Apple Nabs Java Exploit That Bypassed Disabled Plugin

Trailrunner7 writes "Apple on Thursday released a large batch of security fixes for its OS X operating system, one of which patches a flaw that allowed Java Web Start applications to run even when users had Java disabled in the browser. There have been a slew of serious vulnerabilities in Java disclosed in the last few months, and security experts have been recommending that users disable Java in their various browsers as a protection mechanism. However, it appears that measure wasn't quite enough to protect users of some versions of OS X."

Java and flash...

[sdsucks]

Incredibly, still the biggest shit on the internet.

Too bad, as a language I actually like Java. Flash is crap though, always was, always will be.

Re:Java and flash...

[eksith]

The problem with flash are the developers. ActionScript can do a lot of things... that doesn't mean those things should have been done. Of course if sandboxing was foolproof, things would have worked better for both technologies. Hopefully HTML5 can fill the gap for both and we can finally do away with both plugins.

Re:Java and flash...

[GoodNewsJimDotCom]

Windows could have been sandboxed too making it impossible to edit system files, access files outside the installation directory too. Also autobooting at start should be something only the user can choose and can't be automatically checked. This would have rendered most viruses useless. This should have been done circa 1995-98 when the Internet was just going mainstream.

Re:

[sdsucks]

Windows could have been sandboxed too making it impossible to edit system files, access files outside the installation directory too.

You have a lot more faith in sandboxing than you should. Sandboxing is more like a fence than it is a wall.

Re:

[angel'o'sphere]

Depends on the way how sand boxing is done.

E.g. you can changeroot the process and then it can't do anything.

On Macs a lot of stuff is getting more and more sand boxed. E.g. PDF rendering in Safari is done in a separate sandboxed process.

Re:Java and flash...

[drinkypoo]

E.g. you can changeroot the process and then it can't do anything.

chroot is a big help, but it doesn't preclude gaining access to memory, and if you have enough access to that then you can write files using other processes' permissions. You really need to virtualize to even claim to have a sandbox which is useful from a security standpoint. Even then it's not impossible to exploit a virtual driver and gain access to the underlying hardware indirectly.

Re:

[angel'o'sphere]

You are right if your OS is buggy, is it not, you can neither access other processes memory nor explot drivers.

Re:

[drinkypoo]

You are right if your OS is buggy, is it not, you can neither access other processes memory nor explot drivers.

Your fucking comment has a bug, you expect an operating system not to?

Re:

[angel'o'sphere]

Yes I do :)

Albeit knowing that this is rare.

Re:

[PDF]

On Linux and probably some other unices, chroot is not intended for use as a security mechanism. See http://it.slashdot.org/story/07/09/27/2256235/when-not-to-use-chroot [slashdot.org] and also man 2 chroot.

If you can take the performance hit, a VM of some kind (emulated bytecode, virtualization or JIT compilation) is much better for security. Unfortunately, security is more difficult than it seems at first glance, so it doesn't always get the attention it needs. Hence we have gaping holes in Java applets. This is why we

Re:

[PDF]

Actually, we get gaping holes in the Java environment that the applets run on. But I think you get the idea.

Re:

[angel'o'sphere]

A non priviledged process can not break out of its rot directory assigned to him by chroot.

I don't know if that was intended as a security feature, but imho it increaes security greatly. E.g. if your web server is running in a chroot environment ....

Ofc your other points are valid.

Re:

[sjames]

chroot is NOT a security API. Because of that, there are a few clever ways to escape a chroot, particularly if you can run with elevated privilege or get help from another (possibly unprivileged) process outside the jail.

It can be helpful, but since you're using the call for an unintended purpose, you have to be really careful with it.

Re:

[angel'o'sphere]

Sure, there is always a trick to circumvent something.
Howeve, for what exactly was chroot invented if nott for security? Otherwise I see no reason for it at all.

Re:

[sjames]

It is useful for debugging, protection from simple bugs, and system repair. It can also be used to run multiple instances of a system service designed to have a single instance per machine. In other words, it is a namespace utility.

The point is that the kernel developers do not make an effort to prevent circumventing chroot in several ways because it's not meant to be resistant to circumvention.

Re:

[angel'o'sphere]

That is an intersting point: not ment to be resistant.

