
Fortunately no serious damage was done during the meantime

With close to 75 million OS X distributions reportedly in the wild, triple the number two years ago, Apple has to start taking security more seriously.  Fortunately for Apple users, while security researchers regularly demonstrate OS X exploits, the Black Hat community remains rather apathetic to attacking the Mac community.

The latest sign that OS X may not be as secure as some think came in May, when security firm Intego, which makes security software for Macs, warned users of a Java flaw in the OS X Java distribution which could allow Java applets to execute malicious code.  Intego complained, "Apple has been aware of this vulnerability for at least five months, since it was made public, but has neglected to issue a security update to protect against this issue."

The flaw was originally found by Sami Koivu, who reported it to Sun Microsystems on August 1st 2008.  The vulnerability also affected OpenJDK, GIJ, icedtea and Sun's JRE, which share the same core classes with Apple's Java SE and J2SE.  A patch was issued by Sun on December 3rd 2008, with most of these distributions quickly incorporating it.

Months went by with no action from Apple, though.  Programmer Landon Fuller published proof-of-concept code in May showing how the exploit could be used against Apple OS X installs.  Still, Apple did not incorporate the patch.  States Mr. Fuller, "Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated.  Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."

Now, a month later, Apple has finally released a patch for Java on OS X 10.5 Leopard (the latest version) and 10.4 Tiger.  Describes Apple, "Java for Mac OS X 10.5 Update 4 delivers improved reliability, security, and compatibility for Java SE 6, J2SE 5.0 and J2SE 1.4.2 on Mac OS X v10.5."

The patch for OS X 10.5 can be found here, while the patch for OS X 10.4 can be found here.

This is not the first serious door that Apple has left open.  Last September a researcher going by the pseudonym "Securfrog" published code to crash Apple's QuickTime video player after Apple ignored a glaring flaw for months.  Similarly, a DNS flaw discovered by Dan Kaminsky was only fixed months later.

In Apple's defense, Microsoft also occasionally is slow to patch issues -- such as the recent patch of a long-standing Microsoft Office bug.  However, when it comes to security flaws in web-accessible content -- such as QuickTime, Java, or Safari -- Microsoft's track record is much better than Apple's.  These are the types of content most frequently exploited to attack machines over the web.

Comments

It's all about perception
By corduroygt on 6/16/2009 9:22:50 AM , Rating: 5
Windows has a bad reputation when it comes to security earned from 98 and Pre-SP2 XP days, although MS has been doing a good job when it comes to fixing vulnerabilities. I've even heard from an Apple fanboy that because Apple releases fewer security patches compared to Microsoft, its OS must be more secure!!!! Same idiotic perception also applies to GM and Ford, I find their later models to be just as good or better than Honda's and Toyota's. However, the public doesn't think so, and your resale goes in the crapper.

RE: It's all about perception
By Bender 123 on 6/16/2009 9:41:53 AM , Rating: 5
The answer to your comment is this:

Fortunately for Apple users, while security researchers regularly demonstrate OS X exploits, the Black Hat community remains rather apathetic to attacking the Mac community.

The reason why Apple has a good name is because Haxors just don't care about it...Not enough user base to bother.

Security through Obscurity...

RE: It's all about perception
By MrPeabody on 6/16/2009 10:42:56 AM , Rating: 3
I've wondered a bit about this. Apple stereotypes include (a) an excess of disposable income, (b) an active indifference toward computer security, and (c) demonstrably insecure computers.

You'd think some enterprising young black hat out there would try to exploit this apparently-untapped "market". Yes, the Apple user base is comparatively small, but so is the competition for ill-gotten gains.

This is not to advocate any illegal tomfoolery by any means. I'm just a bit surprised.

RE: It's all about perception
By TheSpaniard on 6/16/2009 10:45:33 AM , Rating: 3
apparently there is some porn virus running around now that targets macs...

RE: It's all about perception
By Cappadocious on 6/16/2009 2:08:31 PM , Rating: 2

"Whatever those keys are made of, they are non-stick"

I know it doesn't add anything more than humor to the discussion, but I thought it was appropriate. Gotta love Dave Chappelle.

RE: It's all about perception
By nycromes on 6/16/2009 12:40:25 PM , Rating: 2
It is the same thing that companies do with certain marketing techniques. Send out mass mailings and you might only get 5% response. That's 5% of whatever group you target, so do you target a group of 200,000 or a group of 20,000,000? Obviously, it's the latter.

