May 20, 2009 8:16 AM PDT

Security firm warns of Java flaw in Mac OS X

by Jim Dalrymple

Updated 12:30 p.m. PDT with Apple comment

Macintosh security consulting firm SecureMac.com on Tuesday issued a critical warning for what it says is an unpatched Java security vulnerability in Apple's Mac OS X.

According to the man credited with discovering it, Landon Fuller, the Java flaw even affects the latest version of Mac OS X, 10.5.7, released just a week ago. Fuller has gone so far as to release a proof of concept for the security hole.

The vulnerability could be used to perform what SecureMac refers to as "drive-by-downloads," or the ability to infect a computer by simply visiting a Web page. Fuller explains that the flaw allows malicious code to run commands with the permissions of the current user.

In a post on his Web site, Fuller clearly seems upset and mystified that the vulnerability remains unpatched in the latest versions of the operating system.

"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller said on his site. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."

"We are aware of the issue and we are working on a fix," Apple spokeswoman Monica Sarkar said. She could not give a time frame for the fix and declined to comment further.

Fuller's demonstration runs on "fully patched" Intel and PowerPC Macs.

The only workaround for the vulnerability is to disable the use of Java applets in your Web browsers and turn off the preference to "Open safe files after downloading" in Safari, he said.
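A check a Mac administrator could run to confirm both halves of this workaround are actually in place, added here as an example and not part of the article or of Fuller's or SecureMac's work. It assumes the Safari preference domain is com.apple.Safari and that "Enable Java" and "Open safe files after downloading" are stored under the keys WebKitJavaEnabled and AutoOpenSafeDownloads; confirm those names against the Safari version in use.

```shell
#!/bin/sh
# Added example, not from the article or from Fuller/SecureMac: audit the two
# Safari settings named in the workaround above.
# ASSUMPTIONS (confirm on the Safari version in use): the preference domain is
# com.apple.Safari, "Enable Java" is stored under WebKitJavaEnabled and
# "Open safe files after downloading" under AutoOpenSafeDownloads.

# classify_prefs JAVA_VALUE AUTOOPEN_VALUE
#   Takes the two values as `defaults read` prints them ("0" or "1"), or the
#   word "missing" when the key is not set at all. Only an explicit 0 counts as
#   the mitigation being in place; anything else, including a missing key, is
#   reported so the admin sets it deliberately rather than trusting a default.
#   Prints one finding per setting; returns 0 only if both are in place.
classify_prefs() {
    java_value="$1"
    autoopen_value="$2"
    status=0

    case "$java_value" in
        0) echo "OK   Java applets disabled (WebKitJavaEnabled=0)" ;;
        *) echo "WARN Java applets not confirmed disabled (WebKitJavaEnabled=${java_value})"
           status=1 ;;
    esac

    case "$autoopen_value" in
        0) echo "OK   'Open safe files after downloading' is off (AutoOpenSafeDownloads=0)" ;;
        *) echo "WARN 'Open safe files after downloading' not confirmed off (AutoOpenSafeDownloads=${autoopen_value})"
           status=1 ;;
    esac

    return "$status"
}

# read_pref DOMAIN KEY
#   Thin wrapper around `defaults read`; prints "missing" when the key is unset.
read_pref() {
    defaults read "$1" "$2" 2>/dev/null || echo missing
}

# Only query the live preference store when running on a Mac that has `defaults`;
# elsewhere the functions above can still be exercised with constructed values.
if command -v defaults >/dev/null 2>&1; then
    classify_prefs "$(read_pref com.apple.Safari WebKitJavaEnabled)" \
                   "$(read_pref com.apple.Safari AutoOpenSafeDownloads)"
fi
```

The script's exit status mirrors the findings, so it can be run across a fleet and any non-zero result flagged for follow-up.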

Jim Dalrymple has followed Apple and the Mac industry for the last 15 years, first as part of MacCentral and then in various positions at Macworld. A guitar player for 20 years, Jim also writes about the professional audio market, examining the best ways to write and record songs on a Macintosh with Logic Pro and Pro Tools. Jim is a member of the CNET Blog Network and is not an employee of CNET.
by myles taylor May 20, 2009 8:36 AM PDT
That sucks. Fortunately, Apple is usually pretty quick to patch these holes.

Before the flamewar starts.....I'd just like to say:

Why flame? Every system has holes and always will.
by catch23 May 20, 2009 8:46 AM PDT
While I agree, it seems this opinion is only shown when it is a problem in Apple's court.
Where is this understanding when the flaw is a third-party problem on Windows?
by msjonker May 20, 2009 9:09 AM PDT
True, but not every system's creator runs commercials implying that they are immune to these issues.
by BruinGuy May 20, 2009 9:16 AM PDT
The reason to flame is because Apple starts the flame wars IN THEIR TV ADS. Their holier than thou ads are just false claims and advertising fraud. The general public is getting tired of it.
by Angmarr May 20, 2009 9:18 AM PDT
ya seriously, need to flame because this is exactly what the mac ads keep denying!
by Voice_Of_Logic May 20, 2009 10:23 AM PDT
But the commercials say that they have no legal mumbo-jumbo and no virus can affect them and no hackers can get in. I mean, aren't the commercials telling the truth? I've never been lied to by advertising and marketing types. Never.

NOT.
by myles taylor May 20, 2009 12:05 PM PDT
I only blame Microsoft for how long it takes them to patch anything. My reasons for disliking Windows have nothing to do with its security flaws.

Microsoft's ads are just as full of it. They are ads. Ignore them.
by Seaspray0 May 21, 2009 1:56 PM PDT
@Miles Taylor. No need to flame when you tell the truth, which you did.
by pentest May 21, 2009 3:04 PM PDT
catch23,

Windows has plenty of exploitable flaws, some around for several years.
by santuccie May 21, 2009 4:00 PM PDT
I concur with msjonker, BruinGuy, and myles taylor. Apple is starting memes with what amounts to false advertising. I won't say Microsoft isn't guilty, though; look at all the lawsuits they had to deal with over "Vista Capable" labeling.

@pentest:

So does OS X. Do a query for each version of OS X at the National Vulnerability Database. In a lot of cases, you'll find the exact same number of vulnerabilities year after year for each version. This indicates that there are vulnerabilities that have pervaded the product line for some 7-8 years. But not very many have been found yet, because not very many people are looking. M$ has more manpower than Apple, and most of the programmers in the open source community are focusing on Linux, rather than BSD.

You'll find articles on the Web that have quotes such as "OS X is easy pickings for bug finders. That said, it really doesn't have the market share to interest most serious bug finders." You'll find a quote from Charlie Miller during an interview, after being asked why he chose to hack OS X at CanSecWest. He replied, "It's the easiest one of the three. We wanted to find as little time as possible coming up with an exploit, so we picked OS X."

@myles taylor:

Microsoft generally releases updates once a month for a couple of reasons. First, they are giving network administrators a predictable cycle to follow for deployment. This is one of their ways to meet demand, which Apple may not be as familiar with since most businesses use Windows (except for servers, although Windows server is gaining ground), and because obscurity means almost no ItW malware for Apple.

Second, MS has to test each patch on multiple versions of each operating system, as well as its effect on various popular third-party applications. One thing you could blame Microsoft for is making so many different versions, but you can't blame them for the fact that all software and hardware are developed first for Windows; that comes with the territory. The fact that Windows has become the standard is a success for Microsoft, not a blunder.
by santuccie May 21, 2009 4:02 PM PDT
@pentest:

Sorry, I meant "per year," not "year after year."
by tsi26 May 20, 2009 8:37 AM PDT
Oh here we go again. More of the OSX is perfect...it's not OSX's fault baloney. Windoze suxors...blah blah blah!
by ballmerisanape May 20, 2009 8:41 AM PDT
I thought Apple disabled the "open safe files" as a default setting a while ago. I can't remember... but I've had that turned off for a while now. Also, when downloading an application in Safari.. even if it's in a .dmg image... OS X tells you that the file/package you are downloading is an application.. and makes you click "OK" to complete the download.

Does the app warning still apply to Java code? Will the Mac OS still inform you that you are downloading an application?
by ballmerisanape May 20, 2009 9:02 AM PDT
I tried out the proof of concept on an Intel iMac running the latest version of Safari... and it required zero user interaction. Scary.
by ballmerisanape May 20, 2009 9:08 AM PDT
Activity Monitor shows a process called "say" running for approximately 3 seconds. When you go to the site, the "application" says "I am running an innocuous application".. or something to that effect.
by SteveW928 May 20, 2009 10:32 AM PDT
No kidding... EVERYONE should have that box un-checked. I'm not sure if it is the default or not, but I've had it that way for years.
by shycelticwitch May 20, 2009 8:45 AM PDT
myles... seeing the post that appeared just one minute after yours tells me that the MS flamers just have that insatiable need to feed. But I am sure if we had to deal with the incompatibility and vulnerability crap that they do on a consistent basis, we too would be negative, nasty, cranky and just plain disagreeable. So let's just let them have their little bit of "feel good" and ignore the BS. We KNOW why we buy what we buy, and why they buy what they buy, and that knowledge is satisfactory enough for me to be able to overlook the rantings of the clueless. : )
by shootfirst May 20, 2009 9:02 AM PDT
Umm dude, you guys are the ones who are doing the taunting, just like all MAC people. You barely make sense in your reply, but I guess it is like an Apple to try to hide the problem than to address it.

For those of you who don't understand drive by downloads, these downloads happen without any user interaction and there is no warning that it occurred due to an exploit that is abused. Your OS has no idea it just downloaded and installed something since Java is flawed and the OS gives Java rights to do things and if incorrectly coded could allow it to exploit. The more programs that Apple gets in its system that it does not have complete control over the more exploits will arise, which is why Windows has so many issues to begin with.

Anyone else find it vaguely amusing that Apple chooses to label its installation files as .dmg? Out of all the 3 letter extensions that exist, this is what they come up with.

Best way to fix having the installation of drive by programs is to not allow users to be administrators when they are using their machines. Linux has basically everything beat in this regard, but requiring a mac user to type in a password is a joke since they believe obfuscation is a valid form of security.
by ballmerisanape May 20, 2009 9:58 AM PDT
shootfirst.. good post.. except for two things.. using the acronym "MAC".... instead of "Mac" (short for Mackintosh)... and your comment about .dmg files. ".dmg" files are disk images... not installation files. Apple uses "packages" for installation files.... .dmg files are more like .iso files.
by shycelticwitch May 20, 2009 10:08 AM PDT
First of all I am not a dude, and your use of the term tells me you're a snot-nosed geek who sits behind a game screen all day learning about violence and smut. I didn't hide anything, and I made a LOT of sense. I did not bash anyone (until you invited me to), nor did I call PC users stupid. I simply stated that people who make nasty comments usually have underlying issues that have nothing to do with what they are being nasty about. Since you are not a fan of Apple, why are you even posting on this article? Are you bored? Have you run out of villains to kill and destroy? We're not interested in your rhetoric (I call it that because you certainly didn't back up your useless drivel with any facts).

You are forgetting one thing... if we are smart enough to buy a computer that's made with better software and hardware under stricter manufacturing guidelines, we are certainly smart enough to know how to avoid the OCCASIONAL issues that arise with our choice of system?

And don't forget... 7 updates means consistency in keeping their operating system at its maximum ability to function is not a problem for me; downloads and updates take all of about 10 minutes. Big deal. Got anything else I can poke holes in?

LOLOLOLOL
by shycelticwitch May 20, 2009 10:14 AM PDT
@ballmerisanape.... BOTH you and the "dude" person need a trip back to elementary school. If you're going to bash Mac, at least learn to spell it right. It's Macintosh. Sheesh.
by ballmerisanape May 20, 2009 10:29 AM PDT
shycelticwitch.. you're right. I should really pay attention to my grammar and spelling on this site. I mean.. points are completely invalidated now. Perhaps you should take a few lessons too.. especially regarding comma use.
by Charleston Charge May 20, 2009 11:34 AM PDT
@witch I am impressed. Based solely off of your computer purchase it is obvious that not only are you smart, you are some sort of genius the world has never seen. Your IQ is surely so high a new number will need to be invented in order to express it.
by tm_anon May 21, 2009 10:52 PM PDT
@the idiots who decided to reply

The OP made a lot of sense in a biased way and even admitted to having a bias towards Mac computers. There was no name calling, no claims to superiority beyond having made a good choice in her own personal opinion.

In fact, no negativity beyond a "holier than thou" attitude shown by the OP was shown and I've seen much worse than that shown by so many Windows "enthusiasts". Perhaps you saw something in her words that spoke as something too true from your own personal experiences?

I used to use Windows, I had issues with viruses and malware, had to maintain the system beyond a "reasonable" amount. I switched to Linux and don't have those problems now. I still see Windows "enthusiasts" trying to claim those issues don't happen or, worse, that those issues are always the fault of the user.

The OP didn't claim that these issues don't happen with OSX, didn't claim that when they do happen, it's the fault of the user and gave the benefit of the doubt to most Windows users that they actually handle them when they arise.

Then comes in shootfirst who claims the OP is ignorant of what a drive-by download is and then makes fun of the .dmg extension. ballmerisanape actually commended shootfirst for a "good post" though it was anything but that and Charleston Charge comes in last by taking the response from the OP completely out of context. Sarcasm is fine but when you do it in a non-productive way, it shows just how ignorant you are and how poor an argument you would have made otherwise.
by outlaw26r May 20, 2009 8:55 AM PDT
wow, this is the longest that a comment section has been reasonable about the actual issue and not sputtered into complete fanboy retardation. Are we witnessing community wide personal growth or are the interwebs clogged again?
by baconstang May 20, 2009 7:44 PM PDT
Spoke too soon. Mr. Dee, complete with his internalized gas bag has arrived.
by T543212345 May 21, 2009 3:08 AM PDT
it was nice while it lasted...sigh.
by Mr. Dee May 20, 2009 9:03 AM PDT
Mac OS X: Most secure OS in the world? Heh, more like the biggest joke in the world. 7 Service Releases since October 2007 and they still can't get security right.

shycelticwitch: a typical clueless comment that shows how little you know about Windows. I don't have to worry about security in Vista, I am well protected and I have my peace of mind, I don't have to deal with near 500 MB updates every point update. Vista comes with ASLR (while OS X has a lousy implementation), Protected Mode in IE, InPrivate Mode, Windows Firewall with Advanced Security and many more advanced security investments that allow me to just focus on doing my work instead of downloading patches for my OS every day. OS X is a broken promise, get used to it, not to mention the hardware defects in the MacBook and iMac.
by ckh1272 May 20, 2009 9:37 AM PDT
Wow outlaw26r!! You totally jinxed the discussion! No sooner than you make that statement, Mr. Dee (dee dee) makes his obligatory slam!! Mr. Dee, Safari has Private Browsing and OS X has had a firewall. I am not saying OS X is perfect, but clearly your ignorance (or hatred) blinds you to the fact that all OSes have holes, even Vista (hope you don't use Flash much. Look it up). That is all I have to say and I will not comment any further. Anybody who frequents these boards knows that explaining anything to certain people is pointless, to say the least. I just had to mention the comedic irony in outlaw26r's statement, knowing it wouldn't take any time before the short bus stops by!!
by Dalkorian May 20, 2009 9:47 AM PDT
Keep telling yourself these lies and maybe you'll convince yourself.
by Seaspray0 May 21, 2009 2:04 PM PDT
Mr. Dee. There is no such thing as a secure OS. Every operating system has flaws and vulnerabilities. You're wrong, you do have to worry about security in Vista. Likewise, users of OSX also need to worry about security (anyone who believes otherwise is also wrong). This has nothing to do with which OS is better, it has to do with the fact that all operating systems have flaws and vulnerabilities.
by pentest May 21, 2009 3:06 PM PDT
Too bad every security feature in Vista is already broken, including the much vaunted memory protections.
by santuccie May 21, 2009 4:39 PM PDT
@pentest:

Please explain. I am not aware of any drive-by download that works on Vista, not even Conficker or Mebroot. OS X, on the other hand, is a sitting duck. Add the fact that Leopard comes with the firewall turned off, and you become a potentially tasty target (and not because apples are juicy and delicious). Imagine Olivia Munn or J-Lo wearing a bikini in a dark alley in west L.A. or east Oakland at night.

I am a service tech; I deal with Vista machines five days a week. I'm still waiting to find an infection too serious to remove. Actually, most of the Vista units people bring in for "viruses" turn out to have no infections at all; they just have 25 icons in the system tray and three or four different antivirus programs that the customer tried out (and didn't remove). And virtually ALL units that turn out to have infections are running LimeWire or FrostWire (and again, nothing serious).

I run autosurfs in Firefox all day every day, 20 tabs at a time. Nowadays, I always run them on a cloud computer, to save processing power and bandwidth on my equipment; but I've done it in XP with a locked kernel and no antivirus, and Vista with no antivirus and Windows Defender turned off (I always leave UAC enabled). Total infections: ZERO. And there's a big difference between you and me; I'm not just hiding from the bad guys, I'm actually blocking their attacks.

When the Russians figure out how to write the code for drive-by attacks on OS X (and they will eventually), you won't be able to do that on the Mac. You'll have to see if there is a way to lock down OS X like I do XP and 2K, or install some kind of sandbox. And keyloggers can still run inside a sandbox.
by GraphiteCube May 20, 2009 9:08 AM PDT
It is not a flaw, it is a feature.

; )
by michael_j_x May 20, 2009 9:27 AM PDT
haha, they should have put it on their Mac vs PC commercials:
Hi, I am a Mac, I am so easy to use that I can install applications without any user interaction at all...
by santuccie May 21, 2009 4:43 PM PDT
LOL
by battmail May 20, 2009 9:13 AM PDT
I love when PCers act as though Windows is the most secure thing in the world...LOL.
I think John C. Dvorak (lover of all things Macintosh...LOL) said it best on the latest TWIT: "After a Mac update the machine nearly always performs better, but after a PC update the machine feels slower." Check it out at http://www.twit.tv
by Williame789 May 20, 2009 9:21 AM PDT
And who says that Mac is a very secure machine? You still have to put Anti-Virus to protect yourself. Better buy a Windows PC, and it has Blu-ray.
by ballmerisanape May 20, 2009 10:01 AM PDT
Actually.. there are ZERO viruses for the Mac OS. You can install antivirus software.. but its only purpose is to scan files that may infect your Windows-using friends if you happen to send them the file.
by santuccie May 21, 2009 4:55 PM PDT
@ballmerisanape:

True, there are no bona fide "viruses" for OS X. But that's only because viruses are targeted, usually at politicians or high-profile clergymen, who are usually running Windows. The viruses are usually delivered by e-mail, and spread when the message is forwarded.

However, about 70% of all malware are Trojans, which DO exist in the wild for Mac OS X (iBotnet, anyone?). And you can bet that drive-by downloads are in the works, since Russian bot herders are well aware of what has been happening at CanSecWest. Vista (Me II) might not ever replace XP as the market leader, but I'd be willing to bet that Windows 7 will. And as XP's user base downsizes, hackers will be in tough times. Sooner or later, they'll move on to the next easiest target, which is OS X.

No, antivirus is not just to be courteous to your e-mail contacts. I'd suggest you read up and get current on this stuff.
by rapier1 May 22, 2009 10:49 AM PDT
Well, there are viruses for OS X. There just aren't any viruses that had any sort of real infection potential or impact.
by santuccie May 22, 2009 3:05 PM PDT
Exactly. They're just PoC viruses, not ItW.
by cyclonica1980 May 20, 2009 9:30 AM PDT
Wooptie doo, we all know OSX isn't invincible. Nothing is. It's impossible to be 100% safe unless you don't go on the internet, and don't use USB or any other peripherals with your machine. Enough of this stupid flaming and bashing between you Windows and Mac fanboys.

You know what? If a Mac person wants to go spend more money, they can. Consumer reports show they tend to last longer anyway and hold better resale value. PCs are good at lasting about 3-4 years and are generally used more because they are cheaper and just do what needs to get done at a lower price. Macs are the same thing; they just have a different OS and they are built a bit better.

I've had the same Dell desktop since 2001 and it still does everything I need it to do just fine. I have an iMac and a MacBook Pro as well for my business and an HP HDX 16 laptop for gaming and my Zune. All my machines each serve a purpose and all do what they have to do. What's the issue here? There is none.
by TMB333 May 21, 2009 7:16 AM PDT
I am not trying to bash Macs in any way, but as you claim that a PC lasts about 3-4 years, I'm assuming you mean it is significantly outpaced by current technology and not necessarily 'breaks down', and a PC is significantly priced lower than a Mac, and both systems "do what needs to get done", then why would someone want to pay more for the Mac?

After 3-4 years, technology has most likely increased significantly and one may likely want to take advantage of that new technology for the faster applications and peripherals that it brings about. But, as you state, your 8-year-old Dell machine is still doing its job just fine, so I'm really at a loss as to why someone would want to pay sometimes as much as $1000 more for a computer that doesn't necessarily do $1000 worth of more work than the competition?

Yes, I am a PC user and have been for quite some time. I read all of the news stories from both camps just to try to understand if there is really something SIGNIFICANTLY better about Macs than PCs. In all honesty, there doesn't seem to be. I keep my machine patches up to date like any good computer user (either Mac or PC), and I haven't experienced anything near the type of chaos that the media would lead one to believe exists on all Windows PCs. I don't catch viruses left right and center, and I don't get crashing every other day, so, I would say that my computer using experience is quite satisfying.

So, again, it just doesn't make economic sense to me to want to pay more for something that doesn't necessarily do a better job. Does it?
by Angmarr May 20, 2009 9:32 AM PDT
Safari has been plagued by crap like this for years (Safari is no better than that other crap IE) ... mac fans should @ least use Firefox or something like it!!!
by santuccie May 21, 2009 2:50 PM PDT
Since this is a Java vulnerability, I would imagine it applies to Firefox as well (Firefox has its own toggle switch for Java). And according to security researcher Charlie Miller, Firefox on the Mac is easy to exploit as well. He says OS X just doesn't have the kinds of mitigations that Windows Vista (and Linux) have.

That said, Firefox is my primary browser in Windows XP, but for a very different reason. I secure Windows by locking down the kernel. I use Firefox because it supports all the tools I use, including Xmarks and SiteAdvisor. If you're going to use your browser as your security apparatus, then I'd recommend Google Chrome. It doesn't support add-ons, but at least it has a sandbox. Cheers!
by w0rdwarri0r May 20, 2009 9:36 AM PDT
There are no viruses in the wild for OS X, so you don't need anti-virus for OS X. In fact, if you configure a Windows XP SP-2 machine correctly (not default configuration), you might not need an anti-virus either. OS X is more secure out of the box because the user doesn't run as an administrator, but this can be configured for Windows as well.

The problem with the Java vulnerability is that it was fixed 5 months ago in the version of Java that Sun Microsystems distributes. Apple, for whatever reason, decided not to apply that same fix to the version of Java that they distribute. This means there's a critical vulnerability that they could have patched with a moderate amount of integration and testing. This is unacceptable.

The reason that Windows is considered less secure out of the box is that for legacy reasons it allows the user to run as administrator out of the box, whereas it's nearly impossible to run as an administrator on OS X. Having said that, users who are careless will mindlessly enter their administrator password on OS X the same as users who will continue to run as administrator on Windows.

Any operating system can be made secure if the user practises safe computing.
by ballmerisanape May 20, 2009 10:02 AM PDT
The default user does indeed run as an administrator.. Maybe you meant Root?
by santuccie May 21, 2009 3:17 PM PDT
@ballmerisanape:

"Root" is the Unix version of an "administrator" in Windows, such that you are able to make system-wide changes.

@w0rdwarri0r:

One of the biggest problems on the Web right now is established, legitimate Web sites being "pwned" in cross-site scripting attacks. Not only does it save time to attack a preexisting Web site, but it also means more hits from the site's established patronage. This is why Granny gets infected as well, not just the people who use warez, porn, and P2P.

Also, running with limited privileges is not as secure as it seems. I watched SQL Slammer and Stack Bot barge through firewalls and limited user privileges back in September and October of 2006 to install IRC Flood, just before McAfee did a complete overhaul of their security software and introduced ScriptScan (which had previously been reserved for their Enterprise product line). And last fall, I watched Mebroot get through limited user privileges once more and infect the MBR.

Then there's Conficker (which I believe is written by the same people), which also escalates privileges. I'm taking a class in MS Office 2007 to get familiar with the new Ribbon and such, and have seen the school ban the use of flash drives, and then shut down the entire network for a day from a Conficker strike. And all of these machines have limited accounts. I told the technician to disable AutoPlay for all drives, but he's a grouchy old man who won't listen to me. And even if he would, he doesn't have control over the district, who issued the ban on flash drives.

Just so you know, Conficker and Mebroot both use rootkits. You can be infected and never know, because your antivirus won't detect them, and because they don't bog down machines like some of the older malware from a few years ago. You might run GMER, and make sure you don't have a copy of the MBR on sector 62. Then do a Google search for "Conficker eye chart," and make sure you can see all six logos.

That said, OS X is just as vulnerable as XP with a limited user account (not as prone, due to obscurity; but just as vulnerable). Security researchers have been able to gain complete control over the Mac using remote exploits (including drive-by downloads) for the past three years, while Vista couldn't be touched until the third day, using an Adobe bug. Now that Vista is the Windows product on store shelves, experts agree unanimously that OS X is the most vulnerable operating system on the market.
by anilsudh May 20, 2009 9:44 AM PDT
First of all who uses Java anymore? Another junk piece of software. I refuse to visit sites that require a Java plugin.
by Angmarr May 20, 2009 10:11 AM PDT
Umm that's a lot ... a lot of sites!
by Perry_Clease May 20, 2009 10:15 AM PDT
"Umm that's a lot ... a lot of sites!"

Java or JavaScript?
by Angmarr May 20, 2009 10:27 AM PDT
a lot of sites use Java (Blackboard for example), and I know of no alternative! would like to though!
by El_Segfaulto May 20, 2009 10:30 AM PDT
While I'm with you in principle, in reality the grading system for my University, my payroll, and several other systems I need to use are written in Java. It's not a perfect world and as much as I dislike the general arrogance of most Mac fanbois, this is primarily Sun's fault.
by w0rdwarri0r May 20, 2009 10:48 AM PDT
@El_Segfaulto

What's Sun's fault? That they invented a technology and have decided to promote it? I guess there's a long list of companies that are guilty of the same thing:

Microsoft
Apple
Adobe
Oracle
IBM
etc...
by El_Segfaulto May 20, 2009 11:03 AM PDT
@w0rdwarri0r

The security flaw is at least partially Sun's fault. I'm with you on the usefulness of Java. It was one of the first languages we learned to program in when I was an undergrad and some of my favorite apps are written entirely in Java.
by CBSTV May 20, 2009 9:47 AM PDT
For the code to run, it requires the permission of the user.

Do not provide your administrator password willy-nilly.
by ballmerisanape May 20, 2009 10:03 AM PDT
No... It does not. It runs automatically... without any user interaction. Try it out.. I did.
by SteveW928 May 20, 2009 10:38 AM PDT
@ ballmerisanape -
Try reading the article.... "The only workaround for the vulnerability is to ... turn off the preference to "Open safe files after downloading" in Safari, he said."

So, it can't run on its own folks if you've turned this pref off... which EVERYONE should do (if it isn't already the default).
by ballmerisanape May 20, 2009 3:13 PM PDT
I did one better.. I actually went to the guy's site... read about the "exploit".. and ran the proof of concept myself.. it requires NO interaction other than opening the site. I even had "open safe files" disabled.
by SteveW928 May 21, 2009 2:52 PM PDT
@ ballmerisanape -

Maybe this article is in error then.... wouldn't it need to download a file to execute? The test site might just be showing you one-half of the vulnerability. I don't know Java well enough... but was just going by the article (and site it referenced).
by santuccie May 21, 2009 3:19 PM PDT
YIKES!!!
by santuccie May 21, 2009 5:09 PM PDT
@SteveW928:

Java applets ARE downloads. Do you know how a browser works? Everything that is displayed on your screen is HTML and a bunch of scripts. Every time you load a page, your browser is downloading and opening files.
by santuccie May 21, 2009 5:44 PM PDT
BTW, here's a quote from the Web site...

CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable.

"...merely by visiting a web page hosting the applet." This is called a drive-by download.
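As an added illustration (this is not Fuller's proof of concept, nor Apple or Sun code, and it does not reproduce the bug itself), the Java program below shows the boundary that the quoted CVE description says is being escaped. An unsigned applet runs under a SecurityManager whose exec check denies process creation; the same call with no manager installed runs the command with the permissions of the logged-in user. The `DenyExec` class, the `attemptExec` helper and the `echo` command are assumptions chosen for this example (the thread reports Fuller's PoC launching `say`; `echo` keeps the demo portable).

```java
import java.io.IOException;
import java.security.Permission;

/**
 * Added example: what the applet sandbox is supposed to stop.
 * Path 1 (no SecurityManager) is what a trusted application gets.
 * Path 2 (SecurityManager installed) is the state an untrusted applet
 * runs in; a sandbox escape means reaching the behaviour of path 1
 * from path 2 without the user granting anything.
 */
public class SandboxBoundary {

    /** Command an untrusted applet must never be able to spawn (assumed for the demo). */
    static final String[] CMD = {"echo", "applet reached the shell"};

    /** Stand-in for the applet policy: allow everything except process execution. */
    static final class DenyExec extends SecurityManager {
        @Override
        public void checkPermission(Permission p) {
            // Permissive for file/property/socket checks so the demo stays small;
            // a real applet policy is far stricter than this.
        }

        @Override
        public void checkExec(String cmd) {
            // ProcessBuilder.start() consults this before forking.
            throw new SecurityException("sandbox: exec of '" + cmd + "' denied");
        }
    }

    /** Try to spawn CMD; returns "ran", "blocked", or "failed: ..." */
    static String attemptExec() {
        try {
            Process p = new ProcessBuilder(CMD).inheritIO().start();
            p.waitFor();
            return "ran";
        } catch (SecurityException e) {
            return "blocked";
        } catch (IOException | InterruptedException e) {
            return "failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Path 1: no manager, the command runs as the current user.
        System.out.println("no sandbox    -> " + attemptExec());

        // Path 2: manager installed, the same call is refused.
        System.setSecurityManager(new DenyExec());
        System.out.println("under sandbox -> " + attemptExec());
    }
}
```

Compile with `javac SandboxBoundary.java` and run with `java SandboxBoundary`; on Java 18 and later the runtime refuses to install a SecurityManager unless started with `-Djava.security.manager=allow`, and Java 17 prints a deprecation warning. The first line prints the echo output followed by `ran`, the second prints `blocked`. That second outcome is exactly what a browser relies on when it lets an unsigned applet execute, and why a sandbox bypass turns "visit a page" into "run a command as the user".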
by SteveW928 May 21, 2009 11:19 PM PDT
@ santuccie -

Yes I realize that, but didn't know if the two were linked until now. It appears they are independent.
Yep, I agree on yikes... this is certainly the real deal.... now we'll see if someone puts it to use before Apple patches it.
(And just in case you're wondering... I'd still rather be on OSX many times over than on Windows.)
by santuccie May 22, 2009 8:29 AM PDT
I prefer being able to block the attacks, rather than just hiding from them. But you have a right to your preference; I was just clarifying.
by SteveW928 May 22, 2009 9:48 AM PDT
@ santuccie -
You better get over there and help these guys then....
(Malware knocks out U.S. Marshals Service network)
http://www.networkworld.com/news/2009/052109-marshall-malware.html?netht=rn_052209&nladname=052209dailynewsamal
Once again, I'm not saying OSX is perfect... but I'd much rather be here than over there in the real world at the moment.
by Dalkorian May 20, 2009 9:59 AM PDT
This "warning" comes from a security firm, ironically named "SecureMac". LOL. It requires you to open Safari preferences and check "open safe files after downloading", a known security risk that is now off by default (yes, it was on by default at one time - Apple isn't perfect either, just better).

A risk yes, but not a big one in my books. Plus Sun has a fix for this issue, Apple just hasn't incorporated it into their OS yet. It will come soon. In the mean time, make sure you don't have that checkbox checked and you should be fine. And ignore the winblows trolls, who are reveling in the fact that a flaw has been discovered in an OS other than winblows. Misery loves company.
by ballmerisanape May 20, 2009 10:05 AM PDT
It ran fine on my machine even though I turned off the "open safe files" in Safari. As I said above.. it runs a process called "say" for a few seconds.. and required absolutely no interaction (other than navigating to the page).
by santuccie May 21, 2009 3:42 PM PDT
As stated by ballmerisanape, disabling "open 'safe' files after downloading" is only one half of the workaround. You have to disable the use of Java applets in the browser completely.

This may be PoC, but it is a demonstration of the inherent insecurity of your platform. Personally, I simply disable write-access to system32 in Windows, and get on with my life. I don't get viruses either, yet I get to use the standard and have my options wide open for software and peripherals as my needs grow. I get to have my cake and eat it too. And now, so do Vista users (as long as their systems are fast enough to run Vista, and such machines are cheaper than Macs with equivalent features, even when buying the SSD separately).

A troll is a person who frequents the forums with the very purpose of starting flame wars. One of the ways to spot a troll is to look for fiction; the only thing that remains is to determine whether the suspect is simply uninformed, or outright religiously subjective. You have been corrected countless times, and brought fully up to speed, yet you continue to follow the obsolete, anti-MS memes. "You spot it, you got it," that's what they say.

It's because of brainwashing that Muslims are willing to blow themselves up to say "Screw you!" to the country that allowed them to cross its borders and work toward obtaining citizenship. You're demonstrating a blindness of faith that isn't far removed from this behavior. You might want to take a look at that.
by SteveW928 May 22, 2009 10:13 AM PDT
@ santuccie -
You might have the skills to secure your system as you say, but 99% of the Windows user-base does not. An OSX user could also update some of the underlying unix modules where these problems are being discovered and then be extremely safe. But, again, in the real world, for the average user... OSX is a MUCH safer place to be. And, as the case now is, it is quite easy to open browser prefs and just uncheck Java for a few days or weeks till Apple updates this. For users that aren't paying attention (the majority of Windows and Mac users), this is potentially dangerous, yes, but they are still far safer with OSX than Windows.
by santuccie May 22, 2009 12:42 PM PDT
Windows XP, Steve. Not Vista. Vista is safer out of the box than OS X. The only Vista users who are getting infected either have UAC disabled (not many do), or are downloading off of LimeWire/FrostWire. The average Vista user actually is safer than the average OS X user. For XP and 2K users, there's Invincible Windows: http://invincible-windows.blogspot.com/
by santuccie May 22, 2009 1:19 PM PDT
BTW, you have the opportunity to help a Mac user or two. I imagine there is a way to fortify OS X against a drive-by download. Would you know how? If so, you would be doing a service to the WorldWideWeb if you would create a tutorial of your own. This is not a challenge, just a suggestion. Thanks.
by SteveW928 May 23, 2009 11:12 AM PDT
@ santuccie -
re: vista - the problem is that the majority of windows users aren't using Vista. Many of the people I know using Windows either aren't willing or don't have the hardware to update to Vista... many of them thought they were getting a better deal on their computer purchase.... saving hundreds over the Mac... as they have never considered the low specs of that 'bargain' PC. Now it is time to buy a new system if they want Vista. Maybe Win7 will have better luck. Also, judging by the popularity of 'turn off your UAC' articles, I wonder how many have turned it off?

re: fortify OS X - Well, for this one you just uncheck that box in prefs.... I've done it to our Macs and those of people around I know... so they are all safe. As for some universal way.... I suppose something like you're doing to... but I don't know the effects it would have (on apps and such)... and like I said earlier, the OS is so trivial to re-load on OSX, I'm not sure it would be worth it. If OSX got infected with any kind of system level issues, and you have a backup... you simply re-load your OS... plug in the backup.... tick the 'load from previous Mac/backup' option... and in an hour or two, you're back to a perfectly clean system. OSX doesn't have files scattered all over the world like Windows.
by santuccie May 23, 2009 11:37 AM PDT
"re: vista - the problem is that the majority of windows users aren't using Vista. Many of the people I know using Windows either aren't willing or don't have the hardware to update to Vista... many of them thought they were getting a better deal on their computer purchase.... saving hundreds over the Mac... as they have never considered the low specs of that 'bargain' PC. Now it is time to buy a new system if they want Vista. Maybe Win7 will have better luck. Also, judging by the popularity of 'turn off your UAC' articles, I wonder how many have turned it off?"
>>>>For those who don't want Vista, and will stick with XP, there's Invincible Windows. Not everyone has seen it, but those who do can benefit, as well as those they share the info with. At least give me some credit for all the work.

re: UAC, the answer is not many. I'm estimating that I see one system a month with UAC disabled. And again, I don't recall ever having seen Mebroot or Conficker on Vista. Understand that I deal with almost ten machines in a day, and it's been three years. But as far as I can remember, it's all been spyware, browser toolbars, and Trojans (not to be confused with drive-by exploits). And when I find a Trojan, I almost always find LimeWire, and an original culprit file in its downloads folder.

"re: fortify OS X - Well, for this one you just uncheck that box in prefs.... I've done it to our Macs and those of people around I know... so they are all safe."
>>>>Like you mention in the sentence that follows this one, I was looking for a universal method. This fix for Java is only one fix for one attack vector. Unless you can harden the attack surfaces themselves, you'll be playing the same cat and mouse game that antivirus vendors are playing as your platform chips away at MS' market share, and criminal syndicates in Russia and China get more familiar with the shell.

"If OSX got infected with any kind of system level issues, and you have a backup... you simply re-load your OS... plug in the backup.... tick the 'load from previous Mac/backup' option... and in a hour or two, you're back to a perfectly clean system. OSX doesn't have files scattered all over the world like WIndows."
>>>>Files scattered all over the world? I don't understand.
by santuccie May 23, 2009 12:02 PM PDT
One more thing. Invincible Windows isn't the only solution. There are sandboxes out there, including policy sandboxes like GeSWall. There's also Haute Secure, which blocks drive-by downloads in IE and Firefox without inconveniencing the user. Then there's DPI and NIPS, which is enough to block Web-borne threats while the user exercises common sense in leaving spam messages and dodgy Web sites alone. Have you ever heard of ISS BlackICE? Every Windows hacker I know uses it (or Proventia, either the software suite or the appliance itself).

9 million PCs is a lot of PCs. But it pales in comparison with 1 billion. Although the percentage of minor infections might be higher on Vista units than on Macs, I think that of botnet infections may actually be lower. And if it's not, betcha it will be before too much longer. More and more people are attacking the Mac (some are building Mac botnets now), and at least four drive-by exploits have been demonstrated (one publicly). ItW drive-bys are surely on the way. You can be reactive, and make changes AFTER you get infected (and it will probably be a long time before you find out, because modern worms like Conficker and Mebroot do not slow your system down, and because you apparently never scan it); I'll be proactive, and take measures now to make darned sure it doesn't EVER happen.
by SteveW928 May 24, 2009 10:52 PM PDT
@ santuccie -
"Files scattered all over the world? I don't understand."
In OSX, all the important files are in user areas... apps are in 'packages'... the OS can literally be easily replaced. I've not worked on Vista much, but unless it is extremely different than its predecessors, this is not the case with Windows. Apple even has a utility that any person could easily use to re-load the OS, then just plug in their backup and click a button.... back to a clean system..... not DLLs scattered all over the place and registry changes, etc. Most Mac apps don't have or need un-installers or install wizards... you just toss the app in the trash to un-install, or drag it from the install image to your application folder.

Also, I have scanned my Mac and others here and there, just out of curiosity. I refuse to install any of the active scanning apps unless things get bad, as they do more damage than they are worth. I've never found anything on any OSX system I've ever scanned (I did find a couple things on System 7 one time, many years ago).
by santuccie May 25, 2009 12:01 AM PDT
"In OSX, all the important files are in user areas... apps are in 'packages'... the OS can literally be easily replaced. I've not worked on Vista much, but unless it is extremely different than its predecessors, this is not the case with Windows. Apple even has a utility that any person could easily use to re-load the OS, then just plug in their backup and click a button.... back to a clean system..... not DLLs scattered all over the place and registry changes, etc. Most Mac apps don't have or need un-installers or install wizards... you just toss the app in the trash to un-install, or drag it from the install image to your application folder."
>>>>For a clean uninstall, I use Revo. There's System Restore, which is actually better in Vista than in XP. On my XP systems, however, I can't use System Restore at all (locking system32 cripples it; of course a virus would too). I use Acronis True Image. If I have a problem, it takes all of five minutes to restore some 9 GB of OS, registry hives, DLLs, etc. And as far as data files go, I have more than one copy. Even if I never made changes to my hard drive (and I seldom do), I know it will fail one day.

"Also, I have scanned my Mac and others here and there, just out of curiosity. I refuse to install any of the active scanning apps unless things get bad, as they do more damage than they are worth. I've never found anything on any OSX system I've ever scanned (I did find a couple things on System 7 one time, many years ago)."
>>>>I'm with you on this; I don't use active monitors. Did you use any rootkit scanners, or just plain, old AV/AS scanners?
by Vegaman_Dan May 20, 2009 10:37 AM PDT
I'm a bit confused- is this a vulnerability in the OS or in Java for OS X? Who is responsible to patch it- Apple or Sun/Oracle?
by w0rdwarri0r May 20, 2009 10:51 AM PDT
It's an old vulnerability in Java that was fixed by Sun on Windows, Linux and Solaris in December. Sun does not distribute a version of Java for OS X, only Apple does. Apple has chosen not to distribute that same fix in their version of Java, so the vulnerability is only for Java on OS X.

To answer your question, Apple is solely responsible for patching this vulnerability since Sun already gave them the code to fix it, and Apple has not yet distributed this fix.
by The_happy_switcher May 20, 2009 11:09 AM PDT
"Fuller explains that the flaw allows malicious code to run commands with the permissions of the current user. " What does this mean exactly? The user has to execute/download a file and then provide password? Or just visit a website and does it all without the user knowing about it?
by viper396 May 20, 2009 11:52 AM PDT
Please, after all your arrogant posts for Apple, all of a sudden you're pretending to be ignorant and need something explained to you? Or maybe the thought of contradicting some of your prior pro-Apple banter concerns you?

It means the user visits a website and it does it all without the user knowing about it. So much for the perception of Macs being immune to these kind of things.
by The_happy_switcher May 20, 2009 4:11 PM PDT
Say what you want. The articles I saw were NOT clear on this point. Most of these so-called proven vulnerabilities depend on the stupidity of the user. I'm all for Apple fixing vulnerabilities.


[CNET editors' note: Prohibited content deleted.]
by santuccie May 21, 2009 5:18 PM PDT
@AppleRocks1963:

Actually, you're mistaken. Java programs don't always require a user decision. I don't know if the Mac does this, but have you ever seen the Java icon suddenly appear in the system tray in Windows? This means a Java program has started. According to ballmerisanape, the PoC sample is in fact a drive-by download (it doesn't require user interaction). And just so you know, security researchers have been successfully infiltrating the Mac with remote exploits and taking complete control three years in a row at CanSecWest. In case you weren't aware after two years, security researchers are agreeing unanimously that OS X is the most vulnerable operating system on the market (XP isn't "on the market" anymore; it doesn't count).
by santuccie May 21, 2009 5:42 PM PDT
BTW, here's a quote from the Web site...

CVE-2008-5353 allows malicious code to escape the Java sandbox and run arbitrary commands with the permissions of the executing user. This may result in untrusted Java applets executing arbitrary code merely by visiting a web page hosting the applet. The issue is trivially exploitable.

"...merely by visiting a web page hosting the applet." "...merely by visiting a web page hosting the applet." "...merely by visiting a web page hosting the applet." Read it and weep.
by ikramerica--2008 May 20, 2009 11:14 AM PDT
"Open Safe Files After Downloading" should always be turned off. I don't know why Apple has that turned on by default (or if they still do, since I turn it off).
by Angmarr May 20, 2009 12:44 PM PDT
Guess many companies would rather be user/LAZY friendly than be anything else.

A similar example is the Windows "Auto Play" feature
by gggg sssss May 20, 2009 5:21 PM PDT
why is Java still around? Dead language from a dead company.