

I'm more inclined to let the company that specializes in that stuff deal with it - but then again, maybe it gave them much needed experience for their Rosetta technology.

Re:Java and not javascript (5, Interesting)

kthreadd (1558445) | more than 5 years ago | (#28023503)

I'm more inclined to let the company that specializes in that stuff deal with it - but then again, maybe it gave them much needed experience for their Rosetta technology

According to the Sun engineers I've talked to it all has to do with a really old license agreement between Apple and Sun that they can't change for now. Sun is forbidden to directly release Java for Mac OS X until the agreement expires or Apple decides to make a new agreement. The only practical solution they proposed was to use the BSD port of OpenJDK. You won't have the Aqua UI and I think you have to deal with X11, but you will have an overall better Java.

Re:Java and not javascript (4, Informative)

esme (17526) | more than 5 years ago | (#28023593)

It looks like OpenJDK now runs on MacOSX:

http://landonf.bikemonkey.org/static/soylatte/ [bikemonkey.org]

Re:Java and not javascript (5, Informative)

BrokenHalo (565198) | more than 5 years ago | (#28023741)

It looks like OpenJDK now runs on MacOSX:

It does, but only with X11.

Re:Java and not javascript (2, Informative)

Cthefuture (665326) | more than 5 years ago | (#28023759)

The result? PPC Macs are stuck on Java 1.5; Intel Macs have outdated, slow, and exploit vulnerable Java 1.6...

Not only that but the Java "1.6" they support isn't the full version, it's missing all sorts of APIs that are in the Sun version.

I'm not a huge Java fan but I wish Apple would step up their Java support. I hear rumors that Snow Leopard will contain the full Java 1.6 from Sun.

Re:Java and not javascript (1)

Professor_UNIX (867045) | more than 5 years ago | (#28023475)

Actually that's a good point. The last time I remember Java being needed was for my corporate SSL-VPN that I used about 9 months ago. Java is kind of obsolete these days in a browser what with Flash being everywhere (except my damn iPhone, which doesn't do Java either though anyway).

Great interoperability (5, Funny)

Chrisq (894406) | more than 5 years ago | (#28022907)

'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,'

And the Java critics said total platform independence was impossible!

Re:Great interoperability (4, Funny)

x2A (858210) | more than 5 years ago | (#28022935)

Yay this is gonna be so much easier than trying to ship Wine with my viruses...

Oh I don't know... (4, Interesting)

Shivetya (243324) | more than 5 years ago | (#28023299)

after meeting some Mac newbies I think I can already see the iceberg. Two are friends, one of which called me out of the blue to tell me that he just bought his first Mac (an iMac actually). Well, needless to say I get calls from both since I am the "mac expert" (Read: I had one longer than them).

The simplest way to say it, they are more than happy to key in their password for anything that asks, even if they don't know what they are doing. After all, they are on a Mac, they don't have virus protection because it doesn't need it, so how is something bad going to get on the system. These are not normally dense people, well maybe they are proving me wrong.

So I figure that someone out there will rely on this type of stupidity to get key loggers, bots, and the like, on Macs. The number of people out there who buy one because they think it makes them cool or smart cannot be underestimated.

I do know one of these two did ditch firefox because they didn't like clicking the ad-block button to allow some sites. So it is just a matter of time.

(and no, I do not run an AV or worry about it on either of my Macs)

Re:Oh I don't know... (3, Insightful)

x2A (858210) | more than 5 years ago | (#28023513)

In "the oldun days", computers used to come with books, instruction manuals, telling you how to use them. Nowadays, OS vendors will jump through hoops to try and ensure that their users Do Not Have To Learn A God Damn Thing(tm)... and in some instances, inconsistent user interfaces actually prohibit learning (although I wouldn't call this a common case). And this is the result.

I'm not suggesting people should have to know all the nuts and bolts of the internals, but I'm sure there's a middle ground so this culture of "our users are stupid, we must protect their tiny brains" can be vanquished.

(this is not limited to Apple/OSX by any means, although they do appear to me to be worse for it, this gap is closing fast)

Re:Great interoperability (1)

MaggieL (10193) | more than 5 years ago | (#28023551)

And the Java critics said total platform independence was impossible!