I see what you mean about easy targets, but I don't agree about your point (a). Many of the people that I know that are Apple fans don't have an excess of disposable income. They just choose to spend their money on Apple products.

Either way, that will not last forever. Eventually someone will write something really nasty for OSX if not for any other reason than that they can. I hope that people on both sides become more security conscious. Neither OSX nor Windows is secure, especially when the user base consists of any users that aren't careful.

RE: It's all about perception
By GodisanAtheist on 6/16/2009 3:36:45 PM , Rating: 4
You and I are thinking alike.

People keep saying, over and over, that the Mac community is too small to write a virus for, oh would you rather infect billions or ten and the same rhetoric over and over. But the Mac community really isn't THAT small, that those guys are smug enough for the other 90% that use PC's and just accept viruses as a part of life.

So what people are effectively saying is that there are no enterprising hackers out there that want to make a real name for themselves being "The Scourge of Jobs" or just to take satisfaction in laying low some folks with a real superiority complex?

We're in trouble if even our hackers rely on windows welfare to get by... where's the entrepreneurial spirit guys?

RE: It's all about perception
By misuspita on 6/17/2009 2:45:44 AM , Rating: 2
I've got a brand new Conspiracy Theory!

What if all the virus writers are actually Jobs Holy Armada to crush the Empire of Windows? Paid to do damage to the Enemy! I mean, that could be the exact answer as to why the apples don't get any worms (sic!) or viruses, only Windows machines do.

By mmcdonalataocdotgov on 6/17/2009 11:51:32 AM , Rating: 3
It is not that the market size is so small, or medium-sized etc, so much as the fact that the virus will need to travel on compatible operating systems. It would be like pond scum breaking out in one of your neighbor's pools. Unlikely to spread to your pool since they are not connected. Now if it broke out in the ocean (oh-chin) then it could travel wherever it wants.

The disconnected Mac community just cannot propagate viruses well. The connected MS community can.

RE: It's all about perception
By xti on 6/16/2009 11:26:16 AM , Rating: 3
It's funny how much people don't understand the simple point that you pointed out.

a hacker...going out of his way and risking w/e risks there are, can write malicious code to affect:

a bajillion PC users
all 14 mac users.

bang for a buck, and all that jazz.

RE: It's all about perception
By xti on 6/16/2009 11:27:06 AM , Rating: 2
meant hacker/scripter/etc, in before the nit-picking.

By deltadeltadelta on 6/16/2009 5:47:14 PM , Rating: 3
Ah yes, security by obscurity. I have had endless debates with colleagues and friends about whether Mac OS X is fundamentally better or more secure or harder to infect with a virus. The answer is no! It's just not as targeted as Windows because:
1) More hackers use PCs and are more familiar with their development tools, scripting, etc.
2) Any OS could be compromised. It's about knowledge of how and the aforementioned market share of Windows. Sure, are you less likely to get infected with an exploit today on a Mac--you bet, but not because it is "better" but because it is a less-appealing target (right now).

RE: It's all about perception
By rudy on 6/16/2009 1:30:41 PM , Rating: 2
The mass ignorant public is always extremely slow to catch on to a company improvement, dumb publications like consumer reports do not help. This is however normal. Look at how long it took the average joe to respect AMD, by the time they caught on that AMD was a good company AMD was ending the life cycle of the X2 its most dominant processor and intel was now back in the driver's seat. And all that could be purchased was the inept phenoms. I expect that when AMD catches up again the mass public will finally be talking about how bad AMD is and miss the boat once again.

Java patches....
By solgae1784 on 6/16/2009 9:47:26 AM , Rating: 2
This is really a great disadvantage Apple has to other platforms, in that Apple chose to implement Java by themselves. But let's get into the reality here.

I've seen many people or organizations that haven't bothered updating Java for almost an eternity, and, at least from what I saw in the Windows side, Sun chose to leave all the prior releases alongside with the newer releases until around Update 13, when they finally started uninstalling prior releases before installing a new one. Also, many organizations just don't seem to put Java updates as much priority as the Windows updates. The average Joe is even worse, often just flat-out ignoring the Java update messages that have been there for months. To me, not knowingly patching the vulnerabilities is just as bad as not releasing them.

