Old May 20, 2009, 03:29 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Unpatched OS X Java Vulnerabilities Drawing Attention



Programmer and former Apple engineer Landon Fuller has released a proof-of-concept exploit demonstrating vulnerabilities in Apple's current implementation of Java that allow arbitrary code execution in Java-enabled Web browsers. While the vulnerabilities, first discovered last August, were disclosed and patched by Sun last December, Apple has yet to roll out a fix for its own implementation of Java.
Quote:
CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable.

Unfortunately, these vulnerabilities remain in Apple's shipping JVMs, as well as Soylatte 1.0.3. As Soylatte does not provide browser plugins, the impact of the vulnerability is reduced. The recent release of OpenJDK6/Mac OS X is not affected by CVE-2008-5353.
With the recent release of OS X 10.5.7 failing to address the vulnerabilities, Fuller decided to create and release his proof-of-concept exploit in order to bring attention to the severity of the issue. The proof-of-concept uses a browser-based Java applet to invoke the Unix "say" command on the user's system, which speaks a short statement explaining that the exploit has run; the payload is deliberately harmless and stands in for the arbitrary code a malicious applet could run the same way.

The only recommended workaround at this time is to disable Java applets in all browsers and to disable the 'Open "safe" files after downloading' option in Safari. Disabling Java applets will cause some websites to behave incorrectly, but no other protection against exploits of the vulnerabilities is available until Apple releases a patch.

Article Link: Unpatched OS X Java Vulnerabilities Drawing Attention
Old May 20, 2009, 03:34 PM   #2
themoonisdown09
macrumors Demi-God
 
themoonisdown09's Avatar
 
Join Date: Nov 2007
Location: Georgia, USA
I'm not really sure how to rate this news article.

I could rate Positive because Landon Fuller is really trying to bring the issue to everybody's attention. But then I could rate Negative because Apple still hasn't resolved this issue.

Hmm... decisions, decisions.
__________________
Looks like I picked the wrong week to quit sniffing glue.
Old May 20, 2009, 03:35 PM   #3
frimple
macrumors Demi-God
 
Join Date: Nov 2008
Location: Denver, CO
http://landonf.bikemonkey.org/static...353/hello.html

Go give it a try then
__________________
[Gandalf-Q8200|Server 2008 R2] [Durin-3.2 W5580 Quad|10.6.2] [Arien-iMac|10.6.2] [Arwen-G4 Mini|Server 10.4] [Aragorn-G4 Mini|Server 10.4] [Frodo-G4 Cube|10.2]
Old May 20, 2009, 03:38 PM   #4
itickings
macrumors 6502
 
Join Date: Apr 2007
When I read this, I immediately went to Safari's preferences menu to disable Java, only to find that I'd already disabled it. I most likely have had it disabled since right after I finished installing OS X, along with 'Open "safe" files after downloading' of course...

Never noticed anything missing on the web without it. At all.
Old May 20, 2009, 03:38 PM   #5
Bubba Satori
macrumors 68000
 
Bubba Satori's Avatar
 
Join Date: Feb 2008
Location: B'ham
Totally unacceptable and inexcusable.
Old May 20, 2009, 03:39 PM   #6
celtikmind
macrumors 6502
 
Join Date: Feb 2009
So much for the always annoying Apple quarantine setting to be useful...
Old May 20, 2009, 03:40 PM   #7
amac4me
macrumors 65816
 
Join Date: Apr 2005
Workaround is to disable Java in your browser

Here's the blog post from Intego:

The best way to protect against this exploit is to deactivate Java in your web browser. In Safari, choose Safari > Preferences, click the Security tab, and uncheck Enable Java if it is checked. It is safe to leave Enable JavaScript activated, since this vulnerability only affects Java applets.

If you use Firefox, this setting is found on the Content tab of the program’s preferences.

http://blog.intego.com/2009/05/20/in...vulnerability/

__________________
Switch To A Mac
http://switchtoamac.com
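The two workarounds recommended in this thread (disable Java applets in the browser, turn off Safari's 'Open "safe" files after downloading') can be audited rather than eyeballed in a preferences pane. The script below is an added example and is not code from MacRumors, Intego or Landon Fuller. It assumes, since the page does not name them, that Safari keeps these two settings in com.apple.Safari under the keys WebKitJavaEnabled and AutoOpenSafeDownloads, and that Firefox 3.x gates applets on the security.enable_java preference. The Safari plist and Firefox prefs.js it reads are constructed inline so it runs offline; on a real Mac you would feed it the bytes of ~/Library/Preferences/com.apple.Safari.plist and the text of the profile's prefs.js or user.js.

```python
"""Audit a Mac for the two workarounds recommended in this thread.

Added example, not code from MacRumors, Intego or Landon Fuller.
Assumed (not on the page): Safari stores these two settings in
com.apple.Safari under WebKitJavaEnabled and AutoOpenSafeDownloads,
and Firefox 3.x gates applets on security.enable_java.
"""
import plistlib
import re

SAFARI_JAVA_KEY = "WebKitJavaEnabled"          # assumed key name
SAFARI_AUTOOPEN_KEY = "AutoOpenSafeDownloads"  # assumed key name
FIREFOX_JAVA_PREF = "security.enable_java"     # assumed Firefox 3.x pref


def audit_safari(plist_bytes):
    """Return which of the two Safari settings are still exposed.

    XML or binary plist bytes are accepted, so on a real Mac the input is
    the contents of ~/Library/Preferences/com.apple.Safari.plist. Both
    settings default to ON when the key is absent, so a missing key counts
    as exposed rather than as safe.
    """
    prefs = plistlib.loads(plist_bytes)
    return {
        "java_enabled": bool(prefs.get(SAFARI_JAVA_KEY, True)),
        "auto_open_safe_files": bool(prefs.get(SAFARI_AUTOOPEN_KEY, True)),
    }


# user_pref("name", value);  where value is true/false, an integer or a string
USER_PREF_RE = re.compile(
    r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);', re.M
)


def audit_firefox(prefs_js_text):
    """Parse prefs.js/user.js text; Java is on unless the pref is false."""
    values = {m.group(1): m.group(2) for m in USER_PREF_RE.finditer(prefs_js_text)}
    return {"java_enabled": values.get(FIREFOX_JAVA_PREF, "true") != "false"}


def remediation(safari, firefox):
    """Return the changes still needed to reach the recommended state."""
    steps = []
    if safari["java_enabled"]:
        steps.append(f"defaults write com.apple.Safari {SAFARI_JAVA_KEY} -bool false")
    if safari["auto_open_safe_files"]:
        steps.append(f"defaults write com.apple.Safari {SAFARI_AUTOOPEN_KEY} -bool false")
    if firefox["java_enabled"]:
        steps.append(f'add to user.js: user_pref("{FIREFOX_JAVA_PREF}", false);')
    return steps


# Constructed sample inputs (not captured from a real machine).
# Safari: "Open safe files" is already off, but the Java key is absent
# (default: enabled). WebKitJavaScriptEnabled is a different setting and is
# deliberately ignored: JavaScript is not what this vulnerability needs.
SAMPLE_SAFARI_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>AutoOpenSafeDownloads</key>
    <false/>
    <key>WebKitJavaScriptEnabled</key>
    <true/>
</dict>
</plist>
"""

# Firefox: applets already disabled via user.js.
SAMPLE_FIREFOX_PREFS = """// Mozilla User Preferences
user_pref("javascript.enabled", true);
user_pref("security.enable_java", false);
user_pref("browser.startup.homepage", "http://example.invalid/");
"""

if __name__ == "__main__":
    safari = audit_safari(SAMPLE_SAFARI_PLIST)
    firefox = audit_firefox(SAMPLE_FIREFOX_PREFS)
    for step in remediation(safari, firefox):
        print("TODO:", step)
```

The point of treating an absent key as exposed is that Safari only writes a key to the plist once the user has changed it; a fresh install has neither key and both features on, which is exactly the state the advice in this thread is warning about. Disabling Java this way leaves JavaScript alone, matching Intego's note that only applets are affected.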
Old May 20, 2009, 03:42 PM   #8
sd2009
macrumors 6502
 
Join Date: May 2008
Welp...it's been good, guys. but we all knew this day would come.
Old May 20, 2009, 03:44 PM   #9
voyagerd
macrumors 6502a
 
voyagerd's Avatar
 
Join Date: Jun 2002
Location: Lake Oswego, OR
This isn't the first exploit that Apple eventually fixes.
__________________
2.6GHz 15" MacBook Pro (Penryn) / 4GB RAM / 500GB 7200RPM HDD / 8600M GT 512MB
32GB iPhone 3GS
Old May 20, 2009, 03:45 PM   #10
SilentPanda
Demi-God (Moderator)
 
SilentPanda's Avatar
 
Join Date: Oct 2002
Location: The Bamboo Forest
Quote:
Originally Posted by sleeptodream View Post
Welp...it's been good, guys. but we all knew this day would come.
The day has already been and passed. OS X has vulnerabilities... and they get patched. It's unfortunate that this one is there yes, but there's probably more than just this one right now waiting to be found.

I will however be curious to see how long it takes them to fix this now that it's more widely talked about.
__________________
"grade image" - say it out loud, it'll make you laugh.
Old May 20, 2009, 03:46 PM   #11
fishmoose
macrumors 6502
 
Join Date: Jul 2008
Location: Sweden
Quote:
Originally Posted by sleeptodream View Post
Welp...it's been good, guys. but we all knew this day would come.
Yeah, because Java exploits are something new...
__________________
MacBook 2.2 GHz 2 gig ram 120 GB HD; iPhone 3G 16 GB; iPod Video 30 GB
Old May 20, 2009, 03:47 PM   #12
Undecided
macrumors regular
 
Join Date: Mar 2005
Quote:
Originally Posted by frimple View Post
I tried this and nothing happens. I'm using Safari 4.0 beta 2 (build 5528.17). The java app never finishes loading - I just get "This is the applet" and the java logo continuously spinning where the app should appear, I guess. And there's no process called "say" running either. Both Java and Javascript are enabled. <shrug>
Old May 20, 2009, 03:48 PM   #13
ghostface147
macrumors regular
 
Join Date: May 2008
For all the good that Apple does, they still can't touch Microsoft's reliability when it comes to fixing vulnerabilities in a timely fashion. Sure there have been times that MS failed to deliver a patch for a very long time, but that seems to be in the past now. We know every month we are getting updates in one form or another for Windows, and yet we just hope that we get an update from Apple in some random timeframe that only they know about. They've been working on 10.5.7 for a few months before they released it and didn't bother fixing Java? What is that? Windows is a security nightmare for many, but at least MS makes an attempt to patch as quick as possible. I know I can disable Java and will probably not miss it, but that's not the point here.
Old May 20, 2009, 03:51 PM   #14
roger6106
macrumors member
 
Join Date: Jun 2007
Quote:
Originally Posted by SilentPanda View Post
The day has already been and passed. OS X has vulnerabilities... and they get patched. It's unfortunate that this one is there yes, but there's probably more than just this one right now waiting to be found.

I will however be curious to see how long it takes them to fix this now that it's more widely talked about.
The big problem is that this vulnerability has been known about for a while. Apparently it's been known about for 6 months. Other companies have already patched it, but Apple hasn't done anything about it.
Old May 20, 2009, 03:52 PM   #15
sd2009
macrumors 6502
 
Join Date: May 2008
Quote:
Originally Posted by Undecided View Post
I tried this and nothing happens. I'm using Safari 4.0 beta 2 (build 5528.17). The java app never finishes loading - I just get "This is the applet" and the java logo continuously spinning where the app should appear, I guess. And there's no process called "say" running either. Both Java and Javascript are enabled. <shrug>
Well that's your problem since it runs just fine here.

Quote:
Originally Posted by fishmoose View Post
Yeah because Java exploits is something new...
Yeah man, java has been exploited before, so we're safe.

Last edited by SilentPanda : May 20, 2009 at 03:54 PM. Reason: post merge
Old May 20, 2009, 03:58 PM   #16
lukin
macrumors member
 
Join Date: Jul 2008
This reminds me of how I don't like the fact that Apple has to release Java on its own to begin with...
Old May 20, 2009, 03:59 PM   #17
Corrosive vinyl
macrumors 6502
 
Join Date: Sep 2006
wait wait wait... so those 8 or so java updates were for what?
__________________
"Technological progress is like an axe in the hands of a pathological criminal."
"Nationalism is an infantile disease. It is the measles of mankind. " -Einstein
Old May 20, 2009, 04:00 PM   #18
OrganMusic
macrumors regular
 
Join Date: Sep 2008
Location: Western IL
You'd think that given all the virus-free trash talk in Apple ads lately that it won't be long before someone writes a really good OSX or java virus. Which could turn into a bit of a PR problem...
__________________
Was a PC, now my house is carpeted with Apple products...
iMac / MBP / MM / Cube / IPT / iPod 5g / Would have iPhones if AT&T didn't suck.
Old May 20, 2009, 04:01 PM   #19
Westside guy
macrumors 68040
 
Westside guy's Avatar
 
Join Date: Oct 2003
Location: The soggy part of the Pacific NW
Hopefully this'll get patched soon, now that it's being widely acknowledged. But it did serve as a good reminder for me to turn off Java.

I think it's more important that Mac users learn to stop running as an admin by default! There's no good reason for doing that, since OS X makes it brainless (and transparent) to invoke an admin username/password when necessary. If you're not running as an admin, the worst an exploit like this could do is hose stuff in your own account. That's still very bad; but it's less likely to allow installation of something like a keylogger, trojan or spyware without your knowledge. Besides, you all have current backups don't you?
__________________
The fevered rantings found in this post are generated randomly. Any resemblance to coherent thought is completely coincidental.
Old May 20, 2009, 04:02 PM   #20
mac jones
macrumors 6502a
 
Join Date: Apr 2006
Why don't you just draw the hackers a diagram?
Old May 20, 2009, 04:03 PM   #21
SydneyDev
macrumors 6502
 
Join Date: Sep 2008
Location: Down under
The first thing I do when I install any browser is disable Java Applets. The thought of having such a powerful programming environment available to all and sundry is scary. Javascript itself is bad enough.

When you browse around the web these days, you are not just viewing this URL and viewing that URL, you are running this program and running that program. Hundreds of programs one after the other and you often know nothing about who wrote them. People are so careful about what they install, but then just browse any old where.
__________________
24" 2.93 iMac, iPhone 3G
Old May 20, 2009, 04:03 PM   #22
Prenvo
macrumors regular
 
Join Date: Jan 2009
Location: United Kingdom
Quote:
Originally Posted by itickings View Post
Never noticed anything missing on the web without it. At all.
The only Java I've ever used is on Facebook. Unless I'm not leaving the confines of my oak table enough these days, I can't think of a single other website which uses Java :\
Old May 20, 2009, 04:06 PM   #23
o0samotech0o
macrumors regular
 
Join Date: Sep 2008
Sounds sad, but I would do anything to keep the Mac community safe from Viruses. This shouldn't be the time that viruses come in mass for Macs.

If you're in Safari 4, go tell Apple about it. I clicked the bug button

They probably know, but oh well. Still do it
Old May 20, 2009, 04:07 PM   #24
dejo
macrumors Demi-God
 
dejo's Avatar
 
Join Date: Sep 2004
Location: On the roadside
Quote:
Originally Posted by OrganMusic View Post
You'd think that given all the virus-free trash talk in Apple ads lately that it won't be long before someone writes a really good OSX or java virus. Which could turn into a bit of a PR problem...
After 8 years of waiting, it's gonna happen any day now, right?
__________________
My iPhone Apps: a.k.a., CraigsHarvest, FlashBeat
Old May 20, 2009, 04:09 PM   #25
DELLsFan
macrumors 6502a
 
DELLsFan's Avatar
 
Join Date: Jan 2009
Location: New England, USA
Sounds like we'll be having at least one more update before Snow Leopard.

__________________
Dell Vostro A90 Aluminum iMac 7,1 iPhone 3G AEBS TV