No one uses Java, why waste time fixing something you don't use.
Not true. Back in the early days of OSX Apple used to actively sell the tight integration of the OS with Java. Used to be you could write near-native mac apps in Java--and if you were decent at abstracting you could really fulfill the write-once, run anywhere concept that makes Java attractive to begin with.

As a sometimes Java developer the fact that Jobs is purposely train-wrecking Java on OS X is almost enough to stop me from buying Apple products. And don't even get me started on the extremely stupid binning of QT4J that Apple has been quietly doing for the past five years (or so).

Circling back to the topic though, it is completely negligent that Apple has left this dangling for so long. It is criminal the way Apple treats Java. If I were a paranoid person I'd begin to think that Apple is waiting for an exploit so they have grist for the "Java is unsafe, we need to make a clean break" campaign Steve has filed away. But I'm not. So I just chalk this up to malcompetence.
 
If I were a paranoid person I'd begin to think that Apple is waiting for an exploit so they have grist for the "Java is unsafe, we need to make a clean break" campaign Steve has filed away.

That's a very interesting point. I think it merits some further discussion. Apple is, after all, known for its disdain of certain technologies, then waits patiently until the rest of the industry takes note and follows suit or at least acknowledges the wisdom (used loosely) of Apple's position. It's a bit of a muddy issue, but it provides some food for thought.
 
I clicked on that link and the voice read out to me that it had run some process. I am running as a Non-Admin but at the time I had Java turned on.

Am I at risk?
 
Apple really ought to get off their arses on this. They've had plenty of time to patch this, but since the problem is not related to the iPhone I guess it has a low priority.
 
I'm sure they'll get to it. It isn't exactly a catastrophe, and apparently, it isn't like someone will actually be affected by this in the wild. They certainly can, but the chances are slim to zero. Every year we get one vulnerability or another and nothing serious ever comes of it. There's really nothing to protect against at this point.

It gives rise to complacency, but those who want to make waves have had years and years to do it. Why is it taking so long? I mean, the first two years, I understand. It's still new, right? But by year 5 or 6, by say, 2007 - at least when Apple was well entrenched in Intel architecture, one would finally think that the so-called big tide of malware would finally come crashing down. Where is it?

You'd think someone would have written an effective virus for OS X by now and we would have seen it spreading in the wild. I mean, they've had nearly nine years to do it. 35-40 million Mac users by now. Not one person, not a one, has done it. What's the holdup, already??? Don't tell me no one has cared enough to do it. I mean, spare time, weekends, a pet project. Something! And OS X is an allegedly easy target. Or is it?

Either OS X is a difficult nut to crack or people have simply blanked out when it comes to OS X viruses. It's a strange situation, really. It makes no sense. At least let's get ONE out there.

Think about it. Give it a few more months and we're in 2010. OS X was released in March 2001. From March 2001 up to now, we've had virus free, firewall-free, unhindered surfing. No malware, no viruses, nothing. And we enjoy the same internet as everyone else. That in itself is amazing. But we're talking millions upon millions of OS X Macs. The whole OS X platform has been white-hot in popularity for years now. A Mac has been on plenty of wishlists. Amazon's top 10. Record sales, etc. By all rights there should be a thousand or so viruses in the wild by now. But not even a 100. Not even 10 or 5. Just a couple of Trojans that don't really go anywhere. So a couple of little Trojans in nearly nine years. Do we need to wait another nine for two more? LOL, what is going on here??
 
Long post........PRAISE APPLE PRAISE APPLE!

Yawn. I don't think you understand. I could edit the java example in less than 10 minutes and put it on my site, and by just viewing my site you would lose everything in your home folder. Or I could do absolutely anything else. Probably not delete system files, but hey, that should be the least of your worries. I would have the same access to your computer that you yourself have right now.
I could read all your files and documents and whatever else you have. It would be EASY, and you wouldn't need to accept or click on anything.
You can't just have the attitude that OS X is completely safe and continue parroting marketing crap from Apple because if you do then one day it is going to bite you in the ass.
The fact is, this is a MAJOR security risk and Apple ignored it for MONTHS, while this has been patched on Windows for MONTHS.
The chances are not slim to zero. Like I said, anybody with even the smallest knowledge of java could exploit this very easily and very quickly.
This COULD very easily be a catastrophe and this apologist "Oh I'm sure they'll get to it, no big deal" BS is ridiculous. Please listen to yourself because your post is pathetic and embarrassing to other Mac users.
 
