Don't install suspect software from torrents and you don't have anything to worry about. :D
The whole point of this Java exploit is that it doesn't require you to directly download or install anything. It can be implemented via the browser and you don't need to be looking at nefarious things at all. For example, someone could implement the exploit into the Java code for an online graphing calculator applet. It isn't unreasonable for someone to Google for a graphing calculator, and when the applet loads up you can be compromised. The applet may even be a fully functional graphing calculator, so you could never tell what else it is doing. You don't need to be doing shady activities or downloading pirated software to be affected by some vulnerabilities.
 
For all the good that Apple does, they still can't touch Microsoft's reliability when it comes to fixing vulnerabilities in a timely fashion. Sure, there have been times that MS failed to deliver a patch for a very long time, but that seems to be in the past now. We know every month we are getting updates in one form or another for Windows, and yet we just hope that we get an update from Apple in some random timeframe that only they know about. They'd been working on 10.5.7 for a few months before they released it and didn't bother fixing Java? What is that? Windows is a security nightmare for many, but at least MS makes an attempt to patch as quickly as possible. I know I can disable Java and will probably not miss it, but that's not the point here.

So you are comparing the few bullet holes on a Mac to the Swiss cheese of Windows? Why would Apple jump at this issue? Plus, really, who uses Java daily (or at all)? I was using one Java app for a web-based FTP client. I recently downloaded Cyberduck to do the same thing. Alternatives are available in most cases. Java allows too much remote access to the system, with or without vulnerabilities. I think this vulnerability just further demonstrates that fact.
 
Microsoft, pounce on this!!!!!!

I seriously don't understand why Microsoft doesn't use a rare Mac security patch requirement to prove to the world that the Mac isn't all that perfect. It has flaws. Yes, yes, a HELL of a lot less than Microsoft, but you don't want the world going on believing that Mac = 100% secure always and Windows = security flaw-riddled all of the time, like the smug, sanctimonious, hypocritical, pretentious, elitist, well-worn ads would have you believe. At least saying, "3%" (for example) vulnerability knocks them off their high horse and makes them say: "Well, yeah, but 3% is better than 67%!"

Microsoft's making it TOO easy for Apple. Those I-can-buy-a-powerhorse-for-under-$600 ads don't help; ridiculous comparison!
 
Well, yes, there is a difference; tell your friends.
Nearly every other day I get a ZDNet email (or MS-NZD as I call 'em) of some new problem in Windows or IE.

Microsoft has 5 bug/security exploits discovered each day;
sometimes they have to PATCH a PATCH! I mean, CAN YOU BELIEVE THAT!?

Apple has what? 5 per year


Many Windows bugs make the system unstable, or can bring business to its knees, costing millions of dollars in downtime, as we have seen.

And Windows, via IE, seems to be connected to their own exclusive 'streaming virus channel'

I've only heard of one or two "on the loose" Mac bugs in the past 20 years,
and they did little if anything at all.
The rest have always been proof of concept, i.e. theoretical.

Do they hire complete idiots at MS? Never mind, I'm an idiot to even ask the obvious. I'll bet they get their help from groups waiting under freeway underpasses, around oil drum fires to keep warm.

"Yo! Yeah, you! Operate a calculator? Good, get in!" (to the about-town recruit bus, straight to developing programming and code writing at $20/hr)

And has anyone actually hacked into a Mac under normal conditions?
Not set up JUST RIGHT to guarantee success like the dolts at PWN2OWN did.
I seem to remember a $10,000 prize to anyone who did it under normal conditions, still unclaimed at some university... think of the interest!
Not from behind the firewall, fergawdsakes.

Actually, what they probably did was sit down at a machine that had not been logged out and BINGO! They "hacked" into it.


If I bought a car that had to go back to the dealer for constant fixing,
I'd soon drive the damn thing through their showroom window and hand them the keys.

Windows users seem to relish PAYING to be continually screwed up the ying-yang by MS, and Gates won't even bring the KY! It's YOUR worry;
and like abused wives, they defend their sore butts as "therapeutic" and then diss Apple while they have to sit on a water cushion, or take a sitz bath and a dose of Metamucil.

How's that for 'American know-how'?
 
Disclaimer: I used to be a Java guy (wrote my fair share of Swing GUIs).

The first thing I do with any browser: disable applets.
Just try living without Java in your browser for a week; you will see that the web works much better. Only a select few sites have legitimate Java use; thank the Dude we're not seeing this stupid 'image droplets' applet as often as in 2005.

If you really need Java for a site, set an exception rule based on this site and this site only.

Java should really remain on the server side of things, where it can really shine, not on your desktop, where all it manages to do is sour the experience for its user.

