Six months ago, a certain security flaw in Java was fixed by Sun. This flaw was present in OpenJDK, GIJ, icedtea and Sun’s JRE, but it got fixed in those. There’s one important shipping Java implementation that still has not been fixed to remove this security flaw: Apple’s Java.
This bug is pretty old, first reported to Sun in August last year. While most operating systems have mostly been patched by now, because they use Sun’s JRE or any of the other fixed implementations, Apple’s impementation still hasn’t been fixed (not even in last week’s 10.5.7 update).
Now, we have to take a closer look at just how serious this flaw is. It can be used to create a “write once, exploit everywhere” exploit, assuming you do not have applied a fix for this one yet, which at this point comes down to just Mac OS X users. Google employee Julien Tinnes details on his blog just how dangerous this security flaw is for Mac users. After a lot of technical talk about how to exploit it, he concludes that it’s pretty special.
“This one is a pure Java vulnerability. This means you can write a 100% reliable exploit in pure Java. This exploit will work on all the platforms, all the architectures and all the browsers!” he warns, “Mine has been tested on Firefox, IE6, IE7, IE8, Safari and on MacOS X, Windows, Linux and OpenBSD and should work anywhere. This is close to the holy grail of client-side vulnerabilities.”
He then goes on to say that:
So MacOS X users, please disable Java in your web browser. Others: make sure you have updated Java and still disable it in your web browser: it’s a huge attack surface and it suffers from many other security vulnerabilities.
Moreover, even without taking into consideration Java vulnerabilities themselves, since the Java plugin allocates all memory as RWX and doesn’t opt-in for randomization, a Java applet can be used to bypass ASLR and non executability (DEP on Windows) in browser exploits.
A harmless proof-of-concept was made by Landon Fuller, where visiting this web page with a Java applet will invoke
/usr/bin/say with your current permission level.
Apple has often been criticised for being quite lax when it comes to fixing known bugs in its operating system. For instance, Mac OS X has a history of shipping with outdated versions of various open source tools, leaving the operating system wide open to known attack vectors.
“In general Apple has been a little slower to apply upstream security updates in Java,” said Dino Dai Zovi, an independent security researcher and co-author of The Mac Hacker’s Handbook, “Whenever basically they’re lagging behind a vulnerability that’s out and known, it’s pretty significant. Potential hackers don’t have to discover anything new; they can use a vulnerability that’s already released.”
For now, the best idea is to disable Java while on Mac OS X, and wait for Apple to get its act together on this one.