Yawn. I don't think you understand. I could edit the java example in less than 10 minutes and put it on my site, and by just viewing my site you would lose everything in your home folder. Or I could do absolutely anything else. Probably not delete system files, but hey, that should be the last of your worries. I could read all your files and documents and whatever else you have. It would be EASY, and you wouldn't need to accept or click on anything. You can't just have the attitude that OS X is completely safe and continue parroting marketing crap from Apple because if you do then one day it is going to bite you in the ass.
The fact is, this is a MAJOR security risk and Apple ignored it for MONTHS, while this has been patched on Windows for MONTHS.
The chances are not slim to zero. Like I said, anybody with even the smallest knowledge of java could exploit this very easily and very quickly.
This COULD very easily be a catastrophe and this apologist "Oh I'm sure they'll get to it, no big deal" BS is ridiculous. Please listen to yourself.

I don't doubt that YOU could do some serious damage. But do you think your little modification will appear in the wild and wreak havoc? Apparently no one will care to exploit it to that degree. Maybe get some coding buddies together to do it? Take a weekend, order pizza. Spread the word, etc. Start something to shut me up, and others like me. Let's see how you do. People have only had, oh, nearly 9 YEARS to do it. You seem to be sitting on quite a goldmine there. Care to do something about it? If it's that easy, then hell, it's your claim to fame. Can't guarantee your legal safety, but I'm sure there are any number of creative ways you could cover your ass.

I've been waiting for years for something to "bite me in the ass." Would you please make it happen not just for me, but for all of us?

It's perfectly valid to wonder why ONE, at least ONE hasn't happened yet. I understand OS X isn't really on corporate networks, and I'm familiar with the whole low market share argument (even though we're easily in the tens of millions, and have been for a couple of years now), but by all rights, there should at least, at the very least, be a few hundred by now. It's perfectly reasonable to wonder why it just isn't happening, and why it's probably not going to happen tomorrow or the day after. But you ignored this entire question.

Yeah, and I'll continue parroting "marketing crap." Because with each month that passes, and with every virus writer or coder out there NOT DOING ANYTHING about OS X (or perhaps unable to), that "marketing crap" is proven true. Each and every time. Yeah, that big tide of malware is just around the corner, right? Anytime now . . . LOL.

So will you be parroting this same doom-and-gloom crap three years from now, too, if nothing happens? Will you be around in five years to do it again? At what point do you begin to sound insane? I think 8 or so years is a pretty good number. But maybe it takes 11. At some point we'll hit the lifespan of OS X as we understand it today - and it's certainly probable that it will still be virus-free. What'll people like you say then?

Where's the beef, Nostradamus??

(As for your creative quoting of my post . . . PRAISE APPLE, etc . . . you're damned right I do. Every time I turn on my Macbook Pro, rest assured, I praise Apple for the computing experience I'm about to have. Virus free, worry free (for YEARS now), running the Gold Standard of operating systems on some nice hardware. Seems pretty good to me. Those who have been running OS X since 2001 must be laughing themselves silly by now, having gotten away with murder in this virus-infested Windows world. Love it!!)
 
I don't doubt that YOU could do some serious damage. But do you think your little modification will appear in the wild and wreak havoc? Apparently no one will care to exploit it to that degree. Maybe get some coding buddies together to do it? Take a weekend, order pizza. Spread the word, etc. Start something to shut me up, and others like me.

I'm not going to unleash malware on the world just to prove you wrong, but I've already modified (and tested on my machine) Fuller's applet so that it can delete arbitrary files. This took me less than 10 minutes, and could be done by anyone with a decompiler and a basic understanding of Java. This applet could wipe out your home directory (and your Time Machine backups!), or upload all of your data (pictures, browsing history, private documents, etc.) to the web. If you're running as an admin, then it's probably possible to do even more damage. If you don't understand the implications of this, then you're either stupid or ignorant.
 
