Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Apple Nabs Java Exploit That Bypassed Disabled Plugin

timothy posted about a year and a half ago | from the heading-them-off-before-they-head-you-off dept.

Java 97

Trailrunner7 writes "Apple on Thursday released a large batch of security fixes for its OS X operating system, one of which patches a flaw that allowed Java Web Start applications to run even when users had Java disabled in the browser. There have been a slew of serious vulnerabilities in Java disclosed in the last few months, and security experts have been recommending that users disable Java in their various browsers as a protection mechanism. However, it appears that measure wasn't quite enough to protect users of some versions of OS X."

Sorry! There are no comments related to the filter you selected.

OS X (-1, Troll)

hildolfr (2866861) | about a year and a half ago | (#43188605)

and nothing of value was lost

Re:OS X (-1)

Anonymous Coward | about a year and a half ago | (#43188661)

Yeah. Like when gave up your ass cherry to a gang of horny gay niggers. Joke was on them because your dad popped your ass cherry years ago! LOL!!! :)

Re:OS X (1, Troll)

hildolfr (2866861) | about a year and a half ago | (#43188895)

Woah. That was a pretty good one. 5 points for the use of 'ass cherry'

Java and flash... (4, Insightful)

sdsucks (1161899) | about a year and a half ago | (#43188607)

Incredibly, still the biggest shit on the internet.

Too bad, as a language I actually like Java. Flash is crap though, always was, always will be.

Re:Java and flash... (5, Interesting)

eksith (2776419) | about a year and a half ago | (#43188637)

The problem with flash are the developers. ActionScript can do a lot of things... that doesn't mean those things should have been done. Of course if sandboxing was foolproof, things would have worked better for both technologies. Hopefully HTML5 can fill the gap for both and we can finally do away with both plugins.

Re:Java and flash... (4, Interesting)

GoodNewsJimDotCom (2244874) | about a year and a half ago | (#43188765)

Windows could have been sandboxed too making it impossible to edit system files, access files outside the installation directory too. Also autobooting at start should be something only the user can choose and can't be automatically checked. This would have rendered most viruses useless. This should have been done circa 1995-98 when the Internet was just going mainstream.

Re:Java and flash... (2)

sdsucks (1161899) | about a year and a half ago | (#43189017)

Windows could have been sandboxed too making it impossible to edit system files, access files outside the installation directory too.

You have a lot more faith in sandboxing than you should. Sandboxing is more like a fence than it is a wall.

Re:Java and flash... (1)

angel'o'sphere (80593) | about a year and a half ago | (#43190587)

Depends on the way how sand boxing is done.

E.g. you can changeroot the process and then it can't do anything.

On Macs a lot of stuff is getting more and more sand boxed. E.g. PDF rendering in Safari is done in a separate sandboxed process.

Re:Java and flash... (3, Interesting)

drinkypoo (153816) | about a year and a half ago | (#43190867)

E.g. you can changeroot the process and then it can't do anything.

chroot is a big help, but it doesn't preclude gaining access to memory, and if you have enough access to that then you can write files using other processes' permissions. You really need to virtualize to even claim to have a sandbox which is useful from a security standpoint. Even then it's not impossible to exploit a virtual driver and gain access to the underlying hardware indirectly.

Re:Java and flash... (1, Troll)

angel'o'sphere (80593) | about a year and a half ago | (#43192857)

You are right if your OS is buggy, is it not, you can neither access other processes memory nor explot drivers.

Re:Java and flash... (1)

drinkypoo (153816) | about a year and a half ago | (#43193049)

You are right if your OS is buggy, is it not, you can neither access other processes memory nor explot drivers.

Your fucking comment has a bug, you expect an operating system not to?

Re:Java and flash... (1, Troll)

angel'o'sphere (80593) | about a year and a half ago | (#43193221)

Yes I do :)

Albeit knowing that this is rare.

Re:Java and flash... (1)

PDF (2433640) | about a year and a half ago | (#43191345)

On Linux and probably some other unices, chroot is not intended for use as a security mechanism. See http://it.slashdot.org/story/07/09/27/2256235/when-not-to-use-chroot [slashdot.org] and also man 2 chroot.

If you can take the performance hit, a VM of some kind (emulated bytecode, virtualization or JIT compilation) is much better for security. Unfortunately, security is more difficult than it seems at first glance, so it doesn't always get the attention it needs. Hence we have gaping holes in Java applets. This is why we can't have nice things.

Re:Java and flash... (1)

PDF (2433640) | about a year and a half ago | (#43191371)

Actually, we get gaping holes in the Java environment that the applets run on. But I think you get the idea.

Re:Java and flash... (1)

angel'o'sphere (80593) | about a year and a half ago | (#43192893)

A non priviledged process can not break out of its rot directory assigned to him by chroot.

I don't know if that was intended as a security feature, but imho it increaes security greatly. E.g. if your web server is running in a chroot environment ....