Cheers,
Palad1
 
I seriously don't understand why Microsoft doesn't use a rare Mac security patch requirement to prove to the world that the Mac isn't all that perfect. It has flaws. Yes, yes, a HELL of a lot less than Microsoft, but you don't want the world going on believing that Mac = 100% secure always and Windows = security flaw-riddled all of the time, like the smug, sanctimonious, hypocritical, pretentious, elitist, well-worn ads would have you believe. At least saying, "3%" (for example) vulnerability knocks them off their high horse and makes them say: "Well, yeah, but 3% is better than 67%!"

Microsoft's making it TOO easy for Apple. Those I-can-buy-a-powerhorse-for-under-$600 ads don't help; ridiculous comparison!

It's been nearly 9 YEARS.

That's uninterrupted, worry-free, virus-free internet surfing since March 2001. And all we have are a couple of trojans. The vulnerabilities are there, but they either aren't being exploited at all, aren't being exploited correctly, or Apple keeps patching them before something happens.

OS X is either more secure than Windows or it's much safer. Whichever the case, it sounds like a pretty sweet deal to me. And in light of the way Apple prices Macs, that is, in light of what it costs to get into a Mac and OS X, the user base will remain characteristic of a premium-priced product, if you want to push the security via obscurity argument. Small enough to not attract attention, but big enough to make waves. I don't see Apple ever getting anywhere near MS' market share in our lifetime. So Windows will always be the main target.

35-40 million Mac users out there and still nothing.

But don't be so impressed with Microsoft. They're in this mess because of their own negligence.

Malware dominates Windows because Windows is poorly written non-sandboxed code with automated systems that run purely for Microsoft's pleasure. An OS that constantly writes to itself even when all you do is change your home page. They created a monster but we are supposed to pretend that it's not their fault, that they are a victim of their own success? Nonsense. If Microsoft spent as much time fixing their systems as they do trying to force users into their proprietary formats and systems (what's their latest WMA based failure?), the level of threats on Windows would be nowhere near what it is now. And people say the Mac OS X malware tide is just around the corner, anyday now, just you wait. More nonsense. Security "experts" and Microsoft flunkies have been saying that for the last 7+ years. What did we get? A couple of trojans. That's it.

At the very *least* there are over 150,000 malware/virus/trojan threats that affect Windows, only Windows and nothing but Windows. If this is a result of market share, then that numerology goes both ways. Using the ridiculously conservative number of 150,000 threats, the market share numerology suggests that an OS with a 5% share could have up to 7500 threats. 7500! Go global and a 2% share could net you 3000.

What's the *reality*? There are no Mac OS X viruses in the wild, no notable malware, and a couple of trojans that the user has to install themselves, and which are incapable of transmitting themselves to other Macs.

I'm sure there is some pundit somewhere trying to furiously calculate the minimum safe market share for attention from virus attacks, but once they arrive at it, they'll just have to revise it upward at regular intervals.

Sounds pretty damned perfect to me . . . for now. But that's what we said four years ago. Looks like we'll go for another four. Hell, why not.
 
The fact remains that everybody has patched it except for Apple. If Apple really cares about security, and if there are so few vulnerabilities as everybody here seems to claim, then they should be able to patch them faster than anyone else, not slower.
 
The old ****** Win-Mac debate...

...all you guys talking this stuff down, hey, get a grip. Do you still have Java enabled? Just asking...

The sheer amount of Windows malware has a very simple explanation: there is barely any interesting corporate network utilizing Macs. Therefore there is no need to write something to spy there.

It's not a matter of installed user base. It's a matter of the target group. To understand this argument, go and Google something like "BlackBerry malware". Yes, they are out in the wild, and no, I don't think RIM is run by morons.

To bring that to another point: *if*, and that is a real big *if*, Apple ever really gets a hold in the enterprise market with either the iPhone or Mac OS X, the amount of malware will explode.

So get off your high horse and remember:
Do you really know your system is clean?

I honestly don't know, as I'm not into digging out packages and don't have a clue about Unix. I think I wouldn't even realize if a Java applet copied, moved or erased specified files on my disk.
 
Totally unacceptable and inexcusable. :mad:

Agreed.

This isn't the first exploit that Apple eventually fixes.

True, but given that Apple has built OS X's reputation on not being the MS Swiss cheese of security, it is paramount to their business plan to be a lot more responsive than they have been. This isn't an isolated incident, but merely the latest example.



That's not surprising. Microsoft has had a lot more practice with fixing vulnerabilities. You tend to get really good at things that you have to do on a daily basis. :D

True, but for Apple, allowing any exploit to languish jeopardizes their business plan.

Most people don't read macrumors, and most people have java enabled by default, that's what matters.

Exactly, and an interim security patch should have been issued 6+ months ago that made the default setting for Java to be disabled.


The fact remains that everybody has patched it except for Apple. If Apple really cares about security, and if there are so few vulnerabilities as everybody here seems to claim, then they should be able to patch them faster than anyone else, not slower.

Particularly since their business plan relies on product differentiation based on having better security.

