Security firm warns of Java vulnerability in Mac OS X

Posted in macOS, edited January 2014
The version of Java that Apple currently includes with Mac OS X contains a critical security vulnerability that has gone unrepaired for months and may put Mac OS X users at risk, Mac security software developer Intego said Wednesday.



The firm says that Java, which can be used to write standalone applications that run across multiple platforms or applets embedded in web pages, has a serious flaw that could allow a remote party to execute code on a user's Mac.



"This can lead to 'drive-by attacks,' where users are attacked simply by visiting a malicious web site and loading a web page," the firm said.



The exploit could allow a third party to execute code, access or delete files, or run applications on the compromised machine. Combined with other exploits, hackers could even potentially run system-level processes and gain total access to the affected Mac.



Since the vulnerability relies solely on Java, with no native code required, it theoretically exists in all browsers on all platforms that have not been patched. This is the case with Mac OS X 10.5.7 and earlier, meaning the vulnerability affects even the update released just a week ago.



The firm claims that Apple has been aware of the exploit for at least five months, when it was publicly disclosed and fixed by Sun, but has yet to issue a security patch. It was first discovered by Landon Fuller, who has released a proof of concept exemplifying the security hole.



Intego says it has not found any malicious applets in the wild thus far, but the publicity around this vulnerability may entice hackers to target the exploit before Apple issues a security update. The firm's VirusBarrier X5 already blocks potential malware, but unless users are sure they trust the site they're viewing, simply disabling Java in the browser may provide the best protection while Apple works on a fix.







To do this, launch Safari, choose Safari > Preferences, click the Security tab, and uncheck Enable Java if it is checked. In Firefox, this setting is found on the Content tab of the program’s preferences. It is safe to leave JavaScript activated, since the vulnerability only affects Java applets.

Comments

  • Reply 1 of 54
    Considering that I have NoScript installed in Firefox in addition to having Java disabled browser-wide unless I need it for a specific website, I should be fairly safe for a moment.



    Also, "the Apple" sounds much better, as long as you disregard grammar.
  • Reply 2 of 54
    lakorai (Posts: 34, member)
    Quote:
    Originally Posted by bobmarleypeople:


    Considering that I have NoScript installed in Firefox in addition to having Java disabled browser-wide unless I need it for a specific website, I should be fairly safe for a moment.



    Also, "the Apple" sounds much better, as long as you disregard grammar.



    The issue with Java on the Mac wouldn't surprise me as the Mac version of Java is FAR behind the Windows version (no JavaFX support yet, Apple is still on J2SE, version 5.x, when Windows, Linux and Solaris have had Java 6.x for quite a while now). Apple barely updates Java for Mac; they don't seem to be on top of it. They seem to update certain technologies only when they really feel like it.



    Case in point:

    Java

    Apache

    SAMBA

    mySQL

    Wiki server



    all have received only security and bug fix updates since Leopard came out. The one real exception is Safari, but Apple has been pretty lax with keeping Safari updated compared to Firefox, Chrome and Opera. It's nice they didn't require 10.5 or Intel Macs for Safari however.



    etc. Apple only seems to majorly update these components with new OS releases. SAMBA on OS X is significantly far behind SAMBA for FreeBSD, Solaris and Linux releases.
  • Reply 3 of 54
    btitusjr (Posts: 53, member)
    Oh well. Java sucks anyway and has been turned off for quite some time. I suggest everyone never turn Java on again!!
  • Reply 4 of 54
    I followed that link, then ran the example exploit; sure enough the Java applet executes /usr/bin/say and your Mac talks to you in its default voice... but from the command line. So it is capable of running commands.



    Note that it can't do a sudo rm -f / (which wipes everything from your drive) because it would need to know your password. But it could do less dangerous things, such as deleting things from your home folder, or uploading your files somewhere online maybe. Not nice anyway.



    How many Mac users run without ANY password? If you know any, pass on that they need to have a password set, anything will do, because if and when a vulnerability / exploit exists in the wild, it might just try deleting things using nothing as the password, as in my experience a lot of Mac users don't use a password.
  • Reply 5 of 54
    mactripper (Posts: 1,328, member)
    Also do this (in addition to turning off Java):



    1: Turn off Safari's "Open Safe Files" in preferences.



    In addition to disabling Java support, Safari's 'Open "safe" files after downloading' must also be disabled to prevent websites from automatically loading a Java Web Start application via a JNLP file.



    2: If you are running the original user set up with the machine, it being an Admin user and all (not good)



    Create another Admin User (let's call it #2) and log into that, change the original Admin to Standard by unchecking "Let this user administer this computer"



    Now log back out and into your regular (now Standard) user. It will require you to enter the Admin 2 name and password to make certain changes. It offers a substantial layer of security.





    The reason for this is the Java exploit only has the powers of the user being exploited. So if it's an Admin, you're rootable (via application alteration using your requested password.) If a Standard user, then just your files.



    One is worse than the other and something like this is bound to happen again. So by being a Standard user, at least you don't get rooted (using sudo)





    And last of all, SHAME ON YOU APPLE!!!



    6 months and you did nothing! What are you waiting for, Snow Leopard?



    Ok, I'm finished.
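An added check for the mitigations the article and this reply describe (Java off in Safari, 'Open "safe" files' off, daily account not an admin); it is not code from the article, Intego or any poster. It assumes the Safari preference keys `WebKitJavaEnabled` and `AutoOpenSafeDownloads` as documented for Safari defaults of that era, and on a host without `defaults` the readers report `unknown`, which the audit treats as not confirmed off.

```shell
#!/bin/sh
# Added example, not code from the article or any poster: audit the three
# mitigations discussed here (Java off in Safari, 'Open "safe" files' off, daily
# account not an admin). Safari key names are assumed from that era's defaults.

# Read a boolean Safari preference: prints 1, 0 or "unknown" (no `defaults`).
safari_pref() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read com.apple.Safari "$1" 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}
# Is the named account a member of the admin group? Prints yes or no.
in_admin_group() {
    if id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx admin; then
        echo yes
    else
        echo no
    fi
}
# Pure assessment over collected values, so it can be exercised offline.
# Anything not positively "0" (off) counts as exposed; returns 1 on any finding.
assess() {
    rc=0
    if [ "$1" != 0 ]; then
        echo "FINDING: Java applets not confirmed off in Safari (WebKitJavaEnabled=$1)"
        echo "         fix: Safari > Preferences > Security, uncheck Enable Java"
        rc=1
    fi
    if [ "$2" != 0 ]; then
        echo "FINDING: 'Open \"safe\" files' not confirmed off (AutoOpenSafeDownloads=$2)"
        echo "         a downloaded JNLP file could otherwise launch Java Web Start"
        rc=1
    fi
    if [ "$3" = yes ]; then
        echo "FINDING: daily account is in the admin group"
        echo "         an applet running as this user could write to /Applications"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: all three mitigations are in place"
    return "$rc"
}

# Live run against this machine; findings go to stdout.
run_audit() {
    assess "$(safari_pref WebKitJavaEnabled)" "$(safari_pref AutoOpenSafeDownloads)" \
           "$(in_admin_group "$(id -un)")"
}
run_audit || echo "audit: this machine is still exposed"
```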
  • Reply 6 of 54
    monstrosity (Posts: 2,234, member)
    Quote:
    Originally Posted by btitusjr:


    Oh well. Java sucks anyway and has been turned off for quite some time. I suggest everyone never turn Java on again!!



    agreed
  • Reply 7 of 54
    brucep (Posts: 2,823, member)
    evil Java
  • Reply 8 of 54
    weebull (Posts: 2, member)
    Quote:
    Originally Posted by MacTripper:


    The reason for this is the Java exploit only has the powers of the user being exploited. So if it's an Admin, you're rooted. If a Standard user, then just your files.



    Admin is not root. Admin is a normal user who is a member of the admin group.

    As far as I can tell, that gives two extra privileges:



    1. Admins can write to the /Applications folder, so malware in an admin account can wipe that, or install itself into it.

    2. Admins can 'sudo', but this requires the user's password, so as long as the user isn't a monkey that types in their password without knowing why, that should be fine.



    It is still not possible to write to any of the system directories as admin. This is a big difference to Windows security. On Windows, Admin is root and you can do anything (as I understand it).



    Installing itself into an App is probably the nastiest thing that a piece of malware can do as admin, that it can't do as a normal user. Unfortunately the most precious thing on my Mac (to me) is my data. That is vulnerable to malware whether I'm an admin or not.
  • Reply 9 of 54
    Yeah, you'd have to travel back in time to the 90s when anybody actually used Java in order to be affected by this exploit. Apple should still be ashamed of themselves for letting it go this long without a fix, just for principle's sake and for their increasingly tarnished reputation, but I can see why they might not care.



    On the other hand, this and other such reports are indicative of a bigger problem: Apple is letting the ball drop on security, just when more people are learning of the Mac and its legendary safety (at least compared to the rusted-out sieve known as Windows). As a commenter on another site mentioned, they have $20 billion or so lying around; would it kill them to hire on a team of security experts to tighten up the platform properly?
  • Reply 10 of 54
    rnp1 (Posts: 175, member)
    Quote:
    Originally Posted by brucep:


    evil Java



    OH, I AM TERRIFIED!!!

    I guess I better use Windows, it is so safe in general!

    Did I just say I'd do Windows? Wait....That's stolen software!

    Thou Shalt not steal!

    "I don't do Windows"
  • Reply 11 of 54
    solipsism (Posts: 25,726, member)
    Let’s not forget that the iTunes Store uses Java and WebObjects.
  • Reply 12 of 54
    macxpress (Posts: 5,420, member)
    Maybe I'm way off base here but why is it up to Apple to fix an issue with Java? I realize it's an API in their OS layer, but still? Java is a Sun Microsystems technology. Microsoft isn't held responsible for issues with the Windows version of Java. It's up to the end user to download the latest version to fix any issues.
  • Reply 13 of 54
    jasonx (Posts: 17, member)
    Quote:
    Originally Posted by macxpress:


    Maybe I'm way off base here but why is it up to Apple to fix an issue with Java? I realize it's an API in their OS layer, but still? Java is a Sun Microsystems technology. Microsoft isn't held responsible for issues with the Windows version of Java. It's up to the end user to download the latest version to fix any issues.



    Yes, unfortunately you are way off base. Sun does not support Java on the Mac. It has to be done through Apple. Go to the java website yourself and try to download the updated version.
  • Reply 14 of 54
    solipsism (Posts: 25,726, member)
    Quote:
    Originally Posted by macxpress:


    Maybe I'm way off base here but why is it up to Apple to fix an issue with Java? I realize it's an API in their OS layer, but still? Java is a Sun Microsystems technology. Microsoft isn't held responsible for issues with the Windows version of Java. It's up to the end user to download the latest version to fix any issues.



    I think the difference here is that Apple doesn't let Sun just put Java on Macs. It comes through Apple's Software Update app after Apple reworks it a bit. I don't know too much about it but I hear people bitch about Apple's Java implementation all the time.
  • Reply 15 of 54
    webfrasse (Posts: 147, member)
    Quote:
    Originally Posted by solipsism:


    Let's not forget that the iTunes Store uses Java and WebObjects.



    Java Applets?
  • Reply 16 of 54
    dhkosta (Posts: 150, member)
    I'm not a fan of Java either but it's still pretty widely in use, and it's inconvenient to have to enable it every time you need it. I typically defend Apple's choices, though their unwillingness to deal with this over such a long timeframe is totally unacceptable to me. And from a shareholder's perspective, Mac OS X would be much more difficult to market without its impeccable reputation for security. Let's hope nobody makes wide use of this.
  • Reply 17 of 54
    solipsism (Posts: 25,726, member)
    Quote:
    Originally Posted by webfrasse:


    Java Applets?



    I have no idea, but I'm certain that it is not WebKit or HTML-based. I have tried to find detailed info about how the iTS portal works, but there just doesn't seem to be any.
  • Reply 18 of 54
    macxpress (Posts: 5,420, member)
    Quote:
    Originally Posted by JasonX:


    Yes, unfortunately you are way off base. Sun does not support Java on the Mac. It has to be done through Apple. Go to the java website yourself and try to download the updated version.



    Which is kind of my point. It shouldn't be up to Apple to do this. This isn't an Apple technology. But I believe it has more to do with what solipsism said. Apple chooses not to let Sun just implement Java for OS X. I'm sure Sun Microsystems would be glad to support Java for OS X if Apple would let them support it.



    In a way, this is sometimes a bad thing. Apple can't do everything even though it tries. They develop video drivers for the video chips, develop their own Java, etc. They should learn to let others do some of the work for them.
  • Reply 19 of 54
    mactripper (Posts: 1,328, member)
    Quote:
    Originally Posted by Weebull:


    Installing itself into an App is probably the nastiest thing that a piece of malware can do as admin, that it can't do as a normal user.





    Like I said, if you're running as Admin and get exploited it will get root.



    Maybe not right away, but the next time you run that app that demands an admin password...



    Hmm, I would target...Disk Utility! <evil grin>



    Does Apple do anything to check the integrity of OS X and apps from previous manipulations?



    I don't think so.





    Apple in my opinion doesn't do a heck of a lot of "what if, then what if, then what else" scenarios.



    Their self-delusional eggshell security is finally cracked. (tough love)
  • Reply 20 of 54
    ipilya (Posts: 195, member)
    An interesting thing to note....



    The Mac ships with Java (yes an older version)

    Windows... as a result of the old Java lawsuit... does not ship with Java

    Ubuntu... does not ship with Java as a default install



    However.... we recently ran a large encompassing online event whereby we were able to ascertain specifically how many people were running java... for "normal" users. What that means is the mom & pops of this world along with more sophisticated computer users. The results were... ~37%.



    An interesting thing to see since Sun was claiming ~70% penetration. I honestly don't trust Sun's numbers...



    Java is evil and ugly on any OS since it never actually gives an OS integrated experience. That is IMHO one of its greatest downfalls.