Ofc your other points are valid.

Re:Java and flash... (1)

sjames (1099) | about a year and a half ago | (#43193389)

chroot is NOT a security API. Because of that, there are a few clever ways to escape a chroot, particularly if you can run with elevated privilege or get help from another (possibly unprivileged) process outside the jail.

It can be helpful, but since you're using the call for an unintended purpose, you have to be really careful with it.

Re:Java and flash... (1)

angel'o'sphere (80593) | about a year and a half ago | (#43193527)

Sure, there is always a trick to circumvent something.
Howeve, for what exactly was chroot invented if nott for security? Otherwise I see no reason for it at all.

Re:Java and flash... (1)

sjames (1099) | about a year and a half ago | (#43193811)

It is useful for debugging, protection from simple bugs, and system repair. It can also be used to run multiple instances of a system service designed to have a single instance per machine. In other words, it is a namespace utility.

The point is that the kernel developers do not make an effort to prevent circumventing chroot in several ways because it's not meant to be resistant to circumvention.

Re:Java and flash... (1)

angel'o'sphere (80593) | about a year and a half ago | (#43193917)

That is an intersting point: not ment to be resistant.

OTOH most of your examples (wikipedia mentions them as well) could be done with proper setup of PATH and LDPATH as well, but perhaps it is easier to have a kind of "second system" where you can chroot to.

In fact most chroot systems I encountered where for emulation purpose. E.g. having a certain linux variant as host environment and having another one (chrooted) for development purpose. Some simple stuff like copy/paste not reliable working via X windows from an windows client e.g. made this necessary.

Re:Java and flash... (0)

Anonymous Coward | about a year and a half ago | (#43191783)

And a user level account is merely a sandbox for root. You should rethink your poorly constructed reality.

Re:Java and flash... (4, Insightful)

JDG1980 (2438906) | about a year and a half ago | (#43189045)

Windows could have been sandboxed too making it impossible to edit system files, access files outside the installation directory too. Also autobooting at start should be something only the user can choose and can't be automatically checked. This would have rendered most viruses useless. This should have been done circa 1995-98 when the Internet was just going mainstream.

The problem is that circa 1995-98, the average home PC simply wasn't powerful enough to handle this kind of sandboxing while maintaining acceptable performance. Windows 9x basically ran on bare metal (one bad app could easily bring the whole system down) and there was no such thing as security. It was crude, but it was the best you could do on a Pentium 100 with 8 megs of RAM (16 if you were lucky). A modern smartphone leaves these old systems in the dust. The Windows NT series has a Unix-style security model, though it was undermined by the need for backwards compatibility forcing regular users to run as administrator (UAC was a belated attempt to fix this). But this also means that NT needs a faster processor and a lot more RAM than 9x. The first home version of Windows based on the NT kernel was XP, and people were all up in arms about its "outrageous" system requirements back in 2001.

Nowadays, you can usually get away with running as a limited user and escalating only when installing or updating a program from a trusted source. I agree that sandboxing could be more sophisticated than it is on Windows, but this isn't a unique flaw; in fact, it's a result of copying the outdated Unix security model, which assumes that the program is the user and would do roughly what the user wanted (maybe true in the 1970s on shared university systems, but obvious nonsense now).

Re:Java and flash... (2)

DKlineburg (1074921) | about a year and a half ago | (#43189207)

even if you sandbox, does the average user know when to click yes run, vs no don't? But I want to see cute kittens playing with yarn!

Re:Java and flash... (2)

penix1 (722987) | about a year and a half ago | (#43189341)

The problem is that circa 1995-98, the average home PC simply wasn't powerful enough to handle this kind of sandboxing while maintaining acceptable performance. Windows 9x basically ran on bare metal (one bad app could easily bring the whole system down) and there was no such thing as security. It was crude, but it was the best you could do on a Pentium 100 with 8 megs of RAM (16 if you were lucky). A modern smartphone leaves these old systems in the dust. The Windows NT series has a Unix-style security model, though it was undermined by the need for backwards compatibility forcing regular users to run as administrator (UAC was a belated attempt to fix this). But this also means that NT needs a faster processor and a lot more RAM than 9x. The first home version of Windows based on the NT kernel was XP, and people were all up in arms about its "outrageous" system requirements back in 2001.

I argue it is a far different reason that has nothing to do with the hardware...

Microsoft's insistence on backwards compatibility is the culprit. They needed to maintain DOS compatibility or the businesses would have ditched them if Win 9x didn't. This is why even right up to Windows 7 you still have an emulated DOS environment. Machines have increasingly become more powerful yet Microsoft still has to maintain the old shit or lose market share with the businesses. This above all else is the reason you have the mess that is a Windows environment. throw in the constant threats of antitrust every time they try to add in security (mostly from the antivirus industry) and it really is a mess.

