Apple, Java, and the Ravenous Bugblatter Beast of Traal

The Ravenous Bugblatter Beast of Traal, as fans of Douglas Adams know, is a creature so mind-bogglingly stupid that it assumes that if you can't see it, then it can't see you. They are natives of the planet Traal, but on Earth are often found in Cupertino, address One Infinite Way. (Leave it to an RBB to name its lair after a programming error.)

On Traal, one fends off attacks of the Ravenous Bugblatter Beast by wrapping a towel around one's own head. As nearly as I can tell, that's Apple's actual security strategy. How otherwise would you explain the company's non-response to CVE-2008-5353, known these past nine months and patched by everyone but Apple?

CVE-2008-5353, which is a client-side arbitrary remote code execution vulnerability, was one of the more interesting holes discussed at CanSecWest's Pwn2Own this year. Discovered by Sami Koivu in August, it was patched by Sun in late 2008 in Java 6 Update 11. It was later exploited by Koivu and Julian Tinnes (who writes most engagingly about it on his blog) to own up the Pwn2own Mac on the first day of competition (a feat disallowed for competition, by the way, because Koivu and Tinnes had already done the right thing and warned Sun and Apple; no good deed goes unpwnaged).

Here's the cool and special thing about this vulnerability: It's pure Java. It doesn't care what operating system you're running; if you're able to run Java -- and the overwhelming majority of browsers do, often by default -- you can be pwned if you haven't been patched. Windows users are patched. Linux folk are patched.

That leaves the snarling hulk with the towel around its head.

Sun took, according to Koivu's records, 122 days to issue a patch for CVE-2008-5353. But it's done, and before the word got out at CanSecWest in February. Apple, on the other hand, not only hasn't updated the JRE in even its latest security update or in the Safari patch it pushed to my MacBook this morning, it hasn't warned its userbase that there's any problem whatsoever -- and hasn't suggested that, at the very least, users should disable Java in their browsers.

(The Mac's high price explained: Free towel with every purchase.)

The vulnerability lies in Java itself, and there will be the odd fanboi who insists that this means that Apple's products are still not at risk from security problems. This is what sociologists would describe as a case of technical virginity, only we've already debunked that concept too. The users who think that recent PC/Mac commercial actually means a Mac will be secure do not want to hear that their machines were busted into via a technicality.

Tinnes, who appreciates a beautiful thing even when it's poisonous, has tested the exploit he wrote on Firefox, IEs 6 through 8, Safari, Mac OS X, Windows, Linux and OpenBSD, and it works everywhere. He calls CVE-2008-5353 "close to the holy grail of client-side vulnerabilities." It's not easy to patch -- Java generally isn't -- but that's no excuse for pretending it's not there.

Microsoft's Security Development Lifecycle blog team has a little list, oh yes -- they're keeping track of function calls that are seriously more trouble than they're worth from a security standpoint. The latest addition to their just-don't list is memcpy(), a nasty piece of work that's made for vulnerabilities in DirectX, Outlook Express, Messenger Service, and many other programs over the years. The blog post by Steve Lipner recommends that programmers deprecate the function, along with RtlCopyMemory and CopyMemory, in their own code starting immediately and use instead buffer-friendly memcopy_s(). ("I wonder when Larry, Steve and Linus will start banning strcpy() in their products?" he snarks at the end of the post -- oh, snap.)

Some commenters were skeptical. "Sure, this sounds good, but I'm not convinced memcpy_s will really help. It's only checking consistency between 2 of the arguments, which means that all 4 can still be wrong," wrote user "t-scotmc." And user "nelsonchandler" has a broader vision for solving C's myriad problems: "Are we ever going to see Microsoft Ada? It can do everything C does, but in a much safer way." (And if you might have made that comment yourself, I recommend a side trip today to James Iry's A Brief, Incomplete, and Mostly Wrong History of Programming Languages.)

Be advised that Sophos, like James Iry, is having more fun than you are. They've got a page up right now for Klingon Anti-Virus from Sophos, which promises to shut down the usual adware, malware, Betazoid sub-ether porn diallers, Tribbles, zero-day threats and the like. The program was developed to honor the memory of a brave Product Marketing team who made the mistake of making their product pitch on Qo'noS without sufficient training in bat'leth techniques. They will be missed.