Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Unpatched OS X Java Vulnerabilities Drawing Attention
- Thread starter MacRumors
- Start date
- Sort by reaction score
No, the exploit can run any application that you have the rights to.
Including for example, the terminal command 'rm -rf ~' which will happily delete your entire home folder.
Without warning.
Turn Java off until this is fixed, unless you want to run the risk of a random Mac-hater putting this exploit on their site for ***** and giggles.
Okay, I'm not very Java savvy, but in Safari preferences I unchecked Enable Java but left the Enable JavaScript box checked.
This okay until Apple supplies a security fix?
Thanks!
This okay until Apple supplies a security fix?
Thanks!
Alternative Workaround
Disclosure: I work in IT for a big networking equipment company - so big all of you will get it in one guess probably...
FYI Did you know that due to parsing vulnerabilities on input even sites you trust can have embedded JavaScript in them occasionally if they allow comments/posts from users - it comes down to how good your programmers are at the website. So you don't even need to go to a nefarious website, hackers can occasionally get to you from a good website too... That makes vulnerabilities like this all the more scary!!!!
Workaround: Not "endorsed" by my company because we don't have browser favoritism, but I know lots of engineers who use it:
Install Firefox (www.getfirefox.com), add plugin called noscript.
Any scripts which run on any site explicitly require your permission to run from that point on - this is the safest way to browse. You can see what scripts are being attempted and where they are from - to prove it, I tested this in Safari (vulnerable) and Firefox with this enabled - that killed this script outright in it's tracks.
Take this website for example, it has scripts from:
google-analytics.com
quantserve.com
doubleclick.net
google.com
macrumors.com
And noscript allows me to select which ones I want to run.
Disclosure: I work in IT for a big networking equipment company - so big all of you will get it in one guess probably...
FYI Did you know that due to parsing vulnerabilities on input even sites you trust can have embedded JavaScript in them occasionally if they allow comments/posts from users - it comes down to how good your programmers are at the website. So you don't even need to go to a nefarious website, hackers can occasionally get to you from a good website too... That makes vulnerabilities like this all the more scary!!!!
Workaround: Not "endorsed" by my company because we don't have browser favoritism, but I know lots of engineers who use it:
Install Firefox (www.getfirefox.com), add plugin called noscript.
Any scripts which run on any site explicitly require your permission to run from that point on - this is the safest way to browse. You can see what scripts are being attempted and where they are from - to prove it, I tested this in Safari (vulnerable) and Firefox with this enabled - that killed this script outright in it's tracks.
Take this website for example, it has scripts from:
google-analytics.com
quantserve.com
doubleclick.net
google.com
macrumors.com
And noscript allows me to select which ones I want to run.
Disclosure: I work in IT for a big networking equipment company - so big all of you will get it in one guess probably...
FYI Did you know that due to parsing vulnerabilities on input even sites you trust can have embedded JavaScript in them occasionally if they allow comments/posts from users - it comes down to how good your programmers are at the website. So you don't even need to go to a nefarious website, hackers can occasionally get to you from a good website too... That makes vulnerabilities like this all the more scary!!!!
Workaround: Not "endorsed" by my company because we don't have browser favoritism, but I know lots of engineers who use it:
Install Firefox (www.getfirefox.com), add plugin called noscript.
Any scripts which run on any site explicitly require your permission to run from that point on - this is the safest way to browse. You can see what scripts are being attempted and where they are from - to prove it, I tested this in Safari (vulnerable) and Firefox with this enabled - that killed this script outright in it's tracks.
Take this website for example, it has scripts from:
google-analytics.com
quantserve.com
doubleclick.net
google.com
macrumors.com
And noscript allows me to select which ones I want to run.
So, what you are saying is this vulnerability is not only related to Java but JavaScript as well? Contrary to what others said? Anyone else now completely confused?
Who cares? Well, all OS X users should care since java applets can run on any page and with this exploit they will be able to run any command on your computer without you having to accept anything.
But hey, continue being ignorant and in denial.
Well I have the same setup as you do and I can assure you that it DOES work. Is some something like I am now executing and innocuous user process ...
It's a shame that Apple insists on providing their own JVM yet they fail to patch it on time. Plus now that Java is open source I would really like to know what gives Apple? And yes there are quite a few mac users who use Java programs on a daily basis ( me being one ).