Re:Java and flash... (2)

dreamchaser (49529) | about a year and a half ago | (#43189413)

Only the 32 bit version of Windows 7 can run old 16 bit code for DOS or Windows, so you're half right since about half the people running Win 7 are using the 64 bit edition.

Re:Java and flash... (1)

drinkypoo (153816) | about a year and a half ago | (#43190859)

Only the 32 bit version of Windows 7 can run old 16 bit code for DOS or Windows

Even in XP Mode? Not that I'm choked up about XP Mode, lots of software doesn't run in it at all.

Re:Java and flash... (1)

fredprado (2569351) | about a year and a half ago | (#43191235)

XP Mode is XP installed in a virtual Machine. You can run pretty much whatever you want in a virtual Machine. With the same argument you could say that Windows runs OS X and Linux applications.

Re:Java and flash... (1)

drinkypoo (153816) | about a year and a half ago | (#43191489)

So was Classic. Except it was Mac OS.

XP Mode won't run Civ 2 on amd64.

Re:Java and flash... (1)

fredprado (2569351) | about a year and a half ago | (#43192141)

XP Mode runs on Virtual PC a MS virtualization solution, which is similar to VirtualBox and VMWare, if not as polished. Civilization 2 can be run on Virtual PC as long as the OS you decide to install in it is compatible with Civ 2. Windows XP is not.

Re:Java and flash... (1)

drinkypoo (153816) | about a year and a half ago | (#43193059)

Civilization 2 can be run on Virtual PC as long as the OS you decide to install in it is compatible with Civ 2. Windows XP is not.

Civ 2 runs fine on XP. Even better with an idle mode patch. It doesn't run on XP Mode with or without it. It runs fine in vmware on the same machine. Your argument is offensively stupid bullshit both because it is wrong and because it is a Microsoft apology.

Re:Java and flash... (1)

fredprado (2569351) | about a year and a half ago | (#43193115)

The original release of Civ 2 (from 1996) does not run on XP. The new release of Civ 2 from (2002) runs on XP AND on Windows XP Mode too. You probably forgot to disable XP Mode integration features, which is required for it to run most games. If you don't know how to use XP Mode, the problem is certainly you, not XP Mode.

Re:Java and flash... (1)

drinkypoo (153816) | about a year and a half ago | (#43193121)

Civ 2 Multiplayer Gold does not run in XP Mode on Win7 on amd64, or at least, it didn't for me. And I didn't forget to enable anything, it just doesn't work. I know precisely how to use XP Mode. Delete that piece of shit, and install XP in VMware Player, which is dramatically superior software, and costs me just the same amount as XP Mode. Even better, I can run it on something that isn't Windows, where it not only provides superior performance but also doesn't involve me running Windows on my bare hardware. Everyone wins but Microsoft, and I'll be glad when they go away and games are made for some other operating system.

Re:Java and flash... (1)

fredprado (2569351) | about a year and a half ago | (#43194173)

I have Windows 7 64 bits installed and I happen to have Civ 2 Gold Edition (2006) too. It works just fine for me on XP mode. I also have both VMWare and Virtualbox installed and it works in both well too.

Don't take me wrong. I don't like MS either, but XP Mode and Virtual PC are not part of the reasons why I do.

Re:Java and flash... (1)

fa2k (881632) | about a year and a half ago | (#43189899)

the outdated Unix security model, which assumes that the program is the user and would do roughly what the user wanted (maybe true in the 1970s on shared university systems, but obvious nonsense now).

It's a good thing that it evolved this way, because insecurity also makes it easier for the programmer. If malware and cyber* was as rampant in the late 1990s as it is now, we would have some horrible locked down computers which only did ~6 things that were blessed by the manufacturer. Today is a good time to start making systems more secure, but there also needs to be an open-ended environment where small programs can share data without any restrictions.

Re:Java and flash... (1)

tepples (727027) | about a year and a half ago | (#43193227)

If malware and cyber* was as rampant in the late 1990s as it is now, we would have some horrible locked down computers which only did ~6 things that were blessed by the manufacturer.

That's exactly what we have had since 1985 with the lockout mechanisms in the video game consoles that displaced Commodore computers.

Re:Java and flash... (2)

angel'o'sphere (80593) | about a year and a half ago | (#43190643)

This is not insightful, if at all it is informative :D Because it is half wrong.

The problem is that circa 1995-98, the average home PC simply wasn't powerful enough to handle this kind of sandboxing while maintaining acceptable performance. Windows 9x basically ran on bare metal (one bad app could easily bring the whole system down) and there was no such thing as security. It was crude, but it was the best you could do on a Pentium 100 with 8 megs of RAM (16 if you were lucky).
All other operation systems running on similar hardware but having strict security and privileges proof you wrong. Even Linux existed at that time already and ran happily on that hardware.

Also I have the impression most people here are not really sure about what sandboxing actually is.