Well, the vuln doesn't run the same way on all platforms. It only works on OSX and other severely downlevel JVMs.

Re:Great interoperability (1)

AHuxley (892839) | more than 5 years ago | (#28023819)

And it will run fast too! Is there anything this Java exploit cannot do?

Re:Great interoperability (3, Funny)

AJ Mexico (732501) | more than 5 years ago | (#28023855)

And the Java critics said total platform independence was impossible!

Nonsense! For years Java apps have been producing platform-independent error messages on all platforms equally. Fortunately, the exploit will probably error out too!

Chipset independent? (1)

KingRobot (703860) | more than 5 years ago | (#28022909)

Is it independent of the chipset as well, or does it only apply to x86?

Re:Chipset independent? (2, Interesting)

EvanED (569694) | more than 5 years ago | (#28022929)

FTFA, looks like what it allows is arbitrary execution of Java code. So it wouldn't be architecture-specific at all, unless you started using architecture-specific stuff in said code. If you've got the JVM to exploit, then you've got the JVM to run stuff on.

Re:Chipset independent? (3, Insightful)

Anonymous Coward | more than 5 years ago | (#28023425)

Does it matter? If the JVM has access to the filesystem and the network, that's all a virus writer needs.

Why am I not surprised? (0, Flamebait)

briggsl (1475399) | more than 5 years ago | (#28022923)

I'm going to get modded down as flamebait here, but let's face it, unless it pretties up the OS, Apple will ignore it. Security hasn't exactly been their strong point.

Re:Why am I not surprised? (2, Insightful)

SoupIsGoodFood_42 (521389) | more than 5 years ago | (#28022941)

Yeah, Snow Leopard was really just an excuse for the programmers to sit around doing nothing all year. Slackers...

Re:Why am I not surprised? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28023005)

You've kinda just proven the OP's point. Snow Leopard is just prettying up what already exists.

Re:Why am I not surprised? (4, Informative)

MobyTurbo (537363) | more than 5 years ago | (#28023077)

You've kinda just proven the OP's point. Snow Leopard is just prettying up what already exists.

Snow Leopard is mainly a beneath-the-hood architectural upgrade. http://www.apple.com/macosx/snowleopard/ [apple.com] "Taking a break from adding new features..."

That having been said, there's nothing on there about added security. I can tell you there are some rumors that things like more complete code page protection and address randomization will be in Snow Leo, but Apple's priorities concerning security are rather low; they rely heavily on security-through-obscurity, and one day if they're not careful it's going to bite them.

Re:Why am I not surprised? (1)

briggsl (1475399) | more than 5 years ago | (#28023287)

You articulated what I was trying to say a whole lot better than I originally did!

Re:Why am I not surprised? (1)

MobyTurbo (537363) | more than 5 years ago | (#28023363)

Yes, but Snow Leo doesn't really "pretty up" anything much, it's all under the hood. Now, if they start updating all of the open and closed-source software that comes with OS X enough to keep it secure too, I'll be more impressed; but I doubt Apple will do that unless they're forced to. (Sound familiar?)

Re:Why am I not surprised? (0, Troll)

BrokenHalo (565198) | more than 5 years ago | (#28023643)

Snow Leopard is mainly a beneath-the-hood architectural upgrade.

Then how are they planning to market it to the Great Unwashed? They're never going to persuade the fan-base to shell out dollars and cents if they can't see something new and shiny.

Re:Why am I not surprised? (2, Informative)

MobyTurbo (537363) | more than 5 years ago | (#28023703)

Snow Leopard is mainly a beneath-the-hood architectural upgrade.

Then how are they planning to market it to the Great Unwashed? They're never going to persuade the fan-base to shell out dollars and cents if they can't see something new and shiny.

All of those people with Macbook Airs (no pun intended) and any upcoming Apple netbook whose systems could use a more svelte OS would be in the market for it. Think Vista vs. Windows 7, except less of a difference in speed and interface. If you don't believe me, check out the site I linked earlier - Apple's own marketing copy says the new features are on "pause" and the feature of Snow Leo is performance and smaller footprint.

