Home » Learning Curve
Apple Users: Turn Java OffThen wait for the fix. And be patient.
All users of Apple's OS should immediately disable Java on their systems and only use it with the greatest discretion. The fix for a long-standing and easily exploitable bug in Sun's Java has yet to be propagated to Mac OS X.
The bug - rather the security hole - has been now widely reported in the media. All hyperlink references eventually lead back to Sami Koivo who originally discovered it and Julien Tinnes who further elaborated on it.
Write Once, Own Everyone
'I've been wanting to talk about this for a while', writes Google security researcher Tinnes. 'I was holding off while Apple were working to patch this vulnerability. Unfortunately it is still not patched in their latest security update from just a few days ago [http://support.apple.com/kb/HT3549 2009-05-14]. I believe that since this vulnerability has already been public for almost 6 months, making Mac OS X users aware that Java needs to be disabled in their browser is the good thing to do.'
The fact that exploits can be written solely in Java means they'll work on any platform at all.
'This one is a pure Java vulnerability', writes Tinnes. 'This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers! Mine has been tested on Firefox, IE6, IE7, IE8, Safari and on Mac OS X, Windows, Linux, and OpenBSD and should work anywhere.'
'This is close to the holy grail of client-side vulnerabilities.'
Apple aren't the only slackers here. Sami Koivo reported seven 'bugs' to Sun in the past year; as of 27 April 2009 only two have been remedied. The fastest Sun reacted was four months and one day.
| Reported | Fixed | Description | | 2008-05-11 | 2008-12-02 | FileSystemView allows read access to file system structure | | 2008-05-11 | | Undisclosed vectors allow folder creation | | 2008-08-01 | 2008-12-02 | Calendar.readObject allows elevation of privileges | | 2008-08-18 | | Read access to System Properties | | 2008-10-19 | | Undisclosed vectors allow elevation of privileges | | 2008-10-26 | | Undisclosed vectors allow directory listing and file renaming/moving | | 2008-11-02 | | Generic security architecture problem |
But Apple are several versions more behind. 'mrstevenman1' comments.
So if any OS X user wants this fixed they have to wait for Apple who is constantly slow to react, patches the OS in huge nondescript blobs in 3-4 month intervals, and refuses to be open at all with their own users. They probably won't even comment on this.
They just aren't that good at managing an operating system and this is a case where Apple has decided they either no longer care (this is why 32-bit Intel still only uses Java5 3 years after Java6 was released) or are just slow and stupid or both. Not only that - the Java5 they ARE using appears to be multiple releases behind the last official one.
Doesn't sound good at all. Any hopes on the horizon? Yes actually.
California Fruit Vendor Security Czar
'I work on core security for a California fruit vendor', writes Croatian Ivan Krstić who began at Apple one week ago. Krstić formerly worked with the One Laptop per Child project. 'I enjoy breaking computers' writes Krstić. 'I enjoy making computers hard to break even more.'
Here's hoping Krstić gives the Apple UE engineers a swift kick and gets Mac OS X back on track.
|