Sandboxing e.g. has nothing to do with the fact that I run my applications as an ordinary user and escalate to a wheel user when installing software (in fact 90% of the software installs don't require root access anyway).

Sandboxing means e.g.: my mail program can only write into folder where the mail is stored. So regardless how you attack my mail program the operation system will not let it write anything elsewhere, regardless if it runs as "Angelo" or as "root" (hence it can not modify other applications etc.) Also the OS won't let it read any files, except those in the mail folder, the mails I have received or sent.
That was just an example ... Mail.app is not that strong sandboxed.
The performance impact of a sandbox is close to zero. Hence the claim it was impractical on older hardware is just nonsense.

Re:Java and flash... (1, Insightful)

washu_k (1628007) | about a year and a half ago | (#43192447)

All other operation systems running on similar hardware but having strict security and privileges proof you wrong. Even Linux existed at that time already and ran happily on that hardware.

No, he is completely correct. Linux of the time did not "run happily" on that hardware with the same level of GUI complexity as Win9x. Either Linux had no GUI at all, or a simple window manager like TWM or FVWM.

This is also doubly wrong in claiming that all other operating systems at the time had proper security. The biggest competitors to MS at the time were even simpler and less secure OSes. For GUIs there was MacOS which didn't have protected memory and could barely multitask, along with having no security model. On the server side the biggest at the time would have been Novell, which did have a security model, but still had no protected memory and much simpler multitasking than even Win9x.

Re:Java and flash... (2)

angel'o'sphere (80593) | about a year and a half ago | (#43192831)

I had linux installed on a 486 with 16MB and 32MHz.
It run superb and was much faster than Win 95/98 on a Pentium 2.
Also I don't recall that windows had any fancy thing in its windows manager that costs more cpu power than X did.
On top of that, you seem not to know much about computing history.
The OSes I refer too are Sun BSD (Sun OS 4) the early Sun Solaris, HP Ux, Dec Ultrix, Vax VMs, and there are dozens more, SGI, Apollo etc.
So no, you and your parent are wrong. You are wrong on the simple fact: security costs perhaps 1% computing power. So it fucking does not matter wether you are having it on a 2MHz processor or on a 2 GHz processor.

Re:Java and flash... (0)

Anonymous Coward | about a year and a half ago | (#43192901)

Did you run linux in 1995-1998? I really think you did not.

Re:Java and flash... (0)

Anonymous Coward | about a year and a half ago | (#43190653)

8 MB of RAM on a P100? Are you kidding? I had 8MB of RAM on a 486. The P100 was the era of 32~96MB of RAM.

Re:Java and flash... (0)

Anonymous Coward | about a year and a half ago | (#43190805)

The problem is that circa 1995-98, the average home PC simply wasn't powerful enough to handle this kind of sandboxing while maintaining acceptable performance. Windows 9x basically ran on bare metal (one bad app could easily bring the whole system down) and there was no such thing as security. It was crude, but it was the best you could do on a Pentium 100 with 8 megs of RAM (16 if you were lucky).

Poppycock.

Linux and the BSDs ran on the same hardware, and they were able to have give us traditional Unix security on the same hardware without being bogged down. I installed OS/2 Warp shortly after it came out (1994) and then switch to Linux (RH 3.0.3, 1996), and I don't recall any performance annoyances.

There was, and still is, no reason why one needs to trade performance for security in most cases.

Re:Java and flash... (0)

Anonymous Coward | about a year and a half ago | (#43189633)

It's wouldn't be a proper /. thread about Apple, OSX, and Java without someone dragging Microsoft into it. Congrats.

Re:Java and flash... (1)

fredprado (2569351) | about a year and a half ago | (#43191259)

Virus developers adapt. No system is 100% secure as this very article shows, and a single exploit is all that is needed. From the security perspective, being mainstream is the greatest problem Windows always faced, not any inherent security issues.

On the other hand, far from me saying Windows is a good OS. From the usability and stability perspectives, of course, Windows has always been bad.

Re:Java and flash... (0)

Anonymous Coward | about a year and a half ago | (#43189083)

Why do you expect HTML5 sandboxing to be any better?

Re:Java and flash... (2)

angel'o'sphere (80593) | about a year and a half ago | (#43190571)

Flash was a nightmare on Macs untill recently.

After a day or so you always had a flash process running that ate one of your CPUs for 98% or more.

For some reason flash was unable to "not animate" all hidden windows etc.

I switched to Chrome for only one reason: the Taskmanager window. Here you can kill the flash process without harming the open tabs. (Well every flash widget gets a "sad eye": oh! flash is gone!"

This is the reason why iOS does not support Flash natively.

I believe Safari runs Flash now in a separate process which you can "kill -9" if needed.

Before Chrome I really hated it to be forced to kill Safari every few days to get rid of the Flash ... well perhaps I should have been consequent and just disable it.

