
Java Should Be Fun

So why isn't it fun?

Apropos the Apple Java scandal, Ted Landau wrote, as most did: 'turn it off'. But he also added 'the real world risk is very very low' and 'play it safe and disable Java for now even though it probably won't matter whatever you do'.

But that was probably before it became known what Landon Fuller had done.

Koivo & Tinnes, Czerniak & Fuller

Credit for discovery of the pernicious bug goes to Sami Koivo; credit for definitive work on it goes to Google security researcher Julien Tinnes; so how did Landon Fuller get involved? Easy: Jeffrey Czerniak told him about it.

Two and a half years ago Fuller made quite the name for himself by taking on the Month of Apple Bugs project single-handedly (with only a bit of help from Unsanity's Rottweiler and definitely without approval from Apple) to fight Apple bugs with - get ready - Unsanity APE haxies.

And Czerniak made an even bigger name for himself by postulating the people running Rixstep were none other than MOAB's Kevin and LMH because of their 'shared contempt' of haxies.

And that worked out really well.

So what did the duo do this time? Fuller published a proof of concept applet to demonstrate just how nasty this bug is. Of course he didn't bother obfuscating the source code of the app so by now every haxor on the planet has it.

What's really funny is how he's denying he ever exposed the code. And so now the 'real world risk' that was supposed to be 'very very low' is a bit higher again. So make sure you have Java turned off.

Never attribute to malice that which may have been done by Jeffrey Czerniak and Landon Fuller.

I have not posted source code or instructions on how to exploit the vulnerability.
 - Landon Fuller at Security Fix
Landon was nice enough to leave the .class files non obfuscated for those of you that missed it.
 - 'KF' at Daily Dave

See Also
The Technological: Landon Fuller
The Technological: Pandora's Box
Industry Watch: APE Bites Leopard
The Technological: MOAB 8 Fallout
The Technological: Jeffrey Czerniak
The Technological: Not Easy But Cool
Learning Curve: Apple Users: Turn Java Off
Apple Fun: The Canary Trap, the Leak, and the Mole
Industry Watch: A Totally Unsane Privilege Escalation
Industry Watch: A Fortnight of Apple Bugs (and Fixes)
Learning Curve: Don't Let APE Monkey with Your System
The Technological: The Canary Trap, the Leak, and the Mole

Copyright © Rixstep. All rights reserved.