If you're running as an admin, then it's probably possible to do even more damage. If you don't understand the implications of this, then you're either stupid or ignorant.

I'll understand the implications when it hits the wild full force. Until then I'll happily be using my Mac not caring, as I have been since owning a Mac (quite a while now.)

Enjoy your new toy malware, thanks for the show and tell session (yet another one that will remain a basement lab test.)

If the day ever comes when OS X will be a Windows-like experience when it comes to malware, I'll happily come back and tell everyone how right you were and how clever you are. Until then you're kinda SOL.
 
I'll understand the implications when it hits the wild full force. Until then I'll happily be using my Mac not caring, as I have been since owning a Mac (quite a while now.)

Enjoy your new toy malware, thanks for the show and tell session (yet another one that will remain a basement lab test.)

If the day ever comes when OS X will be a Windows-like experience when it comes to malware, I'll happily come back and tell everyone how right you were and how clever you are. Until then you're kinda SOL.

Sigh, and I used to wonder why people thought Mac users were so ignorant.
 
I'll understand the implications when it hits the wild full force. Until then I'll happily be using my Mac not caring, as I have been since owning a Mac (quite a while now.)

Enjoy your new toy malware, thanks for the show and tell session (yet another one that will remain a basement lab test.)

If the day ever comes when OS X will be a Windows-like experience when it comes to malware, I'll happily come back and tell everyone how right you were and how clever you are. Until then you're kinda SOL.

Guess that answers the question about stupid or ignorant...
I guess he leaves the door to his house unlocked and keys in the car. Hasn't seen anyone try to open the door or drive away. Must not happen.
 
Sigh, and I used to wonder why people thought Mac users were so ignorant.

Ignorant of what? What doesn't exist?

It's been nearly nine years of worry-free surfing. Mac users have chosen the safest, most reliable platform. Others have chosen Windows KNOWING it's exactly the opposite and KNOWING that it'll take extra work and time to maintain it. Because it (unlike OS X) actually needs maintenance. NOW who is ignorant?

Call me all the names you like. At the end of the day, chances are, I'll be surfing worry free tomorrow, and the day after that, and the day after that.

By the way, you still haven't answered my question about WHY, after nearly 9 years and all the time and opportunity in the world, with tens of millions of Mac users, has there been nothing in the wild save a couple of little trojans? Why is it that we don't have (based on that old market share argument) at least say, a few hundred viruses? Why not even 20? Or 10? Using the ridiculously conservative number of 150,000 threats for Windows and ONLY Windows, the market share numerology suggests that an OS with a 5% share could have up to 7500 threats. 7500! Go global and a 2% share could net you 3000. There had to have been at least ONE enterprising individual out there over the course of almost a decade! You can take the whole "But OS X doesn't run on corporate networks" argument into consideration as well. That still leaves us with plenty of opportunity to have achieved something in the double digits at least, which is a very conservative estimate.

Any explanation?
 
Ignorant of what? What doesn't exist?

It's been nearly nine years of worry-free surfing. Mac users have chosen the safest, most reliable platform. Others have chosen Windows KNOWING it's exactly the opposite and KNOWING that it'll take extra work and time to maintain it. Because it (unlike OS X) actually needs maintenance. NOW who is ignorant?

Call me all the names you like. At the end of the day, chances are, I'll be surfing worry free tomorrow, and the day after that, and the day after that.

By the way, you still haven't answered my question about WHY, after nearly 9 years and all the time and opportunity in the world, with tens of millions of Mac users, has there been nothing in the wild save a couple of little trojans? Why is it that we don't have (based on that old market share argument) at least say, a few hundred viruses? Why not even 20? Or 10? Using the ridiculously conservative number of 150,000 threats for Windows and ONLY Windows, the market share numerology suggests that an OS with a 5% share could have up to 7500 threats. 7500! Go global and a 2% share could net you 3000. There had to have been at least ONE enterprising individual out there over the course of almost a decade! You can take the whole "But OS X doesn't run on corporate networks" argument into consideration as well. That still leaves us with plenty of opportunity to have achieved something in the double digits at least, which is a very conservative estimate.