Re:Java and flash... (1)

drinkypoo (153816) | about a year and a half ago | (#43190837)

The problem with flash are the developers.

Yes, the developers writing malware. Wait, what? If the system permits you to write malware, and part of the purpose of the system is sandboxing, then clearly the system is the problem. Do you mean the developers of flash? We don't really care why the software has holes in it, whether it's developers or physics or aliens. We care about the holes. The programmers are not the direct problem for the user unless they're coming into their house and eating their cheeseburgers.

Re:Java and flash... (5, Informative)

casab1anca (1304953) | about a year and a half ago | (#43188669)

Flash is crap though, always was, always will be.

Flash may be crap now but for a long time, it (and Shockwave before it) was the only practical way of displaying interactive multimedia content in the browser.

Re: Java and flash... (2)

Anonymous Coward | about a year and a half ago | (#43188685)

You're right, but as they added features they always treated security as an afterthought.

If security isn't part of the foundation and framework of your products then you're always going to be playing catchup as you ship vulnerabilities to your customers.

Re: Java and flash... (1)

sdsucks (1161899) | about a year and a half ago | (#43189019)

In a web development project, I consider both Java and Flash unusable for that reason.

Re:Java and flash... (0)

Anonymous Coward | about a year and a half ago | (#43189655)

Interactive multimedia content.... You mean ads. Flash always has been and always will be CRAP.

Re:Java and flash... (0)

Anonymous Coward | about a year and a half ago | (#43191399)

It's still the only practical way of displaying interactive multimedia between many systems.

Thanks to HTML5's failed promises, it's still far far easier to get multimedia content working and looking identical between desktop browsers using Flash than it using HTML5.

This is why a number of industries, such as for example, many e-learning companies, are still supporting Flash - their clients want training materials to look identical across browsers so that they can produce training guides and so forth and Flash is still the only way to reliably do this.

Even things that sound like they should be simple, such as HTML5 video, work and need to be implemented completely differently for different browsers, even trivial things like rounded corners aren't implemented consistently.

Worse, because Steve Jobs killed off Flash on mobile using anti-competitive practices, there's now not a single solution in existence that lets you reliably create cross-platform multimedia content.

Don't get me wrong, I fucking hate Flash as a technology which is why I always refused to learn it, but the idea that HTML5 was, or still is somehow an acceptable replacement is a complete and utter fucking fallacy made up by idiots who put WHATWG fanboyism ahead of reality, and that causes problems for companies across the globe.

Re:Java and flash... (0)

Anonymous Coward | about a year and a half ago | (#43188723)

"However, itappearsthatmeasurewasn't quite enough to protect users of some versions of OS X."

A car can run 100mph, which to most people they would get into an accident.

And you guys think Java and flash are so bad, what C++ or even C are any better?

This article sure oozes of flamebait.

Re:Java and flash... (1)

sdsucks (1161899) | about a year and a half ago | (#43189031)

C and C++ applications are typically not embedded in web pages, and no web browser would execute them if they were.

Flash and Java are both commonly embedded in web pages, and execute automatically if the user has the plugin installed.

Re:Java and flash... (1)

TwilightXaos (860408) | about a year and a half ago | (#43189309)

http://noscript.net/ [noscript.net]

Maybe.

Re:Java and flash... (1)

Psychotria (953670) | about a year and a half ago | (#43189395)

Server-side C or C++ work fine. But then there is the problem that the server is executing the code so most website servers wouldn't be able to handle the load. The alternative is for the client to do the processing which is fraught with danger. It's one of the reasons that I've always been averse to client-side execution from the start but, pragmatically, there is no way around it. Web-browsers these days are more like virtual machines than anything else.

Re:Java and flash... (1)

sproketboy (608031) | about a year and a half ago | (#43189935)

Er, Java and Flash are written in C or C++.

Re:Java and flash... (1)

angel'o'sphere (80593) | about a year and a half ago | (#43190651)

I guess you never heard about ActiveX ;D

Re:Java and flash... (1)

Stupendoussteve (891822) | about a year and a half ago | (#43192383)

Or Google's Native Client.

Re:Java and flash... (1)

sdsucks (1161899) | about a year and a half ago | (#43189011)

Regardless of the "Flamebait" modding, the reality is that Flash and Java alone are responsible for far more than their fair share of actively exploited vulnerabilities.

Re:Java and flash... (1)

Clsid (564627) | about a year and a half ago | (#43190981)

I don't feel sorry for Java, on the contrary I'm quite happy that Java is going away. Java was like a hippie ideal for peace, neat idea but so much bs going on around it.

I have always felt that using languages that wasted so many CPU cycles like Java were making our hardware obsolete before time. I still remember when on a Pentium 100 you could do wonders. Even Visual Basic, which was also inefficient, was pretty fast and it was perfect for business applications, until they started doing the Java thing with .NET

This is one of the main reasons I like the approach Apple took to their development. Even if they use a lot of eye candy, they stick to using a variant of C that is fast and useful. That in turn worked wonders when it was the turn to develop for iOS and save battery and processing power.