Re:Why am I not surprised? (0, Troll)

machine321 (458769) | more than 5 years ago | (#28023485)

Apple doesn't ignore security. They implemented almost a third of an ASLR solution, and it's obviously a waste of time since it wouldn't help with this vulnerability. They dragged their feet patching the Kaminsky DNS vulnerability since DNS is obsolete and everyone should be using Bonjour by now. They didn't bother with DEP/NX, because Macs are about usability, they don't want to prevent you from executing data.

Re:Why am I not surprised? (1)

Keeper Of Keys (928206) | more than 5 years ago | (#28023665)

DNS is obsolete and everyone should be using Bonjour by now.

TQF!

Re:Why am I not surprised? (1, Insightful)

gun26 (151620) | more than 5 years ago | (#28023609)

The problem with Apple is not that they don't take security seriously. Far from it. Lots of stuff does get fixed - witness the multi-hundred megabyte download the other week. But the corporate culture at Apple is secrecy. They must figure that documenting every patch serves only to draw a roadmap for hackers. This "security through obscurity" approach is in dramatic contrast to Microsoft's. Every Windows fix gets a Knowledge Base article which the user can consult before applying the patch. In the case of this Java vulnerability, I'm stunned that Apple didn't fix it in that recent update.

As for "prettying up the OS" I'd argue that current versions of the open source Gnome and KDE desktops, with compositing enabled, are probably prettier than Mac OS in most respects. Apple's strength has always been an unwavering focus on functionality and great industrial design, and on keeping the user experience uncluttered.

This latest story only reinforces the generalization that Scripting Is Dangerous. Mac OS users can be safer by using Firefox with the NoScript extension enabled. So can everyone else, for that matter.

Re:Why am I not surprised? (1)

stiller (451878) | more than 5 years ago | (#28023667)

Although this situation is clearly unacceptable, I would not have called your remark insightful. Apple has been pretty busy with the security updates:

http://support.apple.com/kb/HT1222 [apple.com]

As a whole, I would say Leopard is pretty secure (when compared to Linux; compared to Windows it's ironclad). If additional security is required, consider:

http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#AppleMac [nsa.gov]

Now patched? (1)

Anonymous Coward | more than 5 years ago | (#28022927)

My mac downloaded a new java patch just tonight.

Is it patched?

Re:Now patched? (1, Informative)

Anonymous Coward | more than 5 years ago | (#28023031)

http://support.apple.com/kb/HT3437

Re:Now patched? (3, Informative)

oDDmON oUT (231200) | more than 5 years ago | (#28023275)

Nope. Patched to 10.5.7, with all updates, and the sample exploit would still run. Of course I use FF with NoScript so I had to allow it to run, which just goes to show that sometimes faster is not better [futuremark.com]

quoting the kb article, chasing numbers (1)

reiisi (1211052) | more than 5 years ago | (#28023943)

Java for Mac OS X 10.5 Update 3
Java

CVE-ID: CVE-2008-2086, CVE-2008-5340, CVE-2008-5342, CVE-2008-5343

Available for: Mac OS X v10.5.6 and later with Java for Mac OS X 10.5 Update 2, Mac OS X Server v10.5.6 and later with Java for Mac OS X 10.5 Update 2
Impact: Multiple vulnerabilities in Java Web Start and Java Plug-in

Description: Multiple vulnerabilities exist in Java Web Start and the Java Plug-in, the most serious of which may allow untrusted Java Web Start applications and untrusted Java applets to obtain elevated privileges. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution with the privileges of the current user. This update provides patches for the Java Bug IDs 6694892, 6707535, 6727081 and 6767668 from Sun Microsystems.

So Apple fixed some things back in February, but I can't tell if they fixed them all.

Re:Now patched? (4, Insightful)

iwein (561027) | more than 5 years ago | (#28023347)

try the 'say' invoking applet by Landon Fuller: http://is.gd/BpBp [is.gd] . That scared the crap out of me... what if it had invoked 'rm -rf ~'?

Re:Now patched? (1)

Vapula (14703) | more than 5 years ago | (#28023371)

The bug affects Java up to 1.6.10... And current J2SE is 1.6.13... Which means that there have been 3 updates since that bug was found...