Any explanation?

Firstly, I'm not debating that using OS X has been safe for the past 9 years, and I also don't need to be flooded with statistics about the popularity of Macs and gains in marketshare and such. I'm not a stockholder and you're not Steve Jobs, so please, calm down a little.

Basically, this is your argument: OS X has been safe for 9 years therefore it will be safe forever.

This argument is clearly flawed.

The fact is, regardless of OS X's safety up until now, most OS X users are now at serious risk with this exploit. It is possible, it is easy to exploit, and it's so simple that a 12 year old could do it.

Did you disable Java in Safari?
 
Ignorant of what? What doesn't exist?

By the way, you still haven't answered my question about WHY, after nearly 9 years and all the time and opportunity in the world, with tens of millions of Mac users, has there been nothing in the wild save a couple of little trojans? Why is it that we don't have (based on that old market share argument) at least say, a few hundred viruses? Why not even 20? Or 10? Using the ridiculously conservative number of 150,000 threats for Windows and ONLY Windows, the market share numerology suggests that an OS with a 5% share could have up to 7500 threats. 7500! Go global and a 2% share could net you 3000. There had to have been at least ONE enterprising individual out there over the course of almost a decade!

Any explanation?

As someone with the capability to write such a thing, if I were to choose to do so, I would engage in targeted attacks against specific users for maximum gain with minimum exposure, rather than deploying a wide-spread attack that would garner media attention, result in the vulnerability in question being disclosed and fixed, and potentially trigger an investigation into the source of the malware.

Botnet authors, on the other hand, operate almost entirely offshore, aren't concerned with targeting specific users, and benefit entirely from indiscriminately adding machines to the botnet. The more hosts compromised, the more valuable their botnet. With a vast number of Windows machines available, there has been very little value in investing in Mac OS X support for their malware "products". The vulnerabilities they target are the ones you actually get to read about in the paper.

Would you know if I compromised your machine? What if this post leveraged a cross-site scripting attack to include an applet exploiting this latest security issue? How would you know your machine hadn't been compromised so that you could continue to claim it still hasn't occurred in 9 years of computing?

The answer is: you can't really know. You have to take Apple's commitment to security on trust.
 
By the way, you still haven't answered my question about WHY, after nearly 9 years and all the time and opportunity in the world, with tens of millions of Mac users, has there been nothing in the wild save a couple of little trojans?

Because no-one cares. Mac's market share globally has been 3-5% for years.
 
Apple really ought to get off their arses on this. They've had plenty of time to patch this, but since the problem is not related to the iPhone I guess it has a low priority.

My main annoyance with Apple these days. Mac hardware gave them money and the platform to develop the iPhone and they're just not careful of that. Allowing it to slip so they can say 'We've decided to let Mac go, since it's no longer safe/moneymaking/too much effort to keep it up.'

Because no-one cares. Mac's market share globally has been 3-5% for years.

...and they're not big in the corporate business where the money is. Hackers are like one man corporations - they target value and money. :p
 
Because no-one cares. Mac's market share globally has been 3-5% for years.

Sorry, I don't buy that. Nine years, millions and millions of OS X installs, lots of allegedly smug behaviour by Mac users, and NO ONE cared. Right. :rolleyes:

Linux runs on corporate networks (lots of them), and has done so for years and years. And how many Linux viruses do we have? A handful maybe? Some have said only 7 since 1993. Others have said 20 or so. Take your pick. Imagine that. Linux has been virtually virus-free since what, 1993. That's a lifetime in terms of computing. If we apply some more of that obtuse low-market share logic (discarding the obtuse corporate networks logic) then if Windows 7 is wildly successful, like some of the astroturfers around here claim it will be, then OS X users will have nothing to worry about. Our market share will probably drop a few points to pre-2006 levels and we'll continue our free and easy surfing. Right? :grin:

By that skewed "no one cares" logic, if Windows 7 is moderately successful, at least more successful than Vista - allowing MS to recapture some market share, then people *still* won't care enough, right? Ergo, more virus-free surfing for OS X users for years to come; the post-Vista Windows 7 climate will be even more comfortable for OS X users. Because apparently, there will be a veritable ocean of OS X users switching back to Windows! LOL Just take those astroturfer arguments and use them as they would. There are plenty of them around here.