Re:Java and flash... (0)

Anonymous Coward | about a year and a half ago | (#43194053)

Java the VM (the JVM) ain't that bad. Some people hate it (like Linus Torvalds) and, honestly, the JVM has quite a few very very shitty edges. But I still kinda like the JVM.

Flash usage lost 20% market share in one year, which is gigantic. From 25% of websites using Flash in 2011, there were only 20% left in 2012.

So thankfully the Flash issue shall "soon" be solved. Flash was and still is one of the biggest piece of shit ever.

What's really bad in the Java ecosystem is applets. Applets are used on about 2% of the websites and should die a horrible death.

So... (2, Interesting)

Molochi (555357) | about a year and a half ago | (#43188729)

If the Apple Safari browser on Apple OSX had Java disabled it let it run anyway? Glad they fixed that.

Such an hero.

Re:So... (2)

Stupendoussteve (891822) | about a year and a half ago | (#43192421)

Kind of.

The issue was not Java applets embedded in webpages, they were still disabled. It has to do with a (stupid) feature in Safari, "Open 'Safe' files after downloading." Apparently the Java web start files were on the safe list and would auto-execute.

Re:So... (2)

Kyusaku Natsume (1098) | about a year and a half ago | (#43194463)

Since Safari 2 or 3 that "Open safe files after downloading" as been the worst design decision by the Safari team. It is the first thing I disable when I do a new install of OS X.

Re:So... (0)

Anonymous Coward | about a year and a half ago | (#43194573)

Good call, why was the article titled in a way that made it sound like they fixed something in Java? Weird.

Not a bug? (5, Informative)

subanark (937286) | about a year and a half ago | (#43188745)

A webstart link is simply a jnlp file, which is an xml file, that if opened with javaws will start up the Java application (in a sandbox or warn the user it won't). This does not attach to the web browser and runs in its own frame. When you install Java it should associate jnlp files with javaws so that when you click with a browser it shouldn't launch the javaws program unless you choose to always open with it when you click it.

From the article this seems to be a bug with the way the Mac handled scripts in an unexpected way.

Re:Not a bug? (2)

ninlilizi (2759613) | about a year and a half ago | (#43188917)

And thats the real issue.

This is an Apple Safari flaw, which has been incorrectly spun as a Java problem.
It's a stretch to even call this an exploit.

Re:Not a bug? (3, Interesting)

_xeno_ (155264) | about a year and a half ago | (#43188965)

It's only not a bug in that it was by design.

Basically Mac OS X has a list of "safe" files that don't bring up an "are you sure you want to open this file?" dialog after it's been downloaded. The idea is that if you download a text file, you won't get a dialog warning you that the file is insecure when you try and open it.

JNLP files were put in that list, presumably based on the assumption that Java was "secure." (Bad assumption!)

The fix was to remove them from the safe list, so now you'll get an "are you sure?" dialog from the OS itself rather than assuming Java is secure.

Re:Not a bug? (0)

Anonymous Coward | about a year and a half ago | (#43189055)

Interesting. Our applications back in the day used Webstart, and it would bring up an "Are you sure?" type of dialog. Jnlp files must have been put on the safe list later on. (I left the job in 2006, and don't even have Java installed on my MacBook. I think Java serves no purpose for most people now. Even back then, Webstart was an odd choice made by higher-ups.)

Re:Not a bug? (1)

_xeno_ (155264) | about a year and a half ago | (#43189077)

Java Web Start itself can also bring up an "are you sure?" dialog, which is different from the OS dialog. There's a generic universal "you downloaded this file off the Internet, are you sure you want to open it?" dialog that is shown in Mac OS X by Finder for all "non-safe" files.

The Java Web Start one I think only got triggered if your app was signed and requested not to run in the sandbox. If it was unsigned and didn't request to run outside the sandbox, I'm pretty sure JWS has always just launched the app without asking the user, based on the assumption that the sandbox made it safe.

Re:Not a bug? (0)

Anonymous Coward | about a year and a half ago | (#43189105)

At my work, a small (10 employees) local business, we actually need Java in order to do business. I hate it. I hate it with a burning passion. Every week, it pops up with an update notification. If my coworkers install it, they invariably neglect to disable installation of the Ask toolbar. Every week, it seems to break something we need, so the choice is to run something terribly insecure (vs. just vulnerable) or lose random functionality, such as the ability to print receipts, for a day or so.

I hate it.

(Yes, I am actively looking for alternatives. Yes, I should change some things about how the computers are set up and used. The problem is, as a small business, my job is busy enough as it is, and that sort of thing isn't even in my job description to begin with.)

Re:Not a bug? (0)

Anonymous Coward | about a year and a half ago | (#43189187)

Do you have an Active Directory domain set up?