Bottom line summary:

Allowing any exploit to languish jeopardizes Apple's business plan.
Allowing any exploit to languish hurts Apple's consumers.

-hh
 
This needs to be patched, obviously. It's inexcusable to have a known unpatched vulnerability this long.

That being said, I haven't run FF or Safari with Java enabled for quite a long time, and really haven't missed it. I feel it's more secure to do things that way regardless of what known vulnerabilities are out there.

Then again I run NoScript on all my machines as well, so maybe I'm a little paranoid. :D
 
Apple's problem isn't necessarily whether there are vulnerabilities in OS X or how quickly they fix vulnerabilities; it's how they communicate about them.

While it's true that experience may have forced Microsoft's hand to respond, Microsoft does have a good system for dealing with vulnerabilities. The second Tuesday of every month they release a round of security updates, and the week before they announce what vulnerabilities are being fixed so that people can plan ahead. They of course release updates sooner if the vulnerability is critical. And if a vulnerability doesn't have an immediate fix, they often provide a temporary workaround until a patch is released and don't necessarily try to hide or ignore it. This is in contrast to Apple's arbitrary time length between security updates and the fact that they are released with no warning.

Apple's current procedure may be sufficient now, since OS X vulnerabilities are not widely exploited so there is less danger, but if Apple is going to make Microsoft the poster child for software vulnerabilities, then Apple should at least learn from Microsoft's experience. A more timely, regular, and well-communicated security update strategy can only be a good thing regardless of how secure OS X is.

Beautiful post, Commander. I couldn't have said this any better.

/salute

:apple:
 
I'm not really sure how to rate this news article.

I could rate Positive because Landon Fuller is really trying to bring the issue to everybody's attention. But then I could rate Negative because Apple still hasn't resolved this issue.

Hmm... decisions, decisions.

Right on.... I could rate Positive because the MR article tells me what I should do in order to avoid this vulnerability. But then, I could rate Negative because MR didn't tell me how to disable Java.
 
If Apple has such a problem with Java, they should release it to Sun for them to develop properly, instead of deliberately crippling it like this. Every time Java needs updating, they are always months behind.
 
For those of you who use ARD and want to turn off Safari's Java on your users' Macs, use this as the current user on the target machine:

defaults write com.apple.Safari WebKitJavaEnabled -boolean no
 
I wish I could say I was shocked at the defense of Apple against this exploit in this thread, but I can't.

I don't think you people understand how serious this really is.

Any website you go to can now easily gain access to your computer. You don't need to download anything, you don't need to enter your password, you don't need to click anything.

Somebody in this thread has proved already how easy it is to change this exploit to DELETE FILES (or run any other command). That's just the beginning. Anybody saying it's not a big deal needs a reality check. JAVA IS ENABLED BY DEFAULT IN SAFARI ON OS X and ANY WEBSITE CAN NOW EXPLOIT THIS *EASILY* and gain the same level of privileges on your computer that you have.

People are likely writing malicious code to exploit this right now. Any page you go to could delete all of your personal files, or WORSE. If you haven't already done so: DISABLE JAVA and tell every Mac user you know to disable Java.
 
holy grail

I agree that OS X is a harder target for malware than Windows, because OS X is a better OS.

But I am of the opinion that malware is so prevalent not because Windows is an easier target, but because it's a much-much bigger target (still).

If I'm a l33t h4x0r out to harm folks, and have to choose between OSes to target, then I'll choose the most used one.

Seriously, wouldn't it be the holy grail to know that you wrote the code to take down the Mac world and everyone who says they aren't vulnerable?

Think about it... everyone acts like, oh, they only go after Winblows because everyone uses it. It's like a 10-year-old acting like they don't like chocolate because you won't give it to them.
 
Three Things

a) The vulnerability is still NOT FIXED. I have no updates showing in the Software Updates application and I have 10.5.7 installed; the exploit on Landon's website still works.

b) I saw some posts discrediting Landon Fuller, who merely "revived the discussion" on this 6-month-old vulnerability. He is doing the right thing to stir up discussion and alert Apple to their incompetence; the only people who see benefit in him not reviving this are the ones making the same mistake Apple keeps making: security through obscurity.

c) There was some Microsoft bashing as expected, but people, please keep in mind that next to the Open Source folks they handle security damn well. They have to if they are to stay afloat. It is the very basis of their business model. And 90+% market share only makes things worse (60% in servers). The cost of laxity on the security front for Microsoft and its customers is far too much.

To that end, Microsoft has a lot more experience, tooling, mindset and manpower to successfully stay on top of security. Check this URL out for some great details.

I don't want to defend Microsoft [I am an OSS proponent], but they should be credited for responding in their best capacity to the enormous security threat. If you subjected Apple to the same threat they would be in deep trouble, and they will do themselves a great favor by stepping up their security efforts real soon now.
 