My main annoyance with Apple these days. Mac hardware gave them money and the platform to develop the iPhone and they're just not careful of that. Allowing it to slip so they can say 'We've decided to let Mac go, since it's no longer safe/moneymaking/too much effort to keep it up.'

Right. I suppose that's why there was a huge update to all the Macbooks at the close of last year and why they're pushing notebooks like it's going out of style. I suppose that's also why iLife and iWork received major updates, and why Pro apps are scheduled for updates as well within the coming months. And why Macs consistently rate highest in customer satisfaction across the board (even just recently.) Because they don't care. :rolleyes: LOL, you do realize that Macs and OS X is *still* their biggest money-making division, right?

Would you know if I compromised your machine? What if this post leveraged a cross-site scripting attack to include an applet exploiting this latest security issue? How would you know your machine hadn't been compromised so that you could continue to claim it still hasn't occurred in 9 years of computing?

The answer is: you can't really know. You have to take Apple's commitment to security on trust.

I do. My machine is virus-free. My OS X installs have always been virus and malware free. If people don't care NOW, they certainly didn't care years ago, when that magical market share number was even smaller. Right? Just more of that obtuse low market share logic at work here . . .

Just run one of the *very few* virus/malware checkers out there for OS X. We have them. Lonely apps, they are. But they're available. Or just read the news. If I was infected there would be others as well (let's hope that nasty malware can actually propagate) and we'd be reading about it the next day. A week tops. Every little niggle, every issue with OS X, no matter how minor, is always reported with glee. OS X is usually under an insane amount of scrutiny.

A cross-site scripting attack? Do it! You'd be the first. Because apparently, NO ONE cared enough to do it for nearly nine years!
 
Sorry, I don't buy that. Nine years, millions and millions of OS X installs, lots of allegedly "smug" behaviour by Mac users, and NO ONE cared. Right. :rolleyes:

Yes, no-one cares. Reading through Black Hat's archives and the articles they publish through the likes of ZDNet, CNET and others it's apparent that there's little difference between OS X and Vista (and presumably W7 although I've not tried it so couldn't say) in terms of OS security. This seems backed up by recent demonstrations that have shown that both systems are sound in terms of remote attack but vulnerable to socially engineered hacking. At the moment one could argue that OS X is actually the easier to hack because it doesn't have any randomisation techniques.

So what we're left with is OS X - which has had a very small user base that has grown quite a bit in the last couple of years but which is still marginal in terms of overall market penetration (Apple still do not make the top 5 in terms of global PC manufacturing and sales) with a user base of perhaps 4.5% - against Windows which has been - and remains - dominant for years and for which all the pre-existing code shells have been written, the knowledge base exists and the opportunity pool is about 20 times higher than competing systems. The end result is that you get a constant stream of security threats against Windows - the vast majority of which are socially engineered - against a handful of trojans for OS X.

So, yes, no-one cares.

I don't use securityware on my Mac because I don't feel there's any need to at this moment in time. My internet connection is routed through a cable modem which has its own built in firewall and I'm careful enough in my browsing habits not to worry about script installation which since I have No Script enabled on FireFox isn't a worry anyway.

That said I'm not naive enough to believe that I'm invulnerable or that OS X is a particularly secure OS - although I do think it's harder to socially engineer than Windows on the basis you need to type a password in rather than just clicking a button which allows some measure of thought.

The best thing in my mind is to keep an eye on what's going on - and I have noticed that, although the volume is small, there are more reports of worms and trojans for OS X appearing - and act accordingly. Relying on past history and good fortune just strikes me as foolish and naive.
 