One good reason why you don't want to update Java, though, is compatibility. I had MATLAB stop working on me once when I updated Java, and I know some other programs that refused to work correctly with certain later releases of Java unless I go back to the earlier release. This forced me to remain on the earlier Java release until either Sun or the App developer released an update.

Bottom line is, the issue isn't so cut-and-dried. While Apple does need to get their act together on the security side, there's more that's going on than what you read in the news.

RE: Java patches....
By mfed3 on 6/16/2009 10:18:33 AM , Rating: 2
totally agree about the prior release versions of java sitting there ready to be exploited.

java is so bad security wise that I don't keep it on any of my family members' pcs or trust them to update it.

jusched.exe = fail.

RE: Java patches....
By vbNetGuy on 6/16/2009 10:58:06 AM , Rating: 2
Some applications rely on older versions of Java as well since there are quite a few backwards compatibility issues. If I update to Sun Java 1.5 Update 13, some of the software that is required on users' PCs will not work because they require 1.5 Update 10. This also leaves a huge security hole for PCs that require these older versions.

RE: Java patches....
By inighthawki on 6/16/2009 12:42:10 PM , Rating: 2
Not that it's not true or that I don't believe you, but can you name some? I don't think I've ever run into a situation where a java program didn't work because of the wrong version (though being completely honest, I haven't used many java apps before). I'm just curious is all...

RE: Java patches....
By HotdogIT on 6/16/2009 1:33:16 PM , Rating: 2
Enterprise eTime.

I have no idea how widespread its use is, but I know for a fact that we load up client PCs with version 1.4.2_12, and nothing else. Some of the 1.5 versions work, but any of the newer versions totally fail to function.

RE: Java patches....
By GaryJohnson on 6/16/2009 4:13:04 PM , Rating: 2
Sun should separate out the version of Java used for applications from the version used for Applets. Applets are where the risk is and they should only run with the latest version. If they break, too bad. Applications are typically what you see being used for Enterprise/Commercial software and those need backwards compatibility.

RE: Java patches....
By SoCalBoomer on 6/16/2009 4:56:25 PM , Rating: 2
Just FYI - it seems to have been fixed (that's what I've been told, anyway. . .) and you could put a new version of Java on the computers as long as you had 1.5.13 (the specific version we needed) on the machine. Right now, we have 1.5.13 and the latest 1.6 build and it works fine.

RE: Java patches....
By MamiyaOtaru on 6/16/2009 7:03:20 PM , Rating: 2
I don't remember the program name (fail) but the app the hospital here uses for viewing radiology reports over the network is limited to some old version.

When we put in a bunch of new PCs for the exam rooms and forgot to turn off updates it wouldn't run. Had to uninstall and reinstall whatever specific java version it was and nail it there.

At least they are planning on rolling out a new version next month that will let us turn java updates back on :-/

Javascript != Java
By lukasbradley on 6/16/2009 9:36:40 AM , Rating: 5
End of line.

RE: Javascript != Java
By Natfly on 6/16/2009 10:24:08 AM , Rating: 2
What? Where was javascript ever mentioned?

RE: Javascript != Java
By amanojaku on 6/16/2009 10:35:19 AM , Rating: 3
The OP is correct. The original line read:
The latest highlight in a growing picture that OS X may not be as secure as some think came in May when security firm Intego, which makes security software for Macs, warned users of a Javascript flaw in the OS X Java distribution which could allow Java applets to execute malicious code.
Don't rate him into oblivion just because the article was edited, people.

RE: Javascript != Java
By inighthawki on 6/16/2009 12:38:29 PM , Rating: 2
Makes sense, though maybe he should've clarified what he was referring to (a quote perhaps?) so that this exact thing didn't happen...

Doesn't Matter
By brshoemak on 6/16/2009 9:48:04 AM , Rating: 5
In Apple's defense, Microsoft also occasionally is slow to patch issues -- such as the recent patch of a long-standing Microsoft Office bug.

That's not a defense. It doesn't matter who is worse at security issues. All companies that are aware of outstanding, demonstrable security risks and don't take adequate measures to fix those issues are to blame. Yes, researching, creating and testing patches takes time and resources but it should be a necessary and expected expense that companies factor into their bottom line. No one gets a free pass when it comes to security.

