
daveinpoway
Premium
join:2006-07-03
Poway, CA
kudos:2

[Security] Mac Security: New Java Driveby Appears, Protect Yours

"Better safe than sorry. There is a powerful new Java exploit available that can be used to attack and take over Windows, Linux and Mac computers. Yet, there are simple things you can do to protect yourself. Step inside for full details on this latest Mac security threat and how not to be a victim.":

»www.tapscape.com/mac-security-ne···appears/



Mike
Premium,Mod
join:2000-09-17
Pittsburgh, PA
kudos:1

Re: [Security] Mac Security: New Java Driveby Appears, Protect Y

Java is awful.

Film at 11.



JohnInSJ
Premium
join:2003-09-22
San Jose, CA

said by Mike:

Java is awful.

Film at 11.

I'm wondering what exactly this gets you on a non-admin account on a machine behind a decent firewall. Not much would be my guess.
--
My place : »www.schettino.us


Mike
Premium,Mod
join:2000-09-17
Pittsburgh, PA
kudos:1

1 edit

If it's a true exploit it can elevate itself.

Just look at how hard IE gets raped on "limited" accounts if you follow any security forums.



skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
reply to daveinpoway

Don't you actually have to go to Oracle to get Java 1.7?

If you go to a page that needs Java and OS X prompts for the DL and everything, it's 2012-004 which is 1.6.0.33 isn't it, not the 1.7.0.6 that you get from Oracle.

So very few OS X users would have 1.7 installed (and this exploit only works with 1.7).



howardfine

join:2002-08-09
Saint Louis, MO
reply to Mike

said by Mike:

If it's a true exploit it can elevate itself.

Just look at how hard IE gets raped on "limited" accounts if you follow any security forums.

You can't compare IE or Windows to Unix which OSX is. And IE is not a modern browser either.

And elevate permissions? How is that even possible on OSX?


Mike
Premium,Mod
join:2000-09-17
Pittsburgh, PA
kudos:1

I'm not a programmer.

Was Mac Defender a pure drive-by? Did that hit Standard accounts too?



skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2

Mac Defender was user installed malware. Users were tricked into thinking it was valid security software, would download it and install it. It required user intervention and user credentials to install.



howardfine

join:2002-08-09
Saint Louis, MO
reply to daveinpoway

»www.theregister.co.uk/2012/08/27···exploit/

quote:
In the form in which it was discovered, the exploit only works on Windows machines, because the payload that it downloads is a Windows executable. But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.

Which means no method has been found that involves Linux or Mac. And while they claim it "could" happen "given the appropriate payload", they don't define what any of that means which DOES mean...they don't know.


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
reply to Mike

said by Mike:

If it's a true exploit it can elevate itself.

Just look at how hard IE gets raped on "limited" accounts if you follow any security forums.

User elevation would have to be via a separate exploit, which would have to be zero day if it's unpatched. So again, I wonder what this actually does beyond open a connection to a download site and download the actual infection payload (which you have to be vulnerable to...)
--
My place : »www.schettino.us


JohnInSJ
Premium
join:2003-09-22
San Jose, CA
reply to howardfine

said by howardfine:

»www.theregister.co.uk/2012/08/27···exploit/

quote:
In the form in which it was discovered, the exploit only works on Windows machines, because the payload that it downloads is a Windows executable. But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.

Which means no method has been found that involves Linux or Mac. And while they claim it "could" happen "given the appropriate payload", they don't define what any of that means which DOES mean...they don't know.

Yep, the more I hear about this the less sky is falling it seems to be. Sure, Java is a gaping security hole, and has been forever. So, what else is new?
--
My place : »www.schettino.us


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
reply to daveinpoway

Been patched

»www.oracle.com/technetwork/java/···363.html



haroldo

join:2004-01-16
united state
kudos:1
reply to daveinpoway

On behalf of the lurkers and other folk that may not understand all the implications, may I ask a few questions...

If I disable or remove Java, will [ all, most, many, some or only few ] ... web sites not work properly?
Without disabling Java, how do I know if a web site needs Java?
Is it easy to disable/enable or do I need to uninstall? If so, how?
Is this something that I can turn off for most sites, but turn back on for the few sites that require it?
What type of sites typically require Java? (video? banking? games? adult? etc.)
Can I disable it for one user account and enable it for another?
Will this correcting update show up with Software Update... (pre-ML) or App Store/Updates (post ML), or will I need to go to Java/Oracle's site to get the update?
I'm very confused with the various products at Java's site...what is the product that the average user would need (assuming they need it for sites that they must visit).

Thanks!



skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2

4 edits

1 recommendation

I'm not a programmer but it seems the difference to note is understanding the difference between java and javascript. Logic says that javascript is just a subset of Java but it isn't. While sharing the same name they're about as similar as toy and Toyota. They're completely different animals.

Java is the biggie, a runtime that allows a java program to run like any other program on the system. You can sort of think of the Java runtime as a mini-operating system able to run Java programs. This can make Java very powerful but also is a significant security risk. If Java is enabled in the browser, I think it can allow a standalone execution of a java program that can get "out of the browser" via the runtime....I think. Basically a vulnerability in the runtime is the hole a hostile java program uses to get control of the system.

