More on the CanSecWest exploit and Java

According to Matasano (home base for security researcher Dino Dai Zovi), the announced-but-unreleased web browser exploit that was used to win the CanSecWest MacBook Pro challenge involves browser support for Java. Turn off Java for Safari (or Firefox, or Camino) and your machine is immune.

Let's take a moment to note, before frantically shutting down all the garbage mashers on the detention level, that this is an unreleased exploit and there is no expectation of it going wild; it's in the care and feeding of the Zero Day Initiative now and notification to Apple, Sun (Java) and other affected parties will be handled professionally. The only real-world risk is if some clever soul manages to find the same unpublished vulnerability that Dai Zovi did and pairs it with a malicious payload. Personally, I use Java for a couple of work purposes, but I can presumably leave it on in one browser for those specific pages and do my general browsing with another, Java-disabled browser... that is, I would, if I was paranoid.

There are plenty of other ways to improve your Mac security, most listed via this post. Top three: turn on the firewall, run as a normal user, and turn off wireless (at least, turn off automatic connection to open networks). Apple's guide to Tiger security is also available as a PDF here.

Categories

Security


9 Comments

mike

For everyday use: Firefox + "NoScript" + "JavaScript Options" + "Flashblock" + Java turned off + no animated GIFs.
For stubborn sites only: Safari with Java.

"JavaScript Options" ensures that even if I trust the site with "NoScript", it can't do things I don't want it to. http://www.oxymoronical.com/web/firefox/jsoptions

"Flashblock" is similar since I don't necessarily want to see all the Flash on a trusted site.

April 28 2007 at 7:34 PM
Michael Rose

#6 -- Guns, the characterization of the exploit as a Javascript flaw is incorrect.

http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/

It's a QuickTime bug that's exposed via the QT Java hooks. It is cross-platform if the target Windows machine has iTunes/QT and the JVM installed.

I know there's a lot of temptation to speculate on this story. Let's try to stick to the announced facts as much as we can.

April 24 2007 at 6:56 AM
guns

Just so everyone is clear, it's a javascript exploit, not Java. Though they may sound similar, they actually have nothing to do with each other. Netscape just named it javascript because Java was the hot new language of the time.

I've heard it was a cross-site scripting exploit, which can be platform and browser agnostic. In this case, someone was able to gain shell access through the browser, which doesn't seem that big of a stretch, since your browser already runs unverified code without much fuss. Steve Gibson's podcast Security Now recently did a couple of articles about browser scripting exploits, if you want to know more. Just look it up in the iTunes directory.

Using Firefox with the Noscript extension is probably the best solution, as someone suggested.

April 24 2007 at 1:21 AM
register

"this is an unreleased exploit and there is no expectation of it going wild"

Unfortunately, as anyone knowledgeable about computer security could tell you, it probably will, and sooner than you expect. If nothing else, just knowing that "Java" is involved is enough to make this exploit much, much easier to find for a competent attacker. And if you can get a command shell, you're a huge step closer to completely compromising the machine.

April 23 2007 at 2:52 PM
Michael Rose

#2, sensible but in this case it wouldn't necessarily help -- suppose you got a "Check out this link" email that appeared to be from a friend or business associate...

#3, more like cantaloupes actually, but thanks for overestimating. :)

April 23 2007 at 1:11 PM
Nick

Wow, gee, isn't Michael Rose a hard case? I'm so admiring of him. He must have 'nads like watermelons.

He leaves Java on all the time even though no-one uses the stuff. I bet he's got "Open safe files" enabled, too. If only all of us could be so daring as Michael Rose.

April 23 2007 at 1:06 PM
AeronPrometheus

...and once again common sense prevails, just be smart online and you'll be fine. Just because I use a Mac, that doesn't mean that I click on every YOU'VE JUST WON AN IPHONE OR FIVE RINGTONES banner that I see. :P

April 23 2007 at 12:43 PM
FamousPete

Kudos on the reference to "A New Hope." Well done.

April 23 2007 at 11:12 AM
keithws

I've always disabled Java in my browsers because it can really slow down my older machines and I rarely actually want the applets to run. 90% of the Java applets I would run across were scrolling marquee text.

April 23 2007 at 11:11 AM
© 2012 AOL Inc. All Rights Reserved.