According to Matasano (home base for security researcher Dino Dai Zovi), the announced-but-unreleased web browser exploit that was used to win the CanSecWest MacBook Pro challenge involves browser support for Java. Turn off Java for Safari (or Firefox, or Camino) and your machine is immune.Let's take a moment to note, before frantically shutting down all the garbage mashers on the detention level, that this is an unreleased exploit and there is no expectation of it going wild; it's in the care and feeding of the Zero Day Initiative now and notification to Apple, Sun (Java) and other affected parties will be handled professionally. The only real-world risk is if some clever soul manages to find the same unpublished vulnerability that Dai Zovi did and pairs it with a malicious payload. Personally, I use Java for a couple of work purposes, but I can presumably leave it on in one browser for those specific pages and do my general browsing with another, Java-disabled browser... that is, I would, if I was paranoid.
There are plenty of other ways to improve your Mac security, most listed via this post. Top three: turn on the firewall, run as a normal user, and turn off wireless (at least, turn off automatic connection to open networks). Apple's guide to Tiger security is also available as a PDF here.
Reader Comments (Page 1 of 1)
4-23-2007 @ 11:19AM
FamousPete said...
Kudos on the reference to "A New Hope." Well done.
Reply
4-23-2007 @ 12:47PM
AeronPrometheus said...
...and once again common sense prevails, just be smart online and you'll be fine. Just because I use a Mac. That doesn't mean that I click on every YOU'VE JUST WON AN IPHONE OR FIVE RINGTONES banner that I see. :P
Reply
4-23-2007 @ 1:06PM
Nick said...
Wow, gee, isn't Michael Rose a hard case? I'm so admiring of him. He must had 'nads like watermelons.
He leaves Java on all the time even though no-one uses the stuff. I bet he's got "Open safe files" enabled, too. If only all of us could be so daring as Michael Rose.
Reply
4-23-2007 @ 1:11PM
Michael Rose said...
#2, sensible but in this case it wouldn't necessarily help -- suppose you got a "Check out this link" email that appeared to be from a friend or business associate...
#3, more like cantaloupes actually, but thanks for overestimating. :)
Reply
4-23-2007 @ 2:53PM
register said...
"this is an unreleased exploit and there is no expectation of it going wild"
Unfortunately, as anyone knowledgable about computer security could tell you, it probably will, and sooner than you expect. If nothing else, just knowing that "Java" is involved is enough to make this exploit much, much easier to find for a competent attacker. And if you can get a command shell, you're a huge step closer to completely compromising the machine.
Reply
4-24-2007 @ 1:22AM
guns said...
Just so everyone is clear, it's a javascript exploit, not Java. Though they may sound similar, but they actually have nothing to do with each other. Netscape just named it javascript because Java was the hot new language of the time.
I've heard it was a cross-site scripting exploit, which can platform and browser agnostic. In this case, someone was able to gain shell access through the browser, which doesn't seem that big of a stretch, since your browser already runs unverified code without much fuss. Steve Gibson's podcast Security Now recently did a couple articles about browser scripting exploits, if you want to know more. Just look it up in the iTunes directory.
Using Firefox with the Noscript extension is probably the best solution, as someone suggested.
Reply
4-24-2007 @ 6:56AM
Michael Rose said...
#6 -- Guns, the characterization of the exploit as a Javascript flaw is incorrect.
http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/
It's a QuickTime bug that's exposed via the QT Java hooks. It is cross-platform if the target Windows machine has iTunes/QT and the JVM installed.
I know there's a lot of temptation to speculate on this story. Let's try to stick to the announced facts as much as we can.
Reply
4-24-2007 @ 9:09PM
keithws said...
I've always disabled Java in my browsers because it can really slow down my older machines and I rarely actually want the applets to run. 90% of the java applets I would run across were scrolling marqee text.
Reply
4-28-2007 @ 7:34PM
mike said...
For everyday use: Firefox + "NoScript" + "JavaScript Options" + "Flashblock" + Java turned off + no animated GIFs.
For stubborn sites only: Safari with Java.
"JavaScript Options" ensures that even if I trust the site with "NoScript", it can't do things I don't want it to. http://www.oxymoronical.com/web/firefox/jsoptions
"Flashblock" is similar since I don't necessarily want to see all the Flash on a trusted site.
Reply