Filed under: Security
More on the CanSecWest exploit and Java
Let's take a moment to note, before frantically shutting down all the garbage mashers on the detention level, that this is an unreleased exploit and there is no expectation of it going wild; it's in the care and feeding of the Zero Day Initiative now, and notification to Apple, Sun (Java) and other affected parties will be handled professionally. The only real-world risk is if some clever soul manages to find the same unpublished vulnerability that Dai Zovi did and pairs it with a malicious payload. Personally, I use Java for a couple of work purposes, but I could presumably leave it on in one browser for those specific pages and do my general browsing with another, Java-disabled browser... that is, I would, if I were paranoid.
There are plenty of other ways to improve your Mac security, most of them listed in this post. Top three: turn on the firewall, run as a normal user, and turn off wireless (or at least turn off automatic connection to open networks). Apple's guide to Tiger security is also available as a PDF here.
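The three recommendations above can be checked rather than just remembered. The script below is an added example, not code from the post or from Apple: the three interpretation functions take the raw setting values as arguments so they can be exercised with constructed input on any POSIX shell, and the live_audit function only runs the real queries on macOS. It assumes the application firewall of Leopard and later, whose state lives in /Library/Preferences/com.apple.alf (globalstate 0 = off, 1 = on, 2 = block all incoming); the Tiger-era ipfw firewall the post refers to is not covered.

```shell
#!/bin/sh
# Added example (not from the TUAW post): audit the three hardening tips.
# Assumed settings sources (modern macOS, not Tiger's ipfw):
#   firewall : defaults read /Library/Preferences/com.apple.alf globalstate
#   admin    : dscl . -read /Groups/admin GroupMembership
#   wireless : networksetup -getairportpower en1

# firewall_ok GLOBALSTATE -> returns 0 when the firewall is enabled (1 or 2)
firewall_ok() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# normal_user_ok USER ADMIN_MEMBERS -> returns 0 when USER is not an admin.
# ADMIN_MEMBERS is the space-separated list that dscl prints after the
# "GroupMembership:" label.
normal_user_ok() {
    user="$1"; members="$2"
    for m in $members; do
        [ "$m" = "$user" ] && return 1
    done
    return 0
}

# wifi_ok AIRPORT_POWER_LINE -> returns 0 when wireless power is reported off.
# Matches both the older "AirPort Power (en1): Off" and newer "Wi-Fi Power"
# wording, since only the trailing state word matters.
wifi_ok() {
    case "$1" in
        *": Off") return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample values standing in for real command output, so the
# functions can be tried without a Mac.
SAMPLE_ALF_STATE=1
SAMPLE_ADMIN_MEMBERS="root alice"
SAMPLE_AIRPORT="AirPort Power (en1): Off"

# live_audit: run the real queries on macOS and print one line per check.
live_audit() {
    if [ "$(uname)" != "Darwin" ]; then
        echo "not macOS; skipping live audit"
        return 0
    fi
    state=$(defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)
    firewall_ok "$state" && echo "firewall: on" || echo "firewall: OFF (globalstate=$state)"
    members=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null | sed 's/^GroupMembership: //')
    normal_user_ok "$(id -un)" "$members" && echo "user: standard account" || echo "user: ADMIN account"
    power=$(networksetup -getairportpower en1 2>/dev/null)
    wifi_ok "$power" && echo "wireless: off" || echo "wireless: ON ($power)"
}

# Demonstrate the checks on the constructed samples, then try the live audit.
firewall_ok "$SAMPLE_ALF_STATE" && echo "sample firewall: on"
normal_user_ok bob "$SAMPLE_ADMIN_MEMBERS" && echo "sample user bob: standard"
wifi_ok "$SAMPLE_AIRPORT" && echo "sample wireless: off"
live_audit
```

The interface name en1 is the usual AirPort interface on the laptops of that era; on other hardware the wireless interface may differ, so adjust it before trusting the last check.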

Reader Comments
keithws said 9:09PM on 4-24-2007
I've always disabled Java in my browsers because it can really slow down my older machines and I rarely actually want the applets to run. 90% of the Java applets I would run across were scrolling marquee text.
FamousPete said 11:19AM on 4-23-2007
Kudos on the reference to "A New Hope." Well done.
AeronPrometheus said 12:47PM on 4-23-2007
...and once again common sense prevails: just be smart online and you'll be fine. Just because I use a Mac, that doesn't mean that I click on every YOU'VE JUST WON AN IPHONE OR FIVE RINGTONES banner that I see. :P
Nick said 1:06PM on 4-23-2007
Wow, gee, isn't Michael Rose a hard case? I'm so admiring of him. He must have 'nads like watermelons.
He leaves Java on all the time even though no-one uses the stuff. I bet he's got "Open safe files" enabled, too. If only all of us could be so daring as Michael Rose.
Michael Rose said 1:11PM on 4-23-2007
#2, sensible but in this case it wouldn't necessarily help -- suppose you got a "Check out this link" email that appeared to be from a friend or business associate...
#3, more like cantaloupes actually, but thanks for overestimating. :)
register said 2:53PM on 4-23-2007
"this is an unreleased exploit and there is no expectation of it going wild"
Unfortunately, as anyone knowledgeable about computer security could tell you, it probably will, and sooner than you expect. If nothing else, just knowing that "Java" is involved is enough to make this exploit much, much easier to find for a competent attacker. And if you can get a command shell, you're a huge step closer to completely compromising the machine.
guns said 1:22AM on 4-24-2007
Just so everyone is clear, it's a JavaScript exploit, not Java. Though they may sound similar, they actually have nothing to do with each other. Netscape just named it JavaScript because Java was the hot new language of the time.
I've heard it was a cross-site scripting exploit, which can be platform and browser agnostic. In this case, someone was able to gain shell access through the browser, which doesn't seem that big of a stretch, since your browser already runs unverified code without much fuss. Steve Gibson's podcast Security Now recently did a couple of episodes about browser scripting exploits, if you want to know more. Just look it up in the iTunes directory.
Using Firefox with the NoScript extension is probably the best solution, as someone suggested.
Michael Rose said 6:56AM on 4-24-2007
#6 -- Guns, the characterization of the exploit as a JavaScript flaw is incorrect.
http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/
It's a QuickTime bug that's exposed via the QT Java hooks. It is cross-platform if the target Windows machine has iTunes/QT and the JVM installed.
I know there's a lot of temptation to speculate on this story. Let's try to stick to the announced facts as much as we can.
mike said 7:34PM on 4-28-2007
For everyday use: Firefox + "NoScript" + "JavaScript Options" + "Flashblock" + Java turned off + no animated GIFs.
For stubborn sites only: Safari with Java.
"JavaScript Options" ensures that even if I trust the site with "NoScript", it can't do things I don't want it to. http://www.oxymoronical.com/web/firefox/jsoptions
"Flashblock" is similar since I don't necessarily want to see all the Flash on a trusted site.