OTOH most of your examples (wikipedia mentions them as well) could be done with proper setup of PATH and LDPATH as well, but perhaps it is easier to have a kind of "second system" where you can chroot to.

In fact most chroot systems I encountered where for emulation purpose. E.g. having a certain linux variant as host environment and having another one (chrooted) for development purpose. Some simple stuff like copy/paste not reliable working via X windows

Re:Java and flash...

[JDG1980]

Windows could have been sandboxed too making it impossible to edit system files, access files outside the installation directory too. Also autobooting at start should be something only the user can choose and can't be automatically checked. This would have rendered most viruses useless. This should have been done circa 1995-98 when the Internet was just going mainstream.

The problem is that circa 1995-98, the average home PC simply wasn't powerful enough to handle this kind of sandboxing while maintaining acceptable performance. Windows 9x basically ran on bare metal (one bad app could easily bring the whole system down) and there was no such thing as security. It was crude, but it was the best you could do on a Pentium 100 with 8 megs of RAM (16 if you were lucky). A modern smartphone leaves these old systems in the dust. The Windows NT series has a Unix-style security model, though it was undermined by the need for backwards compatibility forcing regular users to run as administrator (UAC was a belated attempt to fix this). But this also means that NT needs a faster processor and a lot more RAM than 9x. The first home version of Windows based on the NT kernel was XP, and people were all up in arms about its "outrageous" system requirements back in 2001.

Nowadays, you can usually get away with running as a limited user and escalating only when installing or updating a program from a trusted source. I agree that sandboxing could be more sophisticated than it is on Windows, but this isn't a unique flaw; in fact, it's a result of copying the outdated Unix security model, which assumes that the program is the user and would do roughly what the user wanted (maybe true in the 1970s on shared university systems, but obvious nonsense now).

Re:

[DKlineburg]

even if you sandbox, does the average user know when to click yes run, vs no don't? But I want to see cute kittens playing with yarn!

Re:

[penix1]

The problem is that circa 1995-98, the average home PC simply wasn't powerful enough to handle this kind of sandboxing while maintaining acceptable performance. Windows 9x basically ran on bare metal (one bad app could easily bring the whole system down) and there was no such thing as security. It was crude, but it was the best you could do on a Pentium 100 with 8 megs of RAM (16 if you were lucky). A modern smartphone leaves these old systems in the dust. The Windows NT series has a Unix-style security mod

Re:

[dreamchaser]

Only the 32 bit version of Windows 7 can run old 16 bit code for DOS or Windows, so you're half right since about half the people running Win 7 are using the 64 bit edition.

Re:

[drinkypoo]

Only the 32 bit version of Windows 7 can run old 16 bit code for DOS or Windows

Even in XP Mode? Not that I'm choked up about XP Mode, lots of software doesn't run in it at all.

Re:

[fredprado]

XP Mode is XP installed in a virtual Machine. You can run pretty much whatever you want in a virtual Machine. With the same argument you could say that Windows runs OS X and Linux applications.

Re:

[drinkypoo]

So was Classic. Except it was Mac OS.

XP Mode won't run Civ 2 on amd64.

Re:

[fredprado]

XP Mode runs on Virtual PC a MS virtualization solution, which is similar to VirtualBox and VMWare, if not as polished. Civilization 2 can be run on Virtual PC as long as the OS you decide to install in it is compatible with Civ 2. Windows XP is not.

Re:

[drinkypoo]

Civilization 2 can be run on Virtual PC as long as the OS you decide to install in it is compatible with Civ 2. Windows XP is not.

Civ 2 runs fine on XP. Even better with an idle mode patch. It doesn't run on XP Mode with or without it. It runs fine in vmware on the same machine. Your argument is offensively stupid bullshit both because it is wrong and because it is a Microsoft apology.

Re:

[fredprado]

The original release of Civ 2 (from 1996) does not run on XP. The new release of Civ 2 from (2002) runs on XP AND on Windows XP Mode too. You probably forgot to disable XP Mode integration features, which is required for it to run most games. If you don't know how to use XP Mode, the problem is certainly you, not XP Mode.