Let Apple know via 'System Update' preference

The fact is, this is a MAJOR security risk and Apple ignored it for MONTHS, while this has been patched on Windows for MONTHS.
The chances are not slim to zero. Like I said, anybody with even the smallest knowledge of java could exploit this very easily and very quickly.
This COULD very easily be a catastrophe and this apologist "Oh I'm sure they'll get to it, no big deal" BS is ridiculous. Please listen to yourself because your post is pathetic and embarrassing to other Mac users.


I wholeheartedly agree that this is a major threat, regardless of how small the individual chance is.

There's really only a few things that I can see to personally do:

1) Disable Java within Safari (browsers)

2) Reconfigure System Preferences to check for an Apple update 'DAILY'.

3) Mention #2 and suggest that everyone who's concerned about this do the same so as to "Send a Vote" to Apple every day to get this fixed ASAP.

I'd hope that someone at Apple might notice if their number of hits on their System Update servers were to suddenly triple.


-hh
 
I wholeheartedly agree that this is a major threat, regardless of how small the individual chance is.

There's really only a few things that I can see to personally do:

1) Disable Java within Safari (browsers)

2) Reconfigure System Preferences to check for an Apple update 'DAILY'.

3) Mention #2 and suggest that everyone who's concerned about this do the same so as to "Send a Vote" to Apple every day to get this fixed ASAP.

I'd hope that someone at Apple might notice if their number of hits on their System Update servers were to suddenly triple.


-hh

I agree. In the meantime I think I'll stay in Windows 7 for now. Not that it might be safer but I haven't had the time to transfer my documents yet. And besides, it looks a lot more fresh so if my computer has to go, it can at least happen with me having fun with it. :D
 
Yes, no-one cares. Reading through Black Hat's archives and the articles they publish through the likes of ZDNet, CNET and others it's apparent that there's little difference between OS X and Vista (and presumably W7 although I've not tried it so couldn't say) in terms of OS security. This seems backed up by recent demonstrations that have shown that both systems are sound in terms of remote attack but vulnerable to socially engineered hacking. At the moment one could argue that OS X is actually the easier to hack because it doesn't have any randomisation techniques.

So what we're left with is OS X - which has had a very small user base that has grown quite a bit in the last couple of years but which is still marginal in terms of overall market penetration (Apple still do not make the top 5 in terms of global PC manufacturing and sales) with a user base of perhaps 4.5% - against Windows which has been - and remains - dominant for years and for which all the pre-existing code shells have been written, the knowledge base exists and the opportunity pool is about 20 times higher than competing systems. The end result is that you get a constant stream of security threats against Windows - the vast majority of which are socially engineered - against a handful of trojans for OS X.

So, yes, no-one cares.

I don't use securityware on my Mac because I don't feel there's any need to at this moment in time. My internet connection is routed through a cable modem which has its own built in firewall and I'm careful enough in my browsing habits not to worry about script installation which since I have No Script enabled on FireFox isn't a worry anyway.

That said I'm not naive enough to believe that I'm invulnerable or that OS X is a particularly secure OS - although I do think it's harder to socially engineer than Windows on the basis you need to type a password in rather than just clicking a button which allows some measure of thought.

The best thing in my mind is to keep an eye on what's going on - and I have noticed that, although the volume is small, there are more reports of worms and trojans for OS X appearing - and act accordingly. Relying on past history and good fortune just strikes me as foolish and naive.

A secure past is never a guarantee for a secure future. That's a truism regardless of what I think or what anyone else thinks. I can certainly respect that.

That "nine years and no one cares" anomaly still seems odd to me, BUT . . . I'm with you in hoping Apple does get this issue squared away as soon as possible.

I do have Java turned off. I run an admin account but I also have ClamXav running, and my router is set up correctly, my OS X firewall on, and stealth mode enabled, etc.
 
Over the past 14 years I've run every possible version of Windows, various flavors of Linux, BSD, and now of course OS X. I've seen the worst, patched the worst and quite simply all I can say about this is chill out and disable java. Who uses java applets anymore anyhow? I worry more about the user than the OS. Phishing, scams, swine flu :D, etc etc etc.. Basically I don't see this becoming a problem, widespread or wild.
 