Apple Nabs Java Exploit That Bypassed Disabled Plugin
Trailrunner7 writes "Apple on Thursday released a large batch of security fixes for its OS X operating system, one of which patches a flaw that allowed Java Web Start applications to run even when users had Java disabled in the browser. There have been a slew of serious vulnerabilities in Java disclosed in the last few months, and security experts have been recommending that users disable Java in their various browsers as a protection mechanism. However, it appears that measure wasn't quite enough to protect users of some versions of OS X."
Java and flash... (Score:4, Insightful)
Incredibly, still the biggest shit on the internet.
Too bad, as a language I actually like Java. Flash is crap though, always was, always will be.
Re:Java and flash... (Score:5, Insightful)
Windows could have been sandboxed too, making it impossible to edit system files or access files outside the installation directory. Also, autobooting at start should be something only the user can choose and can't be automatically checked. This would have rendered most viruses useless. This should have been done circa 1995-98 when the Internet was just going mainstream.
The problem is that circa 1995-98, the average home PC simply wasn't powerful enough to handle this kind of sandboxing while maintaining acceptable performance. Windows 9x basically ran on bare metal (one bad app could easily bring the whole system down) and there was no such thing as security. It was crude, but it was the best you could do on a Pentium 100 with 8 megs of RAM (16 if you were lucky). A modern smartphone leaves these old systems in the dust. The Windows NT series has a Unix-style security model, though it was undermined by the need for backwards compatibility forcing regular users to run as administrator (UAC was a belated attempt to fix this). But this also means that NT needs a faster processor and a lot more RAM than 9x. The first home version of Windows based on the NT kernel was XP, and people were all up in arms about its "outrageous" system requirements back in 2001.
Nowadays, you can usually get away with running as a limited user and escalating only when installing or updating a program from a trusted source. I agree that sandboxing could be more sophisticated than it is on Windows, but this isn't a unique flaw; in fact, it's a result of copying the outdated Unix security model, which assumes that the program is the user and would do roughly what the user wanted (maybe true in the 1970s on shared university systems, but obvious nonsense now).
Re:Why is the browser launching anything? (Score:2, Insightful)
Hello? Why is a web browser launching other applications without explicit user consent? Ever?
This was the classic Microsoft security hole - executing anything that came in which could possibly be executed - Word documents, spreadsheets, autoplay files, Universal Plug and Play. Microsoft has now turned most of that off. Apple is replicating a classic Microsoft mistake here.
It doesn't, or it shouldn't - that was the point. Safari *does* explicitly ask for consent before launching apps downloaded from the internet, but one script type was whitelisted by accident/oversight. This has now been fixed.
Re:Java and flash... (Score:2, Insightful)
All other operating systems running on similar hardware but having strict security and privileges prove you wrong. Even Linux existed at that time already and ran happily on that hardware.
No, he is completely correct. Linux of the time did not "run happily" on that hardware with the same level of GUI complexity as Win9x. Either Linux had no GUI at all, or a simple window manager like TWM or FVWM.
This is also doubly wrong in claiming that all other operating systems at the time had proper security. The biggest competitors to MS at the time were even simpler and less secure OSes. For GUIs there was MacOS which didn't have protected memory and could barely multitask, along with having no security model. On the server side the biggest at the time would have been Novell, which did have a security model, but still had no protected memory and much simpler multitasking than even Win9x.