Six months ago, Sun fixed a security flaw in Java (CVE-2008-5353). The flaw was also present in OpenJDK, GIJ and IcedTea, and it has since been fixed in all of those. One important shipping Java implementation, however, still has not been fixed: Apple's.
The bug is not new; it was first reported to Sun in August of last year. Most operating systems have been patched by now, because they ship Sun's JRE or one of the other fixed implementations, but Apple's implementation still has not been fixed, not even in last week's 10.5.7 update.
That makes it worth taking a closer look at just how serious this flaw is. It can be used to build a "write once, exploit everywhere" exploit against any system that has not yet applied the fix, which at this point means, in practice, Mac OS X users. Google employee Julien Tinnes details on his blog just how dangerous this flaw is for Mac users. After a lengthy technical discussion of how to exploit it, he concludes that it is rather special.
“This one is a pure Java vulnerability. This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers!” he warns, “Mine has been tested on Firefox, IE6, IE7, IE8, Safari and on MacOS X, Windows, Linux and OpenBSD and should work anywhere. This is close to the holy grail of client-side vulnerabilities.”
He then goes on to say that:
So MacOS X users, please disable Java in your web browser. Others: make sure you have updated Java and still disable it in your web browser: it's a huge attack surface and it suffers from many other security vulnerabilities. Moreover, even without taking into consideration Java vulnerabilities themselves, since the Java plugin allocates all memory as RWX and doesn't opt-in for randomization, a Java applet can be used to bypass ASLR and non executability (DEP on Windows) in browser exploits.
A harmless proof-of-concept was made by Landon Fuller: visiting his demonstration page, which loads a Java applet, invokes /usr/bin/say with the privileges of the currently logged-in user.
Apple has often been criticised for being quite lax when it comes to fixing known bugs in its operating system. For instance, Mac OS X has a history of shipping with outdated versions of various open source tools, leaving the operating system wide open to known attack vectors.
“In general Apple has been a little slower to apply upstream security updates in Java,” said Dino Dai Zovi, an independent security researcher and co-author of The Mac Hacker’s Handbook, “Whenever basically they’re lagging behind a vulnerability that’s out and known, it’s pretty significant. Potential hackers don’t have to discover anything new; they can use a vulnerability that’s already released.”
For now, the best idea is to disable Java while on Mac OS X, and wait for Apple to get its act together on this one.
It's very rare to find a Java exploit that can do any real damage. This one is fairly amazing.
Does anyone know why Apple can't just release a small patch? Java, on the OS X platform, has one of the rare privileges of being part of the OS auto-update facilities, so it can't be THAT hard…
Given the way Apple seems to be shunning Java lately I’m surprised it’s still in the software update feature. The jvm that ships with os x is still a 1.5 rather than a 1.6 for example, and Apple has all but deprecated the Cocoa-Java bridge, at least that was their stance a few months ago. Java has been reduced to a second-class citizen on Mac, and Apple seems to like it that way. Given this, I’m disappointed–though not surprised–that their jvm is still unpatched.
Unless Apple restores WebObjects to its roots with ObjC and Cocoa, a new release of WOF with a new JVM to cover this will occur.
I’m betting it’ll arrive at WWDC or the day Snow Leopard arrives.
Most likely Sun is demanding that Apple buy a support contract in order to get the code fix.
Java isn’t “free” after all.
Nice try. You missed the part about OpenJDK, GIJ and icedtea already being patched. All of which are “free”.
Apple rolls their own Java, as many others do. Apple is being lazy. Quit making excuses.
And they aren’t Java 5 either.
and… the part about upgrading to Java 6 being in total control of Apple?
Really, Apple should have had this bug fixed long ago and it is not a case of world vs Apple/Apple fans… bah…
Why patch if you’re that cool?
Nice troll. Completely unnecessary. Would you like me to stereotype Linux and Windows while we’re at it?
Since Java is now Open-Source Software, we could simply create a nice Mac-OS-like installer that would install the OpenJDK with all the latest bells & whistles and be free from Apple's implementation.
The current Mac OS has Java 5 which is NOT open source. You have to be a paying licensee to get the code updates from Sun.
The current release of Java 6 is only partially open source.
Java 7 is 100% open source and hasn’t been released yet.
Java 6 (OpenJDK) is currently 100% open source, but lacks some patented and copyrighted parts (as in graphics or something).
And Apple does support the Java 5 on OSX 100%, and does not need to ask Sun to create patches. Let alone, they asked Sun to support Java on OSX by themselves. Add to that, the fact that Stevie said that he wanted OSX and Macs to be the platform of choice for Java development. So much for trusting that guy.
I’m shaking my head again. Is anything but hardware of interest to Apple now?
I understand the need to make money to keep the company going, but how long will all but the most fanatical accept the company’s complete disregard for reality and security?
I like most of what the company does, but this is no way to encourage new purchases. Sure Mac OS X is reasonably secure by default, but Apple, what have you done for me lately?
I’m sure they’ll fix it after the first Apple machine falls in next year’s Pwn2Own.
Seriously though, they probably stuffed the patches in with the next OS release as they’ve done with proper sandboxing around safari and those other niceties that make breaking osX easy.
(It's a bit of irony to learn that Windows actually has better security mechanisms in place than osX. The security researchers disagree with the marketing.)
I don’t like to wait for them. Since Avie Tevanian left the company, they’ve become far too reckless in their software, as if they’re doing it purposely to sell new hardware.
All the security bits in Windows would mean something if Microsoft removed ActiveX, but it’s still a security leak by design and no matter how many UAC dialogues appear, you can’t change people. You can lead a horse to water, but you can’t make him think, as I say.
