Unpatched OS X Java Vulnerabilities Drawing Attention

[MacRumors]

Programmer and former Apple engineer Landon Fuller has released a proof-of-concept exploit demonstrating vulnerabilities in Apple's current implementation of Java that allow arbitrary code execution in Java-enabled Web browsers. While the vulnerabilities, first discovered last August, were disclosed and patched by Sun last December, Apple has yet to roll out a fix for its own implementation of Java.

CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable.

Unfortunately, these vulnerabilities remain in Apple's shipping JVMs, as well as Soylatte 1.0.3. As Soylatte does not provide browser plugins, the impact of the vulnerability is reduced. The recent release of OpenJDK6/Mac OS X is not affected by CVE-2008-5353.

With the recent release of OS X 10.5.7 failing to address the vulnerabilities, Fuller decided to create and release his proof-of-concept exploit in order to bring attention to the severity of the issue. The proof-of-concept exploit uses a browser-based Java applet to activate the Unix "say" command on the user's system and recite a statement regarding the exploit initiating an innocuous process.

The only recommended workaround at this time is to disable Java applets in all browsers and to disable the 'Open "safe" files after downloading' option in Safari. Disabling Java applets will cause some websites to behave incorrectly, but no other protection against exploits of the vulnerabilities is available until Apple releases a patch.

Article Link: Unpatched OS X Java Vulnerabilities Drawing Attention

 

[themoonisdown09]

I'm not really sure how to rate this news article.

I could rate Positive because Landon Fuller is really trying to bring the issue to everybody's attention. But then I could rate Negative because Apple still hasn't resolved this issue.

Hmm... decisions, decisions.

 

[frimple]

http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html

Go give it a try then

 

[itickings]

When I read this, I immediately went to Safari's preferences menu to disable Java, only to find that I'd already disabled it. I'most likely have had it disabled since right after I finished installing OS X, along with 'Open "safe" files after downloading' of course...

Never noticed anything missing on the web without it. At all.

 

[Bubba Satori]

Totally unacceptable and inexcusable.

 

[celtikmind]

So much for the always annoying Apple quarantine setting to be useful...

 

[amac4me]

Workaround is to disable Java in your browser

Here's the blog post from Intego:

The best way to protect against this exploit is to deactivate Java in your web browser. In Safari, choose Safari > Preferences, click the Security tab, and uncheck Enable Java if it is checked. It is safe to leave Enable JavaScript activated, since this vulnerability only affects Java applets.

If you use Firefox, this setting is found on the Content tab of the program’s preferences.

http://blog.intego.com/2009/05/20/intego-security-memo-java-vulnerability/

 

[sd2009]

Welp...it's been good, guys. but we all knew this day would come.

 

[voyagerd]

This isn't the first exploit that Apple eventually fixes.

 

[SilentPanda]

Welp...it's been good, guys. but we all knew this day would come.

The day has already been and passed. OS X has vulnerabilities... and they get patched. It's unfortunate that this one is there yes, but there's probably more than just this one right now waiting to be found.

I will however be curious to see how long it takes them to fix this now that it's more widely talked about.

 

[fishmoose]

Welp...it's been good, guys. but we all knew this day would come.

Yeah because Java exploits is something new...

 

[Undecided]

http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html

Go give it a try then

I tried this and nothing happens. I'm using Safari 4.0 beta 2 (build 5528.17). The java app never finishes loading - I just get "This is the applet" and the java logo continuously spinning where the app should appear, I guess. And there's no process called "say" running either. Both Java and Javascript are enabled. <shrug>

 

[ghostface147]

For all the good that Apple does, they still can't touch Microsoft's reliability when it comes to fixing vulnerabilities in a timely fashion. Sure there have been times that MS failed to deliver a patch for a very long time, but that seems to be in the past now. We know every month we are getting updates in one form or another for Windows, and yet we just hope that we get an update from Apple in some random timeframe that only they know about. They've been working on 10.5.7 for a few months before they released it and didn't bother fixing Java? What is that? Windows is a security nightmare for many, but at least MS makes an attempt to patch as quick as possible. I know I can disable Java and will probably not miss it, but that's not the point here.

 

[roger6106]

The day has already been and passed. OS X has vulnerabilities... and they get patched. It's unfortunate that this one is there yes, but there's probably more than just this one right now waiting to be found.

I will however be curious to see how long it takes them to fix this now that it's more widely talked about.

The big problem is that this vulnerability has been known about for a while. Apparently it's been known about for 6 months. Other companies have already patched it, but Apple hasn't done anything about it.

 

[sd2009]

I tried this and nothing happens. I'm using Safari 4.0 beta 2 (build 5528.17). The java app never finishes loading - I just get "This is the applet" and the java logo continuously spinning where the app should appear, I guess. And there's no process called "say" running either. Both Java and Javascript are enabled. <shrug>

Well that's your problem since it runs just fine here.

Yeah because Java exploits is something new...

Yeah man, java has been exploited before, so we're safe.

 

[lukin]

This reminds me of how I don't like the fact that Apple has to release java on it's own to begin with...

 

[Corrosive vinyl]

wait wait wait... so those 8 or so java updates were for what?

 

[OrganMusic]

You'd think that given all the virus-free trash talk in Apple ads lately that it won't be long before someone writes a really good OSX or java virus. Which could turn into a bit of a PR problem...

 

[Westside guy]

Hopefully this'll get patched soon, now that it's being widely acknowledged. But it did serve as a good reminder for me to turn off Java.

I think it's more important that Mac users learn to stop running as an admin by default! There's no good reason for doing that, since OS X makes it brainless (and transparent) to invoke an admin username/password when necessary. If you're not running as an admin, the worst an exploit like this could do is hose stuff in your own account. That's still very bad; but it's less likely to allow installation of something like a keylogger, trojan or spyware without your knowledge. Besides, you all have current backups don't you?

 

[mac jones]

Why don't you just draw the hackers a diagram?

 

[SydneyDev]

The first thing I do when I install any browser is disable Java Applets. The thought of having such a powerful programming environment available to all and sundry is scary. Javascript itself is bad enough.

When you browse around the web these days, you are not just viewing this URL and viewing that URL, you are running this program and running that program. Hundreds of programs one after the other and you often know nothing about who wrote them. People are so careful about what they install, but then just browse any old where.

 

[Prenvo]

Never noticed anything missing on the web without it. At all.

The only Java I've ever used is on Facebook. Unless I'm not leaving the confines of my oak table enough these days, I can't think of a single other website which uses Java :\

 

[o0samotech0o]

Sounds sad, but I would do anything to keep the Mac community safe from Viruses. This shouldn't be the time that viruses come in mass for Macs.

If your in Safari 4, go tell Apple about it. I clicked the bug button

They probably know, but oh well. Still do it

 

[dejo]

You'd think that given all the virus-free trash talk in Apple ads lately that it won't be long before someone writes a really good OSX or java virus. Which could turn into a bit of a PR problem...

After 8 years of waiting, it's gonna happen any day now, right?

 

[DELLsFan]

Sounds like we'll be having at least one more update before Snow Leopard.