Re:

[drinkypoo]

Civ 2 Multiplayer Gold does not run in XP Mode on Win7 on amd64, or at least, it didn't for me. And I didn't forget to enable anything, it just doesn't work. I know precisely how to use XP Mode. Delete that piece of shit, and install XP in VMware Player, which is dramatically superior software, and costs me just the same amount as XP Mode. Even better, I can run it on something that isn't Windows, where it not only provides superior performance but also doesn't involve me running Windows on my bare hardware

Re:

[fredprado]

I have Windows 7 64 bits installed and I happen to have Civ 2 Gold Edition (2006) too. It works just fine for me on XP mode. I also have both VMWare and Virtualbox installed and it works in both well too.

Don't take me wrong. I don't like MS either, but XP Mode and Virtual PC are not part of the reasons why I do.

Re:

[fa2k]

the outdated Unix security model, which assumes that the program is the user and would do roughly what the user wanted (maybe true in the 1970s on shared university systems, but obvious nonsense now).

It's a good thing that it evolved this way, because insecurity also makes it easier for the programmer. If malware and cyber* was as rampant in the late 1990s as it is now, we would have some horrible locked down computers which only did ~6 things that were blessed by the manufacturer. Today is a good time to start making systems more secure, but there also needs to be an open-ended environment where small programs can share data without any restrictions.

Re:

[tepples]

If malware and cyber* was as rampant in the late 1990s as it is now, we would have some horrible locked down computers which only did ~6 things that were blessed by the manufacturer.

That's exactly what we have had since 1985 with the lockout mechanisms in the video game consoles that displaced Commodore computers.

Re:

[angel'o'sphere]

This is not insightful, if at all it is informative :D Because it is half wrong.

The problem is that circa 1995-98, the average home PC simply wasn't powerful enough to handle this kind of sandboxing while maintaining acceptable performance. Windows 9x basically ran on bare metal (one bad app could easily bring the whole system down) and there was no such thing as security. It was crude, but it was the best you could do on a Pentium 100 with 8 megs of RAM (16 if you were lucky).
All other operation systems ru

Re:

[washu_k]

All other operation systems running on similar hardware but having strict security and privileges proof you wrong. Even Linux existed at that time already and ran happily on that hardware.

No, he is completely correct. Linux of the time did not "run happily" on that hardware with the same level of GUI complexity as Win9x. Either Linux had no GUI at all, or a simple window manager like TWM or FVWM.

This is also doubly wrong in claiming that all other operating systems at the time had proper security. The biggest competitors to MS at the time were even simpler and less secure OSes. For GUIs there was MacOS which didn't have protected memory and could barely multitask, along with having no

Re:

[angel'o'sphere]

I had linux installed on a 486 with 16MB and 32MHz.
It run superb and was much faster than Win 95/98 on a Pentium 2.
Also I don't recall that windows had any fancy thing in its windows manager that costs more cpu power than X did.
On top of that, you seem not to know much about computing history.
The OSes I refer too are Sun BSD (Sun OS 4) the early Sun Solaris, HP Ux, Dec Ultrix, Vax VMs, and there are dozens more, SGI, Apollo etc.
So no, you and your parent are wrong. You are wrong on the simple fact: security

Re:

[fredprado]

Virus developers adapt. No system is 100% secure as this very article shows, and a single exploit is all that is needed. From the security perspective, being mainstream is the greatest problem Windows always faced, not any inherent security issues.

On the other hand, far from me saying Windows is a good OS. From the usability and stability perspectives, of course, Windows has always been bad.

Re:

[angel'o'sphere]

Flash was a nightmare on Macs untill recently.

After a day or so you always had a flash process running that ate one of your CPUs for 98% or more.

For some reason flash was unable to "not animate" all hidden windows etc.

I switched to Chrome for only one reason: the Taskmanager window. Here you can kill the flash process without harming the open tabs. (Well every flash widget gets a "sad eye": oh! flash is gone!"

This is the reason why iOS does not support Flash natively.

I believe Safari runs Flash now in a sep

Re:

[drinkypoo]

The problem with flash are the developers.

Yes, the developers writing malware. Wait, what? If the system permits you to write malware, and part of the purpose of the system is sandboxing, then clearly the system is the problem. Do you mean the developers of flash? We don't really care why the software has holes in it, whether it's developers or physics or aliens. We care about the holes. The programmers are not the direct problem for the user unless they're coming into their house and eating their cheeseburgers.

Re:Java and flash...

[casab1anca]

Flash is crap though, always was, always will be.