Don't forget about "sudo rm -rf /". Some people really are dumb enough that they'll put in their password if a random dialog box appears, even though it'll wipe out their ENTIRE FILE SYSTEM.
It's not related to this Java bug at all. I'm not sure if he doesn't know what he's talking about or if he's just trying to scare people. He's saying that comments on sites may contain malicious javascript by users (this is unlikely except on extremely poorly-coded sites, since preventing users to embed javascript and other "harmful" code is one of the most basic things when dealing with user input).
And besides, the worst some malicious javascript will really ever do is hijack your session or something, and even this is extremely unlikely. Javascript cannot harm your computer.
roscob's post was completely irrelevant and his post sounds like he just found out that javascript exploits were possible and wanted to tell everybody that he worked at a BIG NETWORKING COMPANY!
You may work for a big networking company, but you don't seem to know the difference between Java and Javascript.
Javascript has nothing (nada, nil, big fat round zero) to do with Java. This vulnerability is a Java issue.
...and although it's shameful that Apple has left an exploit unpatched for over six months (especially a remotely exploitable one that has a published fix available), Microsoft are not necessarily better. Yes, they bring out patches every month like clockwork, but some issues lie around for years.
Sometimes I think the only people who take security seriously are the open source people, like the BSD folk.
Sun wants to update Java for OSX, but they aren't allowed to because of a contract they signed with apple, who insists on making it themselves. This is apple's fault, not sun's, and it's the reason why apple is always behind schedule in Java updates.
It has always been major. A lot of factors go into determining the severity of a defect, but customer awareness is not one of them. Customer awareness does affect the priority. Plus, in any QA department that gives a flying hoot about security, a remote exploit is automatically considered of critical severity. Priority is still an open question, but six months is a bit long.
Sorry, the QA professional in me couldn't let that go.
It only matters to a content site that requires Java or part of your job where most likely you have an Intranet.
Otherwise, disable it in Safari until the update arrives.
Most people don't read macrumors, and most people have java enabled by default, that's what matters.
Bingo. The real reason that Java sucks so much ass on Mac OS is that Apple and Sun have a little feud going on, with 'hurt feelings' and pissiness on both sides. Apple could really learn from MS on this one: Microsoft gave up trying to make/bundle their own crappy JVM with Windows NT a long, long time ago. They just let Sun take over making the only JVM for Windows...and why not? Sun developed the language itself, logic would dictate that they know what to do with it. Apple needs to learn to let certain things go. Remember the little bitch-fest that Jobs had with ATi? We might all be running ATi cards (which historically have had better driver support on Mac OS than any NVIDIA option) today if it weren't for that feud.
Edit: So, do we know what happened to that ethereal Java 4 update that popped up for 1-2 people? There is no trace of it ever having existed out there. I installed the Beta version (called the JRE 1.5 r4 Dev Build) from Apple's dev website, might this address it?
Ok.
Chances of it actualy affecting anyone in the wild: slim to zero.
Even after nearly 9 years and with 35-40 million users, OS X still isn't a target. That's insane. And also true. And by the time this exploit would actually mean anything to anyone, Apple's already patched it.
That's the beauty about being an OS X user. Even when there's a hole, chances are you'll never fall into it. The only time Apple should really be concerned is when Windows ceases to exist. Gotta love the premium status and premium pricing of Apple products. It puts a healthy cap on its market, limiting the user base to a degree. Smart. Very smart. We'll always be much, much fewer than Windows users.
No, this one is real. I could upload a modified version of the applet to my web page, and any Mac user who visits will have their home directory wiped out (unless they've disabled Java). If they're running as an admin, then it would be possible to wipe the entire disk, or to install arbitrary software.
I won't do this, because I'm not a jerk. But it took me about 10 minutes to get from the proof-of-concept applet to a malicious one, and I'm sure I'm not the only one. I'd be surprised if there aren't already malicious versions of this in the wild. All you need to do is get someone to click on a link, and they're screwed.
The vulnerability existed on all platforms; Windows, OS X, Linux, and FreeBSD. The only thing that makes this situation unique in regards to security (or lackthereof) is that everyone else has patched their OS, while Apple has not.
whatever they are they are annoying as f*ck and are "infections" nonetheless.
I really don't care what you call it I just don't want to be infected, period.