
Apple Nabs Java Exploit That Bypassed Disabled Plugin

Posted by timothy
from the heading-them-off-before-they-head-you-off dept.
Trailrunner7 writes "Apple on Thursday released a large batch of security fixes for its OS X operating system, one of which patches a flaw that allowed Java Web Start applications to run even when users had Java disabled in the browser. There have been a slew of serious vulnerabilities in Java disclosed in the last few months, and security experts have been recommending that users disable Java in their various browsers as a protection mechanism. However, it appears that measure wasn't quite enough to protect users of some versions of OS X."

  • Re:Java and flash... (Score:5, Interesting)

    by eksith (2776419) on Friday March 15, 2013 @11:58PM (#43188637) Homepage
    The problem with Flash is the developers. ActionScript can do a lot of things... that doesn't mean those things should have been done. Of course if sandboxing was foolproof, things would have worked better for both technologies. Hopefully HTML5 can fill the gap for both and we can finally do away with both plugins.
  • So... (Score:3, Interesting)

    by Molochi (555357) on Saturday March 16, 2013 @12:28AM (#43188729)

    If the Apple Safari browser on Apple OSX had Java disabled it let it run anyway? Glad they fixed that.

    Such an hero.

  • Re:Java and flash... (Score:5, Interesting)

    by GoodNewsJimDotCom (2244874) on Saturday March 16, 2013 @12:36AM (#43188765)
    Windows could have been sandboxed too, making it impossible to edit system files or access files outside the installation directory. Also, autobooting at start should be something only the user can choose and can't be automatically checked. This would have rendered most viruses useless. This should have been done circa 1995-98 when the Internet was just going mainstream.
  • Re:Not a bug? (Score:4, Interesting)

    by _xeno_ (155264) on Saturday March 16, 2013 @01:46AM (#43188965) Homepage Journal

    It's only not a bug in that it was by design.

    Basically Mac OS X has a list of "safe" files that don't bring up an "are you sure you want to open this file?" dialog after it's been downloaded. The idea is that if you download a text file, you won't get a dialog warning you that the file is insecure when you try and open it.

    JNLP files were put in that list, presumably based on the assumption that Java was "secure." (Bad assumption!)

    The fix was to remove them from the safe list, so now you'll get an "are you sure?" dialog from the OS itself rather than assuming Java is secure.

  • Re:Java and flash... (Score:4, Interesting)

    by drinkypoo (153816) <martin.espinoza@gmail.com> on Saturday March 16, 2013 @11:23AM (#43190867) Homepage Journal

    E.g. you can changeroot the process and then it can't do anything.

    chroot is a big help, but it doesn't preclude gaining access to memory, and if you have enough access to that then you can write files using other processes' permissions. You really need to virtualize to even claim to have a sandbox which is useful from a security standpoint. Even then it's not impossible to exploit a virtual driver and gain access to the underlying hardware indirectly.