Flash may be crap now but for a long time, it (and Shockwave before it) was the only practical way of displaying interactive multimedia content in the browser.

Re: Java and flash...

[Anonymous Coward]

You're right, but as they added features they always treated security as an afterthought.

If security isn't part of the foundation and framework of your products then you're always going to be playing catchup as you ship vulnerabilities to your customers.

Re:

[sdsucks]

In a web development project, I consider both Java and Flash unusable for that reason.

Re:

[sdsucks]

C and C++ applications are typically not embedded in web pages, and no web browser would execute them if they were.

Flash and Java are both commonly embedded in web pages, and execute automatically if the user has the plugin installed.

Re:

[TwilightXaos]

http://noscript.net/ [noscript.net]

Maybe.

Re:

[Psychotria]

Server-side C or C++ work fine. But then there is the problem that the server is executing the code so most website servers wouldn't be able to handle the load. The alternative is for the client to do the processing which is fraught with danger. It's one of the reasons that I've always been averse to client-side execution from the start but, pragmatically, there is no way around it. Web-browsers these days are more like virtual machines than anything else.

Re:

[sproketboy]

Er, Java and Flash are written in C or C++.

Re:

[angel'o'sphere]

I guess you never heard about ActiveX ;D

Re:

[Stupendoussteve]

Or Google's Native Client.

Re:

[sdsucks]

Regardless of the "Flamebait" modding, the reality is that Flash and Java alone are responsible for far more than their fair share of actively exploited vulnerabilities.

Re:

[Clsid]

I don't feel sorry for Java, on the contrary I'm quite happy that Java is going away. Java was like a hippie ideal for peace, neat idea but so much bs going on around it.

I have always felt that using languages that wasted so many CPU cycles like Java were making our hardware obsolete before time. I still remember when on a Pentium 100 you could do wonders. Even Visual Basic, which was also inefficient, was pretty fast and it was perfect for business applications, until they started doing the Java thing with

So...

[Molochi]

If the Apple Safari browser on Apple OSX had Java disabled it let it run anyway? Glad they fixed that.

Such an hero.

Re:

[Stupendoussteve]

Kind of.

The issue was not Java applets embedded in webpages, they were still disabled. It has to do with a (stupid) feature in Safari, "Open 'Safe' files after downloading." Apparently the Java web start files were on the safe list and would auto-execute.

Re:

[Kyusaku Natsume]

Since Safari 2 or 3 that "Open safe files after downloading" as been the worst design decision by the Safari team. It is the first thing I disable when I do a new install of OS X.

Not a bug?

[subanark]

A webstart link is simply a jnlp file, which is an xml file, that if opened with javaws will start up the Java application (in a sandbox or warn the user it won't). This does not attach to the web browser and runs in its own frame. When you install Java it should associate jnlp files with javaws so that when you click with a browser it shouldn't launch the javaws program unless you choose to always open with it when you click it.

From the article this seems to be a bug with the way the Mac handled scripts in an unexpected way.

Re:Not a bug?

[_xeno_]

It's only not a bug in that it was by design.

Basically Mac OS X has a list of "safe" files that don't bring up an "are you sure you want to open this file?" dialog after it's been downloaded. The idea is that if you download a text file, you won't get a dialog warning you that the file is insecure when you try and open it.

JNLP files were put in that list, presumably based on the assumption that Java was "secure." (Bad assumption!)

The fix was to remove them from the safe list, so now you'll get an "are you sure?" dialog from the OS itself rather than assuming Java is secure.

Re:

[_xeno_]

Java Web Start itself can also bring up an "are you sure?" dialog, which is different from the OS dialog. There's a generic universal "you downloaded this file off the Internet, are you sure you want to open it?" dialog that is shown in Mac OS X by Finder for all "non-safe" files.

The Java Web Start one I think only got triggered if your app was signed and requested not to run in the sandbox. If it was unsigned and didn't request to run outside the sandbox, I'm pretty sure JWS has always just launched the ap

Re:

[drinkypoo]

Do you have an Active Directory domain set up?

Ah yes. I can see how much easier Windows is to administer, I have to have a domain before I can do anything sensible with it. Of course, I'd better have a backup domain controller. In a small office you might have four PCs, now I need two more and each on their own UPS to make sure that I don't have a failure that prevents work from being done.