If you updated your JVM, you should be safe from that issue... One way to check it is to run "java -version"; you'll get a line with the current Java version.

Re:Now patched? (1)

Keeper Of Keys (928206) | more than 5 years ago | (#28023687)

IIUC Your advice doesn't apply to macs, which use their own version of Java.

why specify Mac OSX (0, Redundant)

wjh31 (1372867) | more than 5 years ago | (#28022943)

the summary seems to imply that this exploit is viable on "all the platforms, all the architectures and all the browsers", so why specify Mac OSX? It's not special, and if an exploit is universal, it seems the title and summary should make this clear, rather than focussing on OSX. Even a quick look through the linked articles fails to find much about OSX; is the OP just a mac user who finds it astonishing that his perfect OS could be vulnerable?

Re:why specify Mac OSX (1)

Anonymous Coward | more than 5 years ago | (#28022975)

To my knowledge every other major OS release has already patched its Java.

Re:why specify Mac OSX (0)

Anonymous Coward | more than 5 years ago | (#28022981)

Yeah, but it was patched on other systems.

Re:why specify Mac OSX (5, Informative)

Draek (916851) | more than 5 years ago | (#28022989)

If you had read the very first paragraph of the summary, you'd know that it's "a vulnerability in Java that has been patched by everyone but Apple."

For all the other platforms, architectures and browsers the fix is "use a version of Java that's less than 6 months old". For OSX users, however, the only solution is to stop using it altogether.

Re:why specify Mac OSX (0, Offtopic)

wjh31 (1372867) | more than 5 years ago | (#28022999)

Whoopsy, I managed to completely overlook that little sentence. Well, don't I feel a knob...

Re:why specify Mac OSX (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28023427)

Well, don't I feel a knob...

Get your hand off my knob, pervert!

Re:why specify Mac OSX (0)

Anonymous Coward | more than 5 years ago | (#28023001)

Because the other major players have patched it, except for OS X... according to TFA.

Re:why specify Mac OSX (0)

Anonymous Coward | more than 5 years ago | (#28023073)

the OP calls him- or herself FruitWorm - I think it's safe to assume that it's a non-mac user who has just dealt a mighty blow in his holy war...

Only Mac OS users? (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#28022945)

"It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. "

Sooooo.... the title should actually be "ALL Users Vulnerable To Major Java Flaw".
Anything to be able to give Apple a bad security name, no?

Pick and choose your quotes much? (3, Informative)

Animaether (411575) | more than 5 years ago | (#28022993)

Very well...

I choose this one...
FruitWorm writes in with word of a vulnerability in Java that has been patched by everyone but Apple.

So essentially... All Apple users who have left JAVA enabled, and all -other- users who have not yet patched their JAVA installations. Yes, that does include Microsoft Windows, flavor-of-the-month Linux, etc. users who decided to disable auto-updating - if any - of their JAVA installation.

Instructions for turning off Java... (5, Informative)

Anonymous Coward | more than 5 years ago | (#28022955)

In case you don't have OS X but want to pass on the instructions to relatives, etc:

In Safari (version 4 beta):

Safari->Preferences->Security->Web Content: Enable Java (uncheck)

In Firefox (3.5 beta, probably the rest):

Firefox->Preferences->Content->Enable Java (uncheck)

I don't have any other browsers (opera, different versions, etc.) on hand, but it might be nice to add instructions in a reply...

Re:Instructions for turning off Java... (1, Informative)

mbone (558574) | more than 5 years ago | (#28023071)

In Opera

Preferences > Advanced > Content > Enable Java (uncheck) > OK

Re:Instructions for turning off Java... (1)

FictionPimp (712802) | more than 5 years ago | (#28023765)

It would be nice if there was a way to disable it for all sites but blah.com

Design or implementation flaw? (5, Interesting)

pwilli (1102893) | more than 5 years ago | (#28022997)

I'd really like to know if this was/is a flaw in the structure/design of the JVM or just happened to be some kind of pitfall every major JVM-implementor fell into.