RE: Doesn't Matter
By chick0n on 6/16/2009 11:05:50 AM , Rating: 2
That's like saying

A: You're overweight, go exercise.
B: Why? I'm ONLY 300 lbs at 5 foot. Look at C ! He is 400 lbs with 4'11" ...

Apple is just retarded.

RE: Doesn't Matter
By Smilin on 6/16/2009 6:16:29 PM , Rating: 2
+1 for that analogy.

Not a defense...
By Moishe on 6/16/2009 9:58:59 AM , Rating: 5
In Apple's defense, Microsoft also occasionally is slow to patch issues

Sorry, but saying "the other guy does it, too" is not a good defense. I don't care how crappy Microsoft has been or is at patching, Apple needs to take it seriously. If Apple neglects security, it could find itself in the same position that Microsoft was in. At least Microsoft has now seen the light and is paying attention to bloat and security issues.

By Cobra Commander on 6/16/2009 10:07:33 AM , Rating: 3
It was not discovered 6 months ago.
It was discovered 11 months ago.
It was merely patched by Sun 6 months ago.

By smackababy on 6/16/2009 3:38:43 PM , Rating: 2
That is absurd! The title only says it was patched after nearly a year. Plus, if you had read the article, it was patched 6 months ago, after Sun knew about it for 5 months. I would reckon 11 months is closer to "nearly a year" than 6 months.

Same old game, eh?
By iFX on 6/16/2009 5:21:30 PM , Rating: 1
With close to 75 million OS X distributions reportedly in the wild


RE: Same old game, eh?
By LeStuka on 6/16/2009 7:25:44 PM , Rating: 2
I think that must include every Mac ever sold with OSX on it.

RE: Same old game, eh?
By nitrous9200 on 6/16/2009 8:11:33 PM , Rating: 2
And every iPhone/iPod touch.

True Test
By Smilin on 6/16/2009 11:34:45 AM , Rating: 4
It's rare that you can get a good apples to apples comparison of security in products. Saying so and so issued X number of patches vs Y, or saying someone patched in X days instead of Y isn't very useful because of all the many platform and ecosystem differences.

Every once in a while a good test comes out and this is one of them. Same issue, multiple platforms. How does each handle it? Technically in this case Microsoft didn't have to handle it... Sun did it for them. Apple though gets a big fail on this one. It would have been an epic if someone had used the exploit.

Probably the BEST test of this was the recent DNS spec vulnerability. Every DNS server in the world had the vulnerability and all were notified at the exact same time. The Linux/Bind, Cisco, Microsoft etc servers were fixed immediately and were secure by the time it was announced to the public. Apple... yeah. Apple didn't get around to that one for months.

Microsoft is on the path (not a destination) to security by virtue of being armored in a hostile environment.

Apple is standing in a field of daisies with no hostility whatsoever and their security relies on the hope that criminals just don't like daisies.

its all lies - all lies!!11!!1
By linuxgtwindos3gtmucs on 6/16/2009 10:11:11 AM , Rating: 1
The führer never said any such thing!

DailyTech is full of lies and mac haters.

If the führer didn't say so then we cannot believe.
Our fearless leader would have warned us.

The führer loves each of us even though he historically was a dead beat dad.

The führer loves each of us even though he has never done any charity work.

RE: its all lies - all lies!!11!!1
By TomZ on 6/16/2009 10:24:11 AM , Rating: 2
Take your medicine, people!

By StevoLincolnite on 6/16/2009 9:47:25 AM , Rating: 2
I should pitch this as an idea for TV advertisement for Microsoft...

By ggordonliddy on 6/16/2009 8:05:46 PM , Rating: 2
The following sentence is incoherent; please remove the first comma to avoid further calamity:
The flaw, was originally found by Sami Koivu, who reported it to Sun Microsystems on August 1st 2008.

Big Mac Attack?
By Alexvrb on 6/16/2009 10:14:01 PM , Rating: 2
Fortunately no serious damage was done during the meantime
Well that's kind of a given, isn't it? I mean after all, damage done to Macs can never be counted as serious.

By ltcommanderdata on 6/16/2009 12:29:40 PM , Rating: 1
An interesting side observation from this update is that Apple is still providing free support for Java 1.4.2 for Mac users with Update 21. In contrast, Sun no longer offers free updates to Java 1.4.2 beyond Update 19 and requires a paid support contract. It probably doesn't matter for most users but it's still nice to know.