If so, you can start the Java EXE installer, go to the temp folder, find the MSI that the Java installer installs from, move it to your desktop, and quit the Java installer. Then you can use a group policy to install the MSI and not have to worry about the damned Ask toolbar.

Unfortunately, many people in my office rely on Java-based sites, so I have to do this regularly on a network with hundreds of computers. Having to have Java installed is bad enough, but having to manually run the installer on each system would be a pain in the ass equivalent to the damn Adobe Reader updater. At least for Adobe Reader you can just leave it out and install Foxit instead. I wish there was an available alternative to Java.

Re:Not a bug? (1)

drinkypoo (153816) | about a year and a half ago | (#43190823)

Do you have an Active Directory domain set up?

Ah yes. I can see how much easier Windows is to administer, I have to have a domain before I can do anything sensible with it. Of course, I'd better have a backup domain controller. In a small office you might have four PCs, now I need two more and each on their own UPS to make sure that I don't have a failure that prevents work from being done.

At least for Adobe Reader you can just leave it out and install Foxit instead. I wish there was an available alternative to Java.

I am able to run what few Java things I try to run on my Linux system with the available alternative. When it gets updated automatically along with my OS updates, I don't even have to notice. In fact, I usually don't, because more than half the time the update-manager GUI won't actually appear, but I can still right-click the icon and install all updates. Yay Ubuntu! Obviously, it's not all sunshine and roses.

Re:Not a bug? (2)

devent (1627873) | about a year and a half ago | (#43189867)

That's the fault of the operating system (i.e. Windows).
I have Windows 7 for gaming and every time I start it to do some games, a few popup will come up, sometimes my screen will get black with a UAC dialog. That one time, Windows 7 just terminates my game and do a restart (for updates).

Use a real operating system like Linux and that stupid will go away. No more popups from 10 different applications informing you of an update, no more restarts to do updates (not even for a kernel update you need a restart). And yes, no more stupid "toolbar" that needs to be installed.

Re:Not a bug? (0)

Anonymous Coward | about a year and a half ago | (#43190579)

Linux is a kernel and not an operating system. Ubuntu is an operating system. Slackware is an operating system. The last time I used Ubuntu, it did need reboots once in awhile for updates - not every time, but often enough that it was definitely noticeable that it wasn't a reboot free OS. Go ahead and use a Linux based operating system; there is nothing wrong with it as a choice. You should always choose the right tool for the job and base your decision not on "software religion" but on more concrete things like whether it meets your needs, runs well on the hardware you are going to use, runs the proper mix of applications that you need, provides the security you expect, etc. Choosing to not use Windows because it doesn't have a central updater is certainly one of the odder reasons to choose an OS. But, definitely choose the one that is right for your needs. Most folks aren't computer hobbyists or hackers so they tend to choose something that comes with their hardware (Mac or Windows). Even a dead simple installer like modern GNU/Linux distributions have is too much trouble for the masses.

Re:Not a bug? (1)

Stupendoussteve (891822) | about a year and a half ago | (#43192451)

I don't think this was a flaw in that safe files list. It mentions it could be executed automatically, not that it was executed without warning.

Safari has the "Open 'safe' files automatically' option which is turned on by default. I think this is more likely the issue.

Re:Not a bug? (1)

girlinatrainingbra (2738457) | about a year and a half ago | (#43189583)

Scripts are executeables, too, eh? ;>) It took the mac-masses a while to notice. The problem with saying "there's a problem with java" and disabling java in the browser was leaving an attack vector open on the desktop by leaving java as a standalone. So if there's a known java explout and the recommended action is to disable java, then stopping the browser-plug-in is only part of the solution. Disabling the standalone java or jar execution system is also necessary.

Re:Not a bug? (2)

subanark (937286) | about a year and a half ago | (#43190973)

Not entirely true. You simply want to disable automatic execution of Java code. There are many apps out there that people don't even know use Java to run (although many of them use a private JVM to run in). The same goes for flash.... you wouldn't want your flash app to stop working since you disabled it in your web browser.

I know that Ubuntu requires jars to have the executable set on them before you can use them with java. What the mac did will still allow this, as it marks files as to their original location. If you download a program (including java jars) you will get a warning that you downloaded this [java, perl, unix, flash, windows, , ect...] program on the internet, It could harm your computer. Are you sure you want to continue? Additionally, since Java isn't installed on Macs by default anymore, it will ask you if you want to install it if you try and open a jar.

what JAVA? (0)

Anonymous Coward | about a year and a half ago | (#43188791)

nm

Re:what JAVA? (1)

Molochi (555357) | about a year and a half ago | (#43188795)

It's that thing that allows your users to access their web client at work.

Re:what JAVA? (1)

binarylarry (1338699) | about a year and a half ago | (#43189895)

Just Another Vulnerability Angle?

FYI Java is not an acronym.