The articles and bug reports are light on detail; I could only find out it is related to "Deserializing Calendar Objects" and allows the applet to execute stuff with the user's rights (or, probably more correctly, the rights of the web browser that started the applet), which sounds like an implementation problem to me. Was there some reference implementation all JVM-developers used for this specific functionality?

Re:Design or implementation flaw? (1)

ChunderDownunder (709234) | more than 5 years ago | (#28023103)

Historically every 'official' Java implementation has licensed the class libraries from Sun. I'm not sure why GIJ is mentioned in the same breath, since its code base is based on GNU Classpath, a clean-room implementation of the Sun class libraries. Though, it could have been implemented in a similar manner for binary compatibility across VMs.

So if the flaw is in the class libraries rather than the virtual machine, it's common code... Yes, from the 'reference implementation', now present in OpenJDK - which has now been patched as the article suggests.

Re:Design or implementation flaw? (4, Informative)

Draek (916851) | more than 5 years ago | (#28023189)

This [blogspot.com] , gotten from the comments at TFA, has a bit more details on it.

Apparently it's a mix of both: a structural problem with the fact it needs to grant the Calendar class special privileges to access ZoneInfo objects, and merely a common pitfall in that nobody had thought to limit those privileges before to *just* accessing the calendar.

Beautiful stuff they used in the exploit, though, it's as if they actively tried to use every OOP-derived feature in Java on it at the same time ;)

Re:Design or implementation flaw? (1)

pwilli (1102893) | more than 5 years ago | (#28023259)

Thanks for pointing that out. That exploit is much more interesting and creative than I would have expected.

Re:Design or implementation flaw? (4, Interesting)

QuoteMstr (55051) | more than 5 years ago | (#28023195)

Technical details here [cr0.org].

The gist of it is that the Java Calendar code temporarily elevates its privileges in order to deserialize a ZoneInfo object. If you substitute your own object's serialization for the ZoneInfo, you can get the Java runtime to create any object you want. Some questions:

  1. Didn't anyone realize how dangerous arbitrary privilege elevation is?
  2. Didn't anyone think that it might be overkill to elevate privileges in order to read a timezone?
  3. How many other similar vulnerabilities are lurking in the standard library?

Re:Design or implementation flaw? (1)

squoozer (730327) | more than 5 years ago | (#28023269)

In answer to question number 3 I would guess that there are quite a few more vulnerabilities to be found in the standard library but with the near non-existence of applets in the wild very few black hatters will be looking for them I suspect.

There is a possible problem with Web Start applications (of which there are a few) but it would probably be easier to just use people's ignorance of security to get them to grant your application all permissions. Much as I would like to see it differently, JavaFX isn't going to be a problem either.

To be fair to Java I think its security track record is pretty amazing. There have been a few problems but this is the first major one that I can think of that doesn't involve native code.

cell phones? (1)

Gravis Zero (934156) | more than 5 years ago | (#28023055)

'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers,'

prepare to be cell pwn3d!

Re:cell phones? (1)

aurasdoom (1279164) | more than 5 years ago | (#28023125)

Actually Java SE is not Java ME

don't worry (0)

speedtux (1307149) | more than 5 years ago | (#28023079)

Although written in pure Java, the exploit is OS-specific and therefore not cross platform. Since the Java community disapproves of non-cross-platform code, no real Java programmer would ever actually write code like that, and so there really is nothing to worry about :-)

Re:don't worry (1)

freedom_india (780002) | more than 5 years ago | (#28023307)

