Home » Learning Curve
Java Should Be FunSo why isn't it fun?
Apropos the Apple Java scandal Ted Landau wrote as most: 'turn it off'. But he also added 'the real world risk is very very low' and 'play it safe and disable Java for now even though it probably won't matter whatever you do'.
But that's probably before it became known what Landon Fuller had done.
Koivo & Tinnes, Czerniak & Fuller
Credit for discovery of the pernicious bug goes to Sami Koivo; credit for definitive work on it goes to Google security researcher Julien Tinnes; so how did Landon Fuller get involved? Easy: Jeffrey Czerniak told him about it.
Two and a half years ago Fuller made quite the name for himself by taking on the Month of Apple Bugs project single-handedly (with only a bit of help from Unsanity's Rottweiler and definitely without approval from Apple) to fight Apple bugs with - get ready - Unsanity APE haxies.
And Czerniak made an even bigger name for himself by postulating the people running Rixstep were none other than MOAB's Kevin and LMH because of their 'shared contempt' of haxies.
And that worked out really well.
So what did the duo do this time? Fuller published a proof of concept applet to demonstrate just how nasty this bug is. Of course he didn't bother obfuscating the source code of the app so by now every haxor on the planet has it.
What's really funny is how he's denying he ever exposed the code.
And so now the 'real world risk' that was supposed to be 'very very low' is a bit higher again. So make sure you have Java turned off.
Never attribute to malice that which may have been done by Jeffery Czerniak and Landon Fuller.
I have not posted source code or instructions on how to exploit the vulnerability. - Landon Fuller at Security Fix Landon was nice enough to leave the .class files non obfuscated for those of you that missed it. - 'KF' at Daily Dave
See Also The Technological: Landon Fuller The Technological: Pandora's Box Industry Watch: APE Bites Leopard The Technological: MOAB 8 Fallout The Technological: Jeffrey Czerniak The Technological: Not Easy But Cool Learning Curve: Apple Users: Turn Java Off Apple Fun: The Canary Trap, the Leak, and the Mole Industry Watch: A Totally Unsane Privilege Escalation Industry Watch: A Fortnight of Apple Bugs (and Fixes) Learning Curve: Don't Let APE Monkey with Your System The Technological: The Canary Trap, the Leak, and the Mole
|