Remove Java (0)

Anonymous Coward | about a year and a half ago | (#43188863)

Don't count on plugins.

how long? (1)

arbiter1 (1204146) | about a year and a half ago | (#43188977)

Issue really is How long was the flaw known and How long did it take Apple to get off their ASS to fix it?

Re:how long? (0)

Anonymous Coward | about a year and a half ago | (#43189277)

Why do you want to know?

Why is the browser launching anything? (2)

Animats (122034) | about a year and a half ago | (#43189061)

Hello? Why is a web browser launching other applications without explicit user consent? Ever?

This was the classic Microsoft security hole - executing anything that came in which could possibly be executed - Word documents, spreadsheets, autoplay files, Universal Plug and Play. Microsoft has now turned most of that off. Apple is replicating a classic Microsoft mistake here.

Re:Why is the browser launching anything? (1)

Psychotria (953670) | about a year and a half ago | (#43189421)

Even displaying a PDF (or rendering fonts for that matter -- they are code as well in most instances these days) is the browser executing something.

Re:Why is the browser launching anything? (1)

Psychotria (953670) | about a year and a half ago | (#43189441)

Actually I am pretty sure that font rendering under Windows is in kernel space, so conceivably simply displaying a font could be an effective attack vector; i.e. I don't think that an exploit relying at least partially the font rendering system is beyond the realm of possibility.

Re:Why is the browser launching anything? (1, Insightful)

jo_ham (604554) | about a year and a half ago | (#43189947)

Hello? Why is a web browser launching other applications without explicit user consent? Ever?

This was the classic Microsoft security hole - executing anything that came in which could possibly be executed - Word documents, spreadsheets, autoplay files, Universal Plug and Play. Microsoft has now turned most of that off. Apple is replicating a classic Microsoft mistake here.

It doesn't, or it shouldn't - that was the point. Safari *does* explicitly ask for consent before launching apps downloaded from the internet, but one script type was whitelisted by accident/oversight. This has now been fixed.

Re:Why is the browser launching anything? (0)

Anonymous Coward | about a year and a half ago | (#43190875)

Javascript is still whitelisted. Is this an accident/oversight too? You guys think we should ask for consent depending on executable/non-executable or app/non-app (is there a difference?), but the test should be safe/non-safe.

Re:Why is the browser launching anything? (1)

loufoque (1400831) | about a year and a half ago | (#43191819)

You clicked the link, that's explicit consent.

Re:Why is the browser launching anything? (1)

tepples (727027) | about a year and a half ago | (#43193301)

You clicked the link, that's explicit consent.

No, the advertisement on an unrelated web page redirected to the link.

Don't use computers, problem solved (1)

Anonymous Coward | about a year and a half ago | (#43189165)

I solved the problem by:

1) Uninstalling Java
2) Throwing the computer in the trash

Problem solved.

Re:Don't use computers, problem solved (2)

Psychotria (953670) | about a year and a half ago | (#43189447)

I solved the problem by:

1) Uninstalling Java
2) Throwing the computer in the trash

Problem solved.

I have done this as well! I also don't use the internet.

Re:Don't use computers, problem solved (1)

roman_mir (125474) | about a year and a half ago | (#43189521)

You are doing it all wrong, arms. GET RID OF THE ARMS! Did you know arms were digital?

Qt Java (1)

dannydawg5 (910769) | about a year and a half ago | (#43189959)

I used to be a Java fan until I found Qt. I see no reason for Java except in very narrow cases.

http://dannagle.com/2013/03/qt-java/ [dannagle.com]

Re:Qt Java (1)

gtall (79522) | about a year and a half ago | (#43191059)

Except for the mountains of back end Java code which happily works just fine, surely you knew this, yes?

Re:Qt Java (0)

Anonymous Coward | about a year and a half ago | (#43191485)

An article dissing a managed language over security and then suggesting it can be replaced by an unmanaged language is comical to say the least.

There's a reason why the decline in buffer and stack overflows on the web has declined relative to the decrease in unmanaged languages on the web, in this case, correlation is causation.

Absolutely there are good C++ developers out there who write very secure code, and absolutely there are practices you can put in place to avoid the inherent security risks of an unmanaged language, but I can absolutely assure you that if you replace Java with C++ then Java's security issues will look meaningless as the number of buffer overflows that simply slipped through will cause way more numerous and serious exploits than Java's vulnerabilities have.

Still, it was clear the article was written by someone rather clueless when I saw this:

"There is no âoebyte-codeâ nonsense. Everything is a binary running full speed."

Obviously he doesn't even realise that thanks to JIT compilation, byte-code is converted into native machine code, and with machine specific (rather than just platform specific such as x86 as is often the case with C++ compiles) optimisations to boot.

Re:Qt Java (1)

tepples (727027) | about a year and a half ago | (#43193311)

thanks to JIT compilation

How is JIT compilation compatible with strict W^X security?

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?