Sometimes it blows my mind when I try to understand oxymorons.
Pure Java = pure platform independent.
OS Specific Java = Not Pure Java
non-cross-platform Java code = proprietary Java code.
Before I get angry at you, let me try to explain something here. I have been using Java since the 1.0.2 JDK in 1996 and failed to install the JDK on Win 16-bit with 32-bit extensions...
OS-specific exploits can be written in Java using JNI. JNI alone can interact with the C language (although technically C++, and that code can invoke Assembly, blah blah).
Pure Java does not and should not contain any JNI calls.
This exploit involves the user downloading a native library and then visiting the website, which will invoke this downloaded library (which has to be in the CLASSPATH), and the OS must be the correct version/make for it to work. Under Vista's brutal UAC, this exploit will fail. Under XP it may succeed.
Under Mac OS X, well, hell, the OS cannot understand the library in the first place so it will not load it. Secondly, the CLASSPATH is different on a Mac, so EVEN if the user downloaded the same onto ~\Libraries it will not work.
It's more like blasting the Guns of Navarone or sinking the Titanic. Yes, it can happen, and it happens only once under extraordinary circumstances and executed by extraordinarily talented people.
A Mac user hell-bent on infecting his Mac can get the source code to this JNI library, recompile it under XCode, put it in his \Libraries (if he types the root user password), then visit the page to get himself infected.
It's much like cutting off your own foot with a rusty chainsaw without anesthetic, placing it on a table, hammering a bullet into the foot, rejoining the foot to the leg with Super Glue and claiming you shot yourself in the foot.
I wonder how people can be so dumb and yet be on slashdot.

Re:don't worry (1)

SL Baur (19540) | more than 5 years ago | (#28023995)

It's much like cutting off your own foot with a rusty chainsaw without anesthetic, placing it on a table, hammering a bullet into the foot, rejoining the foot to the leg with Super Glue and claiming you shot yourself in the foot.
I wonder how people can be so dumb and yet be on slashdot.

Nobody is going to understand that without a car analogy. You must be new here.

To be expected (4, Interesting)

Shrike82 (1471633) | more than 5 years ago | (#28023159)

The (untrue) assumption that many people seem to hold that Macs are just invulnerable to anything bad happening has finally spread to Apple itself, and they're the last to patch this exploit. Since a lot of Mac advertising used to be based on "Macs don't get Viruses" you'd think they'd have been the first to patch this to maintain their reputation.

Yes I know I'm probably going to get modded down immediately for saying this, but hell, it's the truth.

Re:To be expected (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#28023349)

Good old /. moderation. Some mac fanboy spots someone slagging off a mac and thinks it's trolling.

Re:To be expected (2, Funny)

perryizgr8 (1370173) | more than 5 years ago | (#28023369)

The (untrue) assumption that many people seem to hold that Macs are just invulnerable to anything bad happening has finally spread to Apple itself, and they're the last to patch this exploit. Since a lot of Mac advertising used to be based on "Macs don't get Viruses" you'd think they'd have been the first to patch this to maintain their reputation. Yes I know I'm probably going to get modded down immediately for saying this, but hell, it's the truth.

yes, you were correct about ONE thing,

Re:To be expected (4, Interesting)

oDDmON oUT (231200) | more than 5 years ago | (#28023489)

"The (untrue) assumption that many people seem to hold (is) that...", patching actually is a "best practice", when it's not.

Marcus Ranum has an interesting and humorous take [ranum.com] on patching that spells it out much better than I could.

The short version:

  • Patching is a substitute for good design
  • Patching exists for the simple reason that there is a rush to get products out the door, rather than take the time to ensure that they are secure

This is true of 99.9% of software in use.

Re:To be expected (1)

Shrike82 (1471633) | more than 5 years ago | (#28023533)

As an avid gamer this sounds very familiar - the number of games I've bought in the past that have been verging on unplayable until the third or fourth patch.

You have to have some sympathy for programmers though, I mean the ingenuity and sheer determination of malware authors means that even the smallest oversight or design flaw is going to be found and used for "evil" purposes.

Re:To be expected (0)

Anonymous Coward | more than 5 years ago | (#28023541)

Try playing Red Alert 3!
Each patch seems to add more and more errors into the game, it was best when it came out between 1.00-1.03, after that it's become much worse, random full screen errors, game not loading, unable to connect, etc!

Re:To be expected (2, Insightful)

Hal_Porter (817932) | more than 5 years ago | (#28023793)

Usually it's like this

Release 1.0 is shipped. Testing is very extensive and a huge list of bugs is found. The most critical ones are fixed, the rest are scheduled for Patch 1.0. The experienced part of the team moves onto their next project or takes a vacation. Now a load of new people are handed copies of Release 1.0 and assigned a bug. Most of them will manage, but a minority of them will make changes with severe side effects - e.g. their code will corrupt the stack or heap. They module test, missing the corruption, and check the code in.

