Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Blocks Java 7 Plug-in on OS X to Address Widespread Security Threat
- Thread starter MacRumors
- Start date
- Sort by reaction score
How Do I Uninstall Java?
This is my first Mac, 15" MacBook Pro Retina. I had downloaded Java back in Aug when I received my Mac.
I went to System Preferences and saw the Java program listed under "Other" at the bottom.
I clicked to remove it and was prompted that it couldn't be removed due to an error. Am I missing something. Coming from Windows I would just go to Software Management and select software to uninstall.
This is my first Mac, 15" MacBook Pro Retina. I had downloaded Java back in Aug when I received my Mac.
I went to System Preferences and saw the Java program listed under "Other" at the bottom.
I clicked to remove it and was prompted that it couldn't be removed due to an error. Am I missing something. Coming from Windows I would just go to Software Management and select software to uninstall.
. 
I didn't know about the silent updates in OS X, so it surprised me yesterday when I saw it show up. I thought it was malware. 
Yes they are more secure than other OSs. But Java is cross platform so it works on every platform pretty much the same. Good thing Apple is disabling it. You don't see Microsoft doing the same thing. It just goes to show that Apple cares more about their customers.
Actually the Mac is no more secure than Windows is. The only reason there are less security breaches is because it's a much smaller platform and therefore does not get as much attention as Windows from the hackers. But now that Apple is getting a larger market share hackers are becoming more interested.
If you follow hacking conferences at all you will know that Macs are hacked into just as often as Windows machines.
Of course this has nothing at all to do with the whole Java debate going on here, any browser plugin is inherently dangerous. So if you want to be safe disable all plugins like Flash, Silverlight, etc But the real danger lies in the user's own actions. Surfing porn/warez sites is dangerous no matter what you have enable/disabled.
Just disable it in your browser(s), you don't have to kill off Java altogether. Removing Java from your machine just because the browser plugin has a flaw is like throwing out the baby with the bathwater.
(clarification)
It's located in the Security & Privacy system preferences panel, if you have Mountain Lion.
Then (with the panel Unlocked), you have to click on the "Advanced" button at the lower right corner, which was really easy to miss.
Is Opera (or Lightning) a browser that does not respect Apple XProtect?
I have no other browsers installed and wouldn't like to install more.
Many thanks!!
I didn't know about the silent updates in OS X, so it surprised me yesterday when I saw it show up. I thought it was malware.
You saw what exactly? A notification from Apple that said something like....
"This is Apple. Do not panic. We are just sneaking in a small stealth update to help keep your Mac more secure. Now just pretend you didn't see this pop-up!"
Did you see something like that?! I know I never saw that.
You saw what exactly? A notification from Apple that said something like....
"This is Apple. Do not panic. We are just sneaking in a small stealth update to help keep your Mac more secure. Now just pretend you didn't see this pop-up!"
Did you see something like that?! I know I never saw that.
I saw this pop up when I opened a page:
Usually when you get a message like that the moment you open a page, it's from an ad.
While it is a little creepy that Apple can reach into my computer and turn stuff off, it is also amazing that they can protect the entire user community by throwing one switch. The PC world is out there mostly unaware of this threat and people are vulnerable. I was out of town and three computers I manage were back at the office and Apple took care of all of them. This left me having to find a workaround for one app I use but the publisher got that out to me. Not bad. Now if Larry Ellison will just light a proper fire and get this thing fixed...really fixed, that would be nice.
That said, when the nimrods at Homeland Security who grab my genitalia in airports with dirty gloves and harass me at their freeway checkpoints go to DEFCON 4, that's newsworthy. These are (in my experience) people who have difficulty wiping themselves.
That said, when the nimrods at Homeland Security who grab my genitalia in airports with dirty gloves and harass me at their freeway checkpoints go to DEFCON 4, that's newsworthy. These are (in my experience) people who have difficulty wiping themselves.
You're thinking of "Open safe downloads automatically". IIRC, that was also fixed, although I still leave it off on my computer just in case. This is entirely separate from that setting.
jW
I am on 10.8.2
I don't have any Java under "Other" wtf
I do however have Java preferences in launchpad that doesn't do anything when I click on it.
This is an option that you choose to allow. If you don't want them to be able to do so, just uncheck the box in the Security system preference.
Define "hacked". Of course, you can break into a Mac or any PC if you have it physically, and you can brute-force into a Mac via SSH or something.
There are no Mac OS X viruses right now, only trojans like Flashback. So clearly, people have written malware for Mac, but none of the malware are viruses. Hmm... And there WERE viruses for Mac OS 9, which had a (much) smaller market share than OS X has now. You'd also think that there would be at least one Mac OS X virus out there by now, considering how unprepared a Mac user would be for a virus and how Mac OS X has been out since 2001.
So this suggests to me that Mac OS X is more secure than OS 9 and Windows. In addition, if you've used Windows and Mac OS X, you'd notice how bad the Windows security is and how easily users can get tricked into installing malware.