This is different than javascript which can only run within the browser which these days is typically sandboxed so anything running IN the browser can't get OUT of the browser. There is no access to the system, no bridge between the browser and system like the one created by Java runtime.

Javascript is a powerful scripting language and used for a lot of small features within websites like menus or popup features. Disabling javascript can, and for me does, greatly degrade website functionality. Meanwhile, Java can usually be disabled with no reduced functionality of web browsing. Some "applets" won't function like the DSLR speed test that is written using Java but those are getting rarer these days. Recently those Java type applets are now written in Adobe Flash (like the speedtest.net speed tests or the newer DSLR Flash speed test).

So for me, I disabled Java in the browser but do run javascript with no impact on my browsing.

In general, browsers these days are VERY secure. It seems it is always these 3rd party add-ons that are the vectors for attack, Oracle Java (not Netscape javascript), Adobe PDF, Adobe Flash, Apple QuickTime, etc.



JohnInSJ
Premium
join:2003-09-22
San Jose, CA

said by skeechan:

Recently those Java type applets are now written in Adobe Flash (like the speedtest.net speed tests or the newer DSLR Flash speed test).

So for me, I disabled Java in the browser but do run javascript with no impact on my browsing.

Or html5. Java is great for a lot of things. Browser apps aren't one of them. Disable it. You will find everything works just fine.
--
My place : »www.schettino.us

reply to haroldo

If I disable or remove Java, will [ all, most, many, some or only few ] ... web sites not work properly?

I don't even have Java on my Mac, never had a problem. On my other Macs I have it disabled. The only site to give me a problem was this site trying to do a tweak test.



Mike
Premium,Mod
join:2000-09-17
Pittsburgh, PA
kudos:1

Something like Photoshop now requires Java. So some people are SOL.



skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2

It does? While I have Java runtime 1.6 installed it's disabled in the java panel (term reports no java to invoke) and PS CS6 runs fine. But I don't have any 3rd party PS add-ons, just the add-ons included with CS6.



Mike
Premium,Mod
join:2000-09-17
Pittsburgh, PA
kudos:1

OS X 10.7 and 10.8 will prompt you to install Java JRE when you launch PS 5.5 or PS 6.

I did it two times yesterday on two different machines.



skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2

No part of CS6 has JRE dependency including the installers. It's a "bug" in Lion and the workaround from Adobe at this time is to let it install. JRE can be disabled after install and CS6 apps will launch fine. An active JRE is not required for CS6 on the Mac.



howardfine

join:2002-08-09
Saint Louis, MO
reply to Mike

I'm surprised that PS would require Java, too.

One of the big differences is that Java has two places. One is for the web and one is for applications. Most people don't use Java for the web anymore (such as in applets) while Java is heavily used in programming applications, including those used to generate web pages.

This particular problem arrives through the web browser so the browser must have the Java plugin and obtain the infected page/picture/(I forgot what) and allow it to execute. If the browser does not have the Java plugin then this infection has no way of getting onto your system.

This is not a problem if your browser has Java disabled or uninstalled even if you use Java on your computer.



howardfine

join:2002-08-09
Saint Louis, MO

Furthermore, this is not a problem with *nix or Macs. Java is considered a trusted installed program that is given a lot of permissions to run on the system. If that trusted programming environment gets compromised, as in this case, then the infecting program may have the same access that Java has.

In another thread I dispute whether such a thing can still happen but I don't feel like taking the time to think it through. People bring up a lot of "what ifs" and "yeah buts" and things that require adjusting rabbit ear antennas to make me think any of this is possible on a Unix machine which is what OSX is.


jram

join:2003-08-06
Albany, NY

Java is considered a trusted installed program that is given a lot of permissions to run on the system. If that trusted programming environment gets compromised, as in this case, then the infecting program may have the same access that Java has.

Java does have permission to run on the system, but anything that is going to change the system you have to put a password in.



JohnInSJ
Premium
join:2003-09-22
San Jose, CA
reply to Mike

said by Mike:

Something like Photoshop now requires Java. So some people are SOL.

That still doesn't mean you need Java in your browser.
--
My place : »www.schettino.us


kjuh2d

@rr.com
reply to howardfine

It's called... "Social Engineering"



The Geezer
Premium
join:2004-12-28
43.3Á
reply to JohnInSJ

Really?

Try this: Disable Java and Javascript in Safari, then try and navigate to MacUpdate daily update page. It is totally blank! But as soon as Java is enabled, the page shows up properly.

Guess I for one am stuck with Java until something better comes along.
--
Rogers (Ericsson) Rocket Hub, Apple Intel iMac, OSX 10.6



JohnInSJ
Premium
join:2003-09-22
San Jose, CA

said by The Geezer:

Really?

Try this: Disable Java and Javascript in Safari, then try and navigate to MacUpdate daily update page. It is totally blank! But as soon as Java is enabled, the page shows up properly.

You just need javascript, not java for macupdate. Like most everything on the web. This is a java exploit.
--
My place : »www.schettino.us


skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2
reply to The Geezer

Remember that Java and javascript are two completely separate things.



skeechan
Ai Otsukaholic
Premium
join:2012-01-26
AA169|170
kudos:2

LOL
»www.macworld.com/article/1168382···rss_main



JohnInSJ
Premium
join:2003-09-22
San Jose, CA

Yeah they made it worse.