So now Patch 1.0 contains a lot of fixes, some very badly coded. Possibly they will cause problems on their own, or possibly when combined. There are bugs that were missed in the big release too. A lot of the new people will get assigned off the project. Usually the amount of system testing on patches is not as much as on Release 1.0.

The other issue is that the commercial pressure on the company is dropping - bugs introduced by a patch when people have already paid are less serious commercially than bugs at release when they're still thinking about paying.

So it's quite possible that updates will actually make a product worse.

Re:To be expected (1)

gbarules2999 (1440265) | more than 5 years ago | (#28023699)

True? Yes. But no software is perfect. For example (you may have heard about this one recently in the news), there is a flaw right now in Java in Mac OS X, and it's not fixed.

Re:To be expected (1)

dkf (304284) | more than 5 years ago | (#28023811)

  • Patching exists for the simple reason that there is a rush to get products out the door, rather than take the time to ensure that they are secure

<sarcasm>
At least we know that Duke Nukem Forever will be secure when it comes out. After all, the developers aren't ever going to push a product out of the door there in the hope that it will at least start earning them some cash...
</sarcasm>

Also disable Safari's 'Open"safe" files. (4, Informative)

landonf (905751) | more than 5 years ago | (#28023161)

In addition to disabling Java support, Safari's 'Open "safe" files after downloading' must also be disabled to prevent websites from automatically loading a Java WebStart application via a JNLP file.

I've also posted a demonstration of the vulnerability at http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html [bikemonkey.org]

Ob (0, Offtopic)

Hognoxious (631665) | more than 5 years ago | (#28023239)

The whipped cream mochafroppatopping might not be 100% organic? That's simply scandalous!

Not all OS X users at risk (3, Interesting)

oDDmON oUT (231200) | more than 5 years ago | (#28023247)

For the record, those running Firefox as their default browser, with NoScript installed, won't be affected* unless they *choose* to execute an unknown, untrusted binary within the browser.

*At least the sample exploit at the top of the thread didn't execute for me, YMMV

So how much damage can this do? (2, Interesting)

Viol8 (599362) | more than 5 years ago | (#28023309)

So it can arbitrarily execute Java code in a browser. Well hold on, aren't browser VMs rather crippled anyway in their functionality? And that's after you take into account it'll only have the privileges of whichever user launched the browser in the first place. So what exactly could you do with this exploit? Steal some cookies, bring up some annoying windows? Or is this about it being able to escape the sandbox? I don't really get it.

Re:So how much damage can this do? (0)

Anonymous Coward | more than 5 years ago | (#28023391)

'rm -rf ~' would wipe out the user, which the user would have the ability to do. The more annoying scenarios are installing scripts for scheduled reboots, trojans for botnets, etc...

Re:So how much damage can this do? (1)

iwein (561027) | more than 5 years ago | (#28023407)

It can run any command as the user running the browser. I usually run the browser as myself, so it could clean out my home for example.

If you're on Mac: http://is.gd/BpBp [is.gd]

Re:So how much damage can this do? (2, Interesting)

oDDmON oUT (231200) | more than 5 years ago | (#28023431)

A *lot*.

Consider. Many, if not most, Mac users run with admin privileges (though this is not solely a Mac problem), so having an untrusted binary, able to execute whatever the hell it wants, accessing everything from / on down... well... I leave it to your imagination, but nuking your home directory would be the least of your problems.

Re:So how much damage can this do? (1)

maxume (22995) | more than 5 years ago | (#28023847)

I like the way I have things set up, but my data is a heck of a lot more important to me than my operating system, so I'm not sure what bigger problem there would be than losing it all (of course, I have reasonable backups, but that isn't something normal people do yet).

Re:So how much damage can this do? (1)

aaaaaaargh! (1150173) | more than 5 years ago | (#28023603)

It can delete all of your work and all of the backups of your work (unless the backups are made by another user on your system).

Never use Java so it's disabled. (0)

Anonymous Coward | more than 5 years ago | (#28023357)

No one uses client side applets.