Need help with Java issue
Is there anything I can do to use Safari with any version of Java enabled? I performed the update and now Safari doesn't recognize Java. I need to use Java in the browser to use a remote access application for medical care. This is quite the pain in the but. Is the only option to go find a Windows computer? How ironic if true.
Thanks,
Chris
Is there anything I can do to use Safari with any version of Java enabled? I performed the update and now Safari doesn't recognize Java. I need to use Java in the browser to use a remote access application for medical care. This is quite the pain in the but. Is the only option to go find a Windows computer? How ironic if true.
Thanks,
Chris
we are disabling Java enterprise wide as of midnight.
This sucks.
No idea how our web dept will do their job, their CMS is Java and Flash based.
This sucks.
No idea how our web dept will do their job, their CMS is Java and Flash based.
Mac OS X is more secure than Windows.
1) Until Vista, the admin account in Windows did not implement DAC in a way to prevent malware by default. Also, Windows has a far greater number of privilege escalation vulnerabilities that allow bypassing DAC restrictions even if DAC is enabled in Windows.
Much of the ability to turn these vulnerabilities into exploits is due to the insecurity of the Windows registry. Also, more easily being able to link remote exploits to local privilege escalation exploits in Windows is due to the Windows registry.
Mac OS X does not use an exposed monolithic structure, such as the Windows registry, to store system settings. Also, exposed configuration files in OS X do not exert as much influence over associated processes as the registry does in Windows.
Mac OS X Snow Leopard has contained only 4 elevation of privilege vulnerabilities since it was released; obviously, none of these were used in malware. Lion has contained 2 so far but one of these vulnerabilities doesn't affect all account types because of being due to a permissions error rather than code vulnerability.
The following link shows the number of privilege escalation vulnerabilities in Windows 7 related to just win32k:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k+7
More information about privilege escalation in Windows 7:
http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/ -> guide to develop exploits to bypass UAC by manipulating registry entries for kernel mode driver vulnerabilities.
https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf -> more complete documentation about Windows kernel exploitation.
http://mista.nu/research/mandt-win32k-paper.pdf -> more complete documentation about alternative methods to exploit the Windows kernel.
http://threatpost.com/en_us/blogs/tdl4-rootkit-now-using-stuxnet-bug-120710 -> article about the TDL-4 botnet which uses a UAC bypass exploit when infecting Windows 7.
2) Windows has the potential to have full ASLR but most software does not fully implement the feature. Most software in Windows has some DLLs (dynamic link libraries = Windows equivalent to dyld) which are not randomized.
http://secunia.com/gfx/pdf/DEP_ASLR_2010_paper.pdf -> article overviewing the issues with ASLR and DEP implementation in Windows.
Also, methods have been found to bypass ASLR in Windows 7.
http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf -> article describing bypassing ASLR in Windows 7.
Mac OS X has full ASLR implemented on par with Linux. This includes ASLR with position independent executables (PIE). DLLs in Windows have to be pre-mapped at fixed addresses to avoid conflicts so full PIE is not possible with ASLR in Windows.
Using Linux distros with similar runtime security mitigations as Lion for a model, client-side exploitation is incredibly difficult without some pre-established local access. Of course, this is self defeating if the goal of the exploitation is to achieve that local access in the first place.
See the paper linked below about bypassing the runtime security mitigations in Linux for more details.
http://www.blackhat.com/presentatio...Europe-2009-Fritsch-Bypassing-aslr-slides.pdf
The author only manages to do so while already having local access to the OS.
3) Mac OS X Lion has DEP on stack and heap for both 64-bit and 32-bit processes. Third party software that is 32-bit may lack this feature until recompiled in Xcode 4 within Lion. Not much software for OS X is still 32-bit.
But, not all software in Windows uses DEP; this includes 64-bit software. See first article linked in #2.
4) Mac OS X implements canaries using ProPolice, the same mitigation used in Linux. ProPolice is considered the most thorough implementation of canaries. It is known to be much more effective than the similar system used in Windows.
http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf -> article comparing ProPolice to stack canary implementation in Windows.
5) Application sandboxing and mandatory access controls (MAC) in OS X are the same thing. More specifically, applications are sandboxed in OS X via MAC. Mac OS X uses the TrustedBSD MAC framework, which is a derivative of MAC from SE-Linux. This system is mandatory because it does not rely on inherited permissions. Both mandatorily exposed services (mDNSresponder, netbios...) and many client-side apps (Safari, Preview, TextEdit ) are sandboxed in Lion.
Windows does not have MAC. The system that provides sandboxing in Windows, called mandatory integrity controls (MIC), does not function like MAC because it is not actually mandatory. MIC functions based on inherited permissions so it is essentially an extension of DAC (see #1). If UAC is set with less restrictions or disabled in Windows, then MIC has less restrictions or is disabled.
http://www.exploit-db.com/download_pdf/16031 -> article about Mac sandbox.
http://msdn.microsoft.com/en-us/library/bb648648(v=VS.85).aspx -> MS documentation about MIC.
https://media.blackhat.com/bh-eu-11/Tom_Keetch/BlackHat_EU_2011_Keetch_Sandboxes-Slides.pdf -> researchers have found the MIC in IE is not a security boundary.