What is bad, is Apple base their software partly on Open Source and when Open Source project X fixes something, Apple doesn’t ship the fixes to the users.
It would be nice if Apple rolled open source patches into their OS updates at a greater clip and I wonder sometimes how many resources they pour into this.
I think there are signs of the company quietly getting more serious about its security issues. For instance, they just hired Ivan Krstic, who was the director of security architecture for OLPC. I guess that one just slipped by…
I waited six months for Apple to patch an issue in the Safari RSS reader that allowed remote JS to run in the file:// zone. Meanwhile the engineer who was assigned the defect was actually working on Safari 4 features. They didn’t fix it until I made noise publicly about it. So, their prioritization is all wrong.
Safari users with default settings have been vulnerable to arbitrary code execution vulnerabilities since the browser was first released in 2003 and remain vulnerable today. It’d be trivial to turn any of these into a virus (see http://brian.mastenbrook.net/display/32 ). When will they start taking these issues seriously? Probably after a virus happens.
I was going to say; “at least there is an osX native Firefox” but it’s actually any browser run on osX that is vulnerable to much the platform has to offer.
Thanks for the link. I have java turned off now. This is really bad^H^H^Hsad!! Everyone should read that link you posted and it does work in any browser (I tried opera, safari, firefox) except Chromium which does not support java by default!
To scare all the moms and pops of this world.
I wish to see this on the news, the same way Conficker was.
I mean they scared my parents and they don’t even use computers.
Imagine what could happen to Apple's growth if this was in the media.
Maybe that is why Apple is protected by these companies.
I am just wondering if OpenJDK isn't a better solution for Apple users then? Unless Apple's Java is tightly bound to Mac OS X, or has special features, I can't see a reason not to use the up-to-date, secure solution that Linux users use.
Best,
H.
Soylatte is affected as well on Mac OS X – but OpenJDK6 for Mac indeed is not.
Unfortunately Apple cannot replace their VM investment with the OpenJDK. From what I understand, in the early days of Mac OS X, Objective-C was not very popular, and was seen by Apple as a hindrance. To entice more developers over to the platform, Apple committed to making Java a "first class citizen" on the Mac OS X platform. So there are a lot of Apple-only features in the Apple JDK. They also integrated Swing and their Aqua interface. As well as little things like spell checking and such. As Objective-C gained popularity, Apple's Java commitment waned.
I suspect because of the OS-level integration they won't be using any GPL'd code, as they don't want to show their source.
A few years ago, Apple was releasing a new version of their JRE every month to fix security problems… because of course Apple can’t be trusted to do anything securely in the first place. I guess they got sick of constantly working on Java, and so they’re ignoring the problems.
I’d like to see widespread coverage of this, it might make Apple pull its head in a bit.
Don’t count on it. Apple websites will systematically ignore this, and take a guess where the truly major sites get their Mac news from…
Bingo.
MacGeneration which is a well known french Apple site has an article about it.
Don’t assume too much when you don’t know.
Well, it’s on MacRumors and CNBC, the financial network watches MR closely so others will likely take notice.
You’re totally full of it… Please point to the ones ignoring this?
http://daringfireball.net/linked/2009/05/20/fuller-java-mac-os-x
http://www.macworld.com/article/140704/2009/05/java_vulnerability.h…
http://www.macnn.com/articles/09/05/20/java.vulnerability.in.os.x/
And you got modded up for your troll…
It wasn’t a troll. This news was out and about for a long time already, and the sites that are SUPPOSED to carry it (Mac sites), did not. Explain to me how the latest fart from an Apple employee gets pushed across the Apple blogosphere at lightspeed, but something negative takes days to appear?
They are carrying it and they aren’t glossing it over. Days to appear?
http://landonf.bikemonkey.org/2009/05/19#CVE-2008-5353.20090519 was posted on the 19th. The sites I linked to all had stories up today (the 20th). Days… you say.
I suppose you lump this site in with them as well, since it took OSnews a day to get to it as well.
Here is what you said:
So again where are the sites systematically ignoring this?
T-R-O-L-L
Hate it that I can’t even trust an OS’s implementation of JRE, and have to resort to running a separate OS in a VM.
Being able to pop open an easily restored VM for untrusted sites is just a good idea all around. Even with 64bit flashplayer now on my Mandriva or a near bulletproof Windows install (thanks to third party software), there isn’t a site that can’t wait five minutes while a Windows VM boots from a clean restore point.
Actually there are some things people forget when they discuss Java in Mac OS X.
Mac OS X is the only major consumer-oriented operating system that still ships with Java installed by default. That decision was taken at the end of the nineties. In that era everyone thought Java would be the future.
However, most desktop applications do not use Java these days. It could be that Sun did not open source the thing before, or that they never focused on the desktop and only on the enterprise. Or that Java suffered so much on the performance front that people decided to code in something else.
Anyway, these days, the major apps made in Java I can think of are NetBeans, JDeveloper, IntelliJ, Eclipse… There are very few consumer apps made in Java these days if you don't consider the enterprise.
And since Apple is not focused on the enterprise, I believe they are focusing on other things more important, like Snow Leopard and ITouch.
The problem, however, is not Java per se, in my opinion. The problem is the way browsers work (Firefox, Safari, Explorer, etc.).
This time it is Java, but we have seen the same security threats from Flash, QuickTime, Windows Media Player, JavaScript and every single thing that can be made a plugin and used on a web page. And somehow all operating systems could get compromised. At this time, the flaw is patched, but unpatched systems are all affected no matter the OS.
I do not understand how all browsers trust everything they find on the web so much and give it rights to execute whatever it likes. I really hope Chrome fixes that. It is just so wrong.