Steve is always right (0)

sarchiapons (947599) | more than 5 years ago | (#28023435)

If they (Apple) wanted to fix it, they would have fixed it some time ago. They have a lot of money and all the developers a company can just dream of. The problem is there is no longer a love affair between Apple and Java. It's finished. Game over. Stop. It was not fixed because it's OK to be that way ... yes. You know that guy doesn't have a middle measure. Steve thinks Java is dead on the desktop and my opinion is ... he is right. Java is outperformed on the desktop side by C# (Windows) and Objective-C (Mac); the others doe$n't count. On the Web development side Apple is investing in Ruby. Java is just Enterprise and enterprise is a no-market for Apple. Apple is going to support Java on Mac OS X less and less every day. If you really want Java, switch platform (and don't go Windows because the war between MS and Oracle is just starting), and if you are a Ruby developer the way to go is Mac. Java is Oracle, and running Java you do a favor to Sun-Oracle. Apple and Microsoft will become a bit nasty about it. It's all about surviving in the future. It's not a joke and no, doing what the customers say is not always the right thing to do. In my opinion Steve is right about it.

apple letting down java users.. (5, Informative)

Anonymous Coward | more than 5 years ago | (#28023449)

Steve Jobs, JavaOne Keynote 2000:

"We want to bring Java back to the desktop in a really big way. I'm here today to personally tell you we are working hard to make Mac the best Java delivery vehicle on the planet. The biggest thing we are doing is we are going to bundle Java 2 SE into every single copy of Mac OS X that we ship later on this year."

WWDC 2006

When is the next Java coming? We are following Sun's releases of Java SE 6 betas and other Java updates very closely.

Steve Jobs, January 2007 (iPhone related):

"Java's not worth building in. Nobody uses Java anymore. It's this big heavyweight ball and chain..."

2008/05/01

Apple (finally!) releases JDK 6 with 64-bit support only. Most apps won't run due to the lack of Cocoa 64-bit libraries. 1 y/old notebooks left in the cold without 64-bit support.

Incorrect (1, Funny)

Anonymous Coward | more than 5 years ago | (#28023629)

As we know from that one Mac vs. PC commercial, Macs don't get viruses. And if something is invulnerable to viruses, it has no flaws of any kind. Implying that Macs have a Java flaw implies they can get infected, correct? Which means they can get viruses, which obviously cannot be true, if that Mac Genius, Megan commercial is correct.

There is no reason to have Java enabled (1)

WD (96061) | more than 5 years ago | (#28023641)

CERT has been telling users to disable Java in your web browser for years. If you haven't done so already, give it a shot. You probably won't miss it.

http://www.cert.org/tech_tips/securing_browser [cert.org]

Re:There is no reason to have Java enabled (4, Informative)

Ash-Fox (726320) | more than 5 years ago | (#28023949)

CERT has been telling users to disable Java in your web browser for years. If you haven't done so already, give it a shot. You probably won't miss it.

First things I noticed after disabling it, restarting Firefox with my saved tabs:

  • Can't use my bank anymore
  • Citrix from the web doesn't work
  • Akamai download manager doesn't work
  • Website IRC chat no longer works
  • Dragon court [ffiends.com] no longer works

At this point I got annoyed and turned Java back on.

Why "on Mac"? (-1, Troll)

jw3 (99683) | more than 5 years ago | (#28023695)

As a Linux user, I was about to ignore the article when I glanced over the sentence "It affected not only Sun's Java but other implementations such as OpenJDK, on multiple platforms, including Linux and Windows. "

If I understand it correctly, all Java implementations have this flaw, so why write that it is a "MacOS vulnerability" and not "Java vulnerability"?

I want to know more how it affects my Ubuntu box!

j.

Re:Why "on Mac"? (1)

dave420 (699308) | more than 5 years ago | (#28023813)

There are fixes for every other platform apart from OSX, so yeah, it's solely an OSX vulnerability at the moment.

Re:Why "on Mac"? (1)

the_other_chewey (1119125) | more than 5 years ago | (#28023817)

If I understand it correctly, all Java implementations have this flaw, so why write that it is a "MacOS vulnerability" and not "Java vulnerability"?

Because by now, all others are fixed, and the vulnerability remains only in Apple's Mac-specific version of Java.
