CanSecWest MacBook Pro challenge exploits Java-enabled browsers, including Firefox

“According to Matasano (home base for security researcher Dino Dai Zovi), the announced-but-unreleased web browser exploit that was used to win the CanSecWest MacBook Pro challenge involves browser support for Java. Turn off Java for Safari (or Firefox, or Camino) and your machine is immune,” Michael Rose reports for TUAW.

Full article here.

“The vulnerability affects Firefox as well as Safari,” Matasano Chargen reports.

Full article here.

[Thanks to MacDailyNews Reader “Adam W.” for the heads up.]

MacDailyNews Take: The story clarifies. As it always seems to do after the damage is done in the media (meanwhile, Mac users continue to surf the Web unaffected). So, that’s some Mac OS X “hack,” huh? Ten grand and a MacBook Pro for that? Pfft. We await InfoWorld’s next hysterical headline regarding this developing story with bated breath.

MacDailyNews Note: To protect yourself from this unreleased-in-the-wild, yet extremely over-publicized scourge, in Safari’s Preferences, uncheck “Enable Java” in the “Security” tab. In Firefox’s Preferences, uncheck “Enable Java” in the “Content” tab.

Related articles:
InfoWorld publishes false report on Apple Mac security – April 21, 2007
CanSecWest’s $10,000 ‘Hack a Mac’ challenge relaxes barriers, finds exploitable hole in Safari – April 20, 2007
Apple MacBooks hold strong, remain unhacked after first day of $10,000 ‘Hack a Mac’ challenge – April 20, 2007
CanSecWest sweetens ‘Hack a Mac’ contest pot to $10,000 – April 20, 2007
CanSecWest to hold ‘PWN to OWN’ contest: pits Apple MacBook Pros vs. hackers – March 26, 2007
Microsoft’s oft-delayed, much-pared-down Windows Vista hacked at Black Hat – August 07, 2006
Microsoft publicity stunt asks hackers to attack Windows Vista – August 04, 2006
Apple Mac remains ‘unhacked’ as University of Wisconsin’s Mac OS X Security Challenge ends – March 08, 2006
Mac OS X ‘unhacked’ over 24 hours and counting in genuine security challenge – March 07, 2006

44 Comments

  1. Microdaft fanboys are the world’s best believers in George Orwell’s “doublethink.” In their addled minds Five Years = Six Months, Zune = iPod, and 1 = 100,000. Gawd, how I wish I could think like that sometimes.

  2. Turning off Java will not affect stuff like rollovers, scripted stuff – that’s Javascript, which is completely different. Java is used for applets and online Java apps and so on. You should barely notice that it is turned off.

    Magic Word = remember.
    Remember, Java and Javascript are two different, unrelated technologies (loosely used term…)

  3. I have the same question as dergolem. Also, would we have to uncheck “Enable Javascript” as well as “Enable Java” in Safari’s Preferences?

    BTW, The Register published a snarky article called:
    Safari zero-day exploit nets $10,000 prize
    Pwn’d in 12 hours
    By Dan Goodin in Vancouver

    “A New York-based security researcher spent less than 12 hours to identify and exploit a zero-day vulnerability in Apple’s Safari browser that allowed him to remotely gain full user rights to the hacked machine…The exploit means that Dino Dai Zovi is the rightful owner of the 2.3Ghz 15-inch MacBook Pro and a $10,000 prize offered by Tipping Point, which runs the Zero Day Initiative bug bounty program… More importantly, his work effectively throws cold water on tired claims from Apple and its many lackeys that the Mac is all but immune from the kind of security attacks more regularly perpetrated against Windows-based machines…The ease Dai Zovi found in pwning the machine was all the more remarkable, given an update Apple pushed out yesterday patching 25 Mac security holes.”

    My understanding was this hack did not allow someone “to remotely gain full user rights” as the article states. Is that correct?

  4. Javascript is called Javascript because when Netscape invented it Java was the hot up-and-coming language that was going to take over the world, and they wanted a buzzword-bingo-esque name for it.

    The two have absolutely nothing to do with each other.

  5. REGARDLESS

    Safari and Mac OS X should have safeguards against other programs or code doing things they are not supposed to do.

    FYI: Java, and Javascript are not made by Apple.

    With this exploit, just by clicking a link the entire contents of my user folder could be deleted.

  6. What’s REALLY alarming is

    That with Intel based Macs, there is an EFI firmware accessible partition on the hard drive that can be accessed by programs to install DRMware, monitorware, drivers etc.

    EFI loads and runs, accesses the internet and downloads EVEN BEFORE THE OS HAS!!!

    So basically the OS is not in charge anymore, it’s what one installs via third party programs.

    Scary huh?

    Look here for info.

    http://refit.sourceforge.net/

  7. Islandgirl, the way I understand it, Zovi gained access to one user account but not root access, so he would only have been able to do things in that one account.

    Btw, I wonder if the Java hole he found also affects IE in Windows….

  8. And I am assuming the hack came from some Sun employee who understands the exploit all too well…

    Nice contest. Not!

    Look, if someone can’t hack the system so be it. But to go changing rules on the fly because it can’t be done, thus cannot create a nice rack up of web hits, please…

  9. I’m betting running as a limited user avoids this exploit.

    Running as a limited user is a piece of cake in OS X. It takes a few seconds to set up (and you rarely have to escalate once your mac is set up). Just make an admin account (don’t forget the login and password) and uncheck yourself as an admin user.

    It is just another way to protect yourself (with little hassle).

  10. If you think EFI is vulnerable to attacks, you might want to look into BIOS (which virtually every Windows PC out there uses). It’s far more vulnerable to different types of attacks than EFI is.

  11. So if this is the case, I’ll just make a toggle switch so that my computer boots with no net connection, and when it’s finished booting up I’ll hit the switch.

    That all sounds fine and dandy, but EFI sits between the OS and hardware, running all the time.

    You install a program and it won’t run unless the program in EFI contacts the internet.

    Right now Apple is shipping EFI Macs with the partition empty, but that might not remain that way once people start installing programs.

    What’s funny is EFI is not controlled by Apple, but by the UEFI.

    http://www.uefi.org/home

    So just like Java and Javascript, any bug or exploit in EFI is totally out of Apple’s control.

    Remember the pop-unders you see here at MDN? Well that’s a Javascript exploit that was never fixed. Apple just makes the pop-under disappear after it’s done rendering. That’s not a fix, just a bypass, the exploit is still there.

  12. If you think EFI is vulnerable to attacks, you might want to look into BIOS (which virtually every Windows PC out there uses). It’s far more vulnerable to different types of attacks than EFI is.

    But EFI is much more powerful; when the bugs start appearing in EFI, Mac OS X security won’t mean much and Apple can’t do squat about it.

    Much like Apple can’t do squat about Java and Javascript exploits.

    Third party companies really don’t care about a computer’s security.

    95% of exploits are application exploits. That’s amazingly high.

  13. Turn off Java and Apple.com won’t work, I tried it earlier today.

    So does this mean Mac users are getting paranoia about security?

    I hope not. There is nothing in the wild, and this exercise demonstrates how pointless it is for hackers to even bother.

  14. Midlothian wrote, “Microdaft fanboys are the world’s best believers in George Orwell’s “doublethink.” In their addled minds Five Years = Six Months, Zune = iPod, and 1 = 100,000. Gawd, how I wish I could think like that sometimes.”

    They also think 74 Microsoft Points = $1.