At least for Adobe Reader you can just leave it out and install Foxit instead. I wish there was an available alternative to Java.

I am able to run what few Java things I try to run on my Linux system with the available alternative. When it gets updated automatically along with my OS updates, I

Re:

[devent]

That's the fault of the operating system (i.e. Windows).
I have Windows 7 for gaming and every time I start it to do some games, a few popup will come up, sometimes my screen will get black with a UAC dialog. That one time, Windows 7 just terminates my game and do a restart (for updates).

Use a real operating system like Linux and that stupid will go away. No more popups from 10 different applications informing you of an update, no more restarts to do updates (not even for a kernel update you need a restart).

Re:

[Stupendoussteve]

I don't think this was a flaw in that safe files list. It mentions it could be executed automatically, not that it was executed without warning.

Safari has the "Open 'safe' files automatically' option which is turned on by default. I think this is more likely the issue.

Re:

[girlinatrainingbra]

Scripts are executeables, too, eh? ;>) It took the mac-masses a while to notice. The problem with saying "there's a problem with java" and disabling java in the browser was leaving an attack vector open on the desktop by leaving java as a standalone. So if there's a known java explout and the recommended action is to disable java, then stopping the browser-plug-in is only part of the solution. Disabling the standalone java or jar execution system is also necessary.

Re:

[subanark]

Not entirely true. You simply want to disable automatic execution of Java code. There are many apps out there that people don't even know use Java to run (although many of them use a private JVM to run in). The same goes for flash.... you wouldn't want your flash app to stop working since you disabled it in your web browser.

I know that Ubuntu requires jars to have the executable set on them before you can use them with java. What the mac did will still allow this, as it marks files as to their original loca

Re:

[Molochi]

It's that thing that allows your users to access their web client at work.

Re:

[binarylarry]

Just Another Vulnerability Angle?

FYI Java is not an acronym.

how long?

[arbiter1]

Issue really is How long was the flaw known and How long did it take Apple to get off their ASS to fix it?

Why is the browser launching anything?

[Animats]

Hello? Why is a web browser launching other applications without explicit user consent? Ever?

This was the classic Microsoft security hole - executing anything that came in which could possibly be executed - Word documents, spreadsheets, autoplay files, Universal Plug and Play. Microsoft has now turned most of that off. Apple is replicating a classic Microsoft mistake here.

Re:

[Psychotria]

Even displaying a PDF (or rendering fonts for that matter -- they are code as well in most instances these days) is the browser executing something.

Re:

[Psychotria]

Actually I am pretty sure that font rendering under Windows is in kernel space, so conceivably simply displaying a font could be an effective attack vector; i.e. I don't think that an exploit relying at least partially the font rendering system is beyond the realm of possibility.

Re:

[jo_ham]

Hello? Why is a web browser launching other applications without explicit user consent? Ever?

This was the classic Microsoft security hole - executing anything that came in which could possibly be executed - Word documents, spreadsheets, autoplay files, Universal Plug and Play. Microsoft has now turned most of that off. Apple is replicating a classic Microsoft mistake here.

It doesn't, or it shouldn't - that was the point. Safari *does* explicitly ask for consent before launching apps downloaded from the internet, but one script type was whitelisted by accident/oversight. This has now been fixed.

Re:

[loufoque]

You clicked the link, that's explicit consent.

Re:

[tepples]

You clicked the link, that's explicit consent.

No, the advertisement on an unrelated web page redirected to the link.

Don't use computers, problem solved

[Anonymous Coward]

I solved the problem by:

1) Uninstalling Java
2) Throwing the computer in the trash

Problem solved.

Re:

[Psychotria]

I solved the problem by:

1) Uninstalling Java
2) Throwing the computer in the trash

Problem solved.

I have done this as well! I also don't use the internet.

Re:

[roman_mir]

You are doing it all wrong, arms. GET RID OF THE ARMS! Did you know arms were digital?

Qt Java

[dannydawg5]

I used to be a Java fan until I found Qt. I see no reason for Java except in very narrow cases.

http://dannagle.com/2013/03/qt-java/ [dannagle.com]

Re:

[gtall]

Except for the mountains of back end Java code which happily works just fine, surely you knew this, yes?

Re:

[tepples]

thanks to JIT compilation

How is JIT compilation compatible with strict W^X security?