6) In relation to DAC and interprocess sandboxing in OS X in comparison with some functionality of MIC in Windows 7 (see #5), the XNU kernel used in OS X has always had more secure interprocess communication (IPC) since the initial release of OS X.
Mac OS X, via being based on Mach and BSD (UNIX foundation), facilitates IPC using mach messages secured using port rights that implement a measure of access controls on that communication. These access controls applied to IPC make it more difficult to migrate injected code from one process to another.
Adding difficulty to transporting injected code across processes reduces the likelihood of linking remote exploits to local exploits to achieve system level access.
As of OS X Lion, the XPC service has also been added to implement MAC (see #5) on IPC in OS X. (http://developer.apple.com/library/...stemStartup/Chapters/CreatingXPCServices.html)
7) Security benefits of a UNIX foundation
Not all software vulnerabilities are exploitable. Vulnerabilities that are not exploitable only allow a denial of service condition upon being triggered. Exploitable vulnerabilities allow code execution when triggered.
There are two methods to achieve code execution in relation to buffer overflows:
1) RET overwrite -> control return address of instruction pointer
2) SEH (structured exception handler) overwrite -> control content of handler that will be executed upon an exception
To clarify:
Basically, SEH overwrites provide a second method to exploit a vulnerability in the event that a RET overwrite is unsuccessful or not exploitable. Obviously, more vectors being available to facilitate exploiting a vulnerability increases the number of vulnerabilities that are exploitable. SEH overwrites reduce the number of vulnerabilities that only produce a denial of service condition.
Mitigations have been developed to prevent SEH overwrites. These include SafeSEH and SEHOP. Methods are known that allow bypassing both mitigations.
SafeSEH is bypassed if only one component of the program doesn't implement this mitigation; it is common that not all components implement SafeSEH.
SEHOP is bypassed if ASLR is compromised via a memory disclosure vulnerability.
So, what does this have to do with the security benefits of a UNIX foundation?
UNIX and UNIX-like operating systems, such as Mac OS X and Linux, don't have structured exception handling. So, SEH overwrites, as a vector to increase the number of exploitable vulnerabilities, doesn't exist in these operating systems. The signalling system used in these operating systems isn't liable to this type of manipulation.
SEH overwrites do provide a plausible explanation for more vulnerabilities being exploitable in Windows.
http://www.i-hacked.com/freefiles/EasyChat_SEH_exploit_v1.3.pdf
http://www.sysdream.com/sites/default/files/sehop_en.pdf
8) Windows has far more public and/or unpatched vulnerabilities than OS X.
http://m.prnewswire.com/news-releas...-vulnerability-in-microsoft-os-110606584.html -> article about 18 year old UAC bypass vulnerability.
9) Password handling in OS X is much more secure than Windows.
The default account created in Windows does not require a password. The protected storage API in Windows incorporates the users password into the encryption key for items located in protected storage. If no password is set, then the encryption algorithm used is not as strong. Also, no access controls are applied to items within protected storage.
In Mac OS X, the system prompts the user to define a password at setup. This password is incorporated into the encryption keys for items stored in keychain. Access controls are implemented for items within keychain.
Also, Mac OS X Lion uses a salted SHA512 hash, which is still considered cryptographically secure. It is more robust than the MD4 NTLMv2 hash used to store passwords in Windows 7.
http://www.windowsecurity.com/articles/How-Cracked-Windows-Password-Part1.html -> article about Windows password hashing.
10) The new runtime security mitigation improvements to be included in Windows 8 have already been defeated.
http://vulnfactory.org/blog/2011/09/21/defeating-windows-8-rop-mitigation/
To put this into perspective, methods to bypass the new runtime security mitigations in Mac OS X Lion are not yet available.
11)In regards to recent earlier version of Mac OS X:
The following article relates to varying levels of security mitigations in different Linux distros but it is applicable in revealing that the runtime security mitigations in some earlier versions of Mac OS X prior to Lion were far from inadequate.
http://www.blackhat.com/presentatio...Europe-2009-Fritsch-Bypassing-aslr-slides.pdf
While Mac OS X Leopard/SL lack full ASLR, Windows Vista/7 have stack canaries (aka stack cookies) that are trivial to bypass.
The following link shows the issues with stack canaries in Windows. -> http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-silberman/bh-us-04-silberman-paper.pdf
So:
Windows Vista/7 = NX + ASLR
Mac OS X Leopard/SL = NX + stack cookies
These articles show that NX in combination with stack canaries is more difficult to bypass than a combination of NX and ASLR.
12) Mountain Lion only improves upon the security of Lion.
BTW, Safari on a Mac running Lion was not hacked at the last pwn2own.