Apple, Java, and the Ravenous Bugblatter Beast of Traal
By Angela Gunn | Published May 20, 2009, 3:38 PM
The Ravenous Bugblatter Beast of Traal, as fans of Douglas Adams know, is a creature so mind-bogglingly stupid that it assumes that if you can't see it, then it can't see you. They are natives of the planet Traal, but on Earth are often found in Cupertino, address One Infinite Way. (Leave it to an RBB to name its lair after a programming error.)
On Traal, one fends off attacks of the Ravenous Bugblatter Beast by wrapping a towel around one's own head. As nearly as I can tell, that's Apple's actual security strategy. How otherwise would you explain the company's non-response to CVE-2008-5353, known these past nine months and patched by everyone but Apple?
CVE-2008-5353, which is a client-side arbitrary remote code execution vulnerability, was one of the more interesting holes discussed at CanSecWest's Pwn2Own this year. Discovered by Sami Koivu in August, it was patched by Sun in late 2008 in Java 6 Update 11. It was later exploited by Koivu and Julien Tinnes (who writes most engagingly about it on his blog) to own the Pwn2Own Mac on the first day of competition (a feat disallowed for competition, by the way, because Koivu and Tinnes had already done the right thing and warned Sun and Apple; no good deed goes unpwnaged).
Here's the cool and special thing about this vulnerability: It's pure Java. It doesn't care what operating system you're running; if you're able to run Java -- and the overwhelming majority of browsers do, often by default -- you can be pwned if you haven't been patched. Windows users are patched. Linux folk are patched.
That leaves the snarling hulk with the towel around its head.
Sun took, according to Koivu's records, 122 days to issue a patch for CVE-2008-5353. But it's done, and before the word got out at CanSecWest in February. Apple, on the other hand, not only hasn't updated the JRE in even its latest security update or in the Safari patch it pushed to my MacBook this morning, it hasn't warned its userbase that there's any problem whatsoever -- and hasn't suggested that, at the very least, users should disable Java in their browsers.
(The Mac's high price explained: Free towel with every purchase.)
The vulnerability lies in Java itself, and there will be the odd fanboi who insists that this means that Apple's products are still not at risk from security problems. This is what sociologists would describe as a case of technical virginity, only we've already debunked that concept too. The users who think that recent PC/Mac commercial actually means a Mac will be secure do not want to hear that their machines were busted into via a technicality.
Tinnes, who appreciates a beautiful thing even when it's poisonous, has tested the exploit he wrote on Firefox, IEs 6 through 8, Safari, Mac OS X, Windows, Linux and OpenBSD, and it works everywhere. He calls CVE-2008-5353 "close to the holy grail of client-side vulnerabilities." It's not easy to patch -- Java generally isn't -- but that's no excuse for pretending it's not there.
Notes from all over
Microsoft's Security Development Lifecycle blog team has a little list, oh yes -- they're keeping track of function calls that are seriously more trouble than they're worth from a security standpoint. The latest addition to their just-don't list is memcpy(), a nasty piece of work that's made for vulnerabilities in DirectX, Outlook Express, Messenger Service, and many other programs over the years. The blog post by Steve Lipner recommends that programmers deprecate the function, along with RtlCopyMemory and CopyMemory, in their own code starting immediately and use instead buffer-friendly memcpy_s(). ("I wonder when Larry, Steve and Linus will start banning strcpy() in their products?" he snarks at the end of the post -- oh, snap.)
Some commenters were skeptical. "Sure, this sounds good, but I'm not convinced memcpy_s will really help. It's only checking consistency between 2 of the arguments, which means that all 4 can still be wrong," wrote user "t-scotmc." And user "nelsonchandler" has a broader vision for solving C's myriad problems: "Are we ever going to see Microsoft Ada? It can do everything C does, but in a much safer way." (And if you might have made that comment yourself, I recommend a side trip today to James Iry's A Brief, Incomplete, and Mostly Wrong History of Programming Languages.)
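To make the memcpy_s() argument concrete, here is an added example (not from the article, the SDL post, or Microsoft's CRT): a portable re-implementation of the C11 Annex K memcpy_s() contract under the hypothetical name checked_memcpy, plus a hypothetical copy_payload() that parses a constructed length-prefixed message. It shows both what the destination-size check catches and what it cannot, which is the commenter's point: count is checked against destsz, but a bad source length is still the caller's job.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Same idea as Annex K's RSIZE_MAX: reject absurd sizes outright. */
#define RSIZE_MAX_LOCAL (SIZE_MAX >> 1)

/* Portable stand-in for memcpy_s(): returns 0 on success, nonzero on a
 * constraint violation. As in Annex K, the destination is zero-filled on
 * failure (when it is valid) so a caller that ignores the return code does
 * not keep working with stale or partially copied data. */
int checked_memcpy(void *dest, size_t destsz, const void *src, size_t count)
{
    if (dest == NULL || destsz > RSIZE_MAX_LOCAL)
        return 1;
    if (src == NULL || count > RSIZE_MAX_LOCAL || count > destsz) {
        memset(dest, 0, destsz);
        return 1;
    }
    /* Annex K also forbids overlapping regions; compare as integers to
     * avoid comparing pointers into unrelated objects. */
    uintptr_t d = (uintptr_t)dest, s = (uintptr_t)src;
    if (d < s + count && s < d + destsz) {
        memset(dest, 0, destsz);
        return 1;
    }
    memcpy(dest, src, count);
    return 0;
}

/* Copy a payload with a constructed 2-byte big-endian length prefix into
 * out. Returns the payload length, or -1 if the message is rejected. */
int copy_payload(uint8_t *out, size_t outsz, const uint8_t *msg, size_t msglen)
{
    if (out == NULL || msg == NULL || msglen < 2)
        return -1;
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    /* memcpy_s only checks count against destsz. A length field larger
     * than the bytes actually received would over-read the source, so the
     * source bound has to be checked here, by the caller. */
    if (len > msglen - 2)
        return -1;
    /* Destination bound: an oversized length is rejected here, not overflowed. */
    if (checked_memcpy(out, outsz, msg + 2, len) != 0)
        return -1;
    return (int)len;
}
```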
Be advised that Sophos, like James Iry, is having more fun than you are. They've got a page up right now for Klingon Anti-Virus from Sophos, which promises to shut down the usual adware, malware, Betazoid sub-ether porn diallers, Tribbles, zero-day threats and the like. The program was developed to honor the memory of a brave Product Marketing team who made the mistake of making their product pitch on Qo'noS without sufficient training in bat'leth techniques. They will be missed.
Pure propaganda. Mac OS X is not exploitable. This is why Apple could care less about patching this. If you're running Mac OS X you have nothing to worry about. If you're running Windohs, that's another story...
Score: -2
no worries.. Mac users really don't do more than photos and surf the internet..
maybe they would get one of those mystery computer viruses the FBI and U.S. Marshals got today....
Score: 1
If you are running Mac OS X, you have nothing to worry about. Your OS is secure out of the box. This exploit won't work anymore.
Score: -6
...and you're so full of **it, flies swarm you wherever you go.
Score: 2
I do believe him being full of s*** is the point of his posts. Captain Obvious, and all that.
Score: 0
I just wish he'd read the fine article, which explains that it's not. But that's where the towels come in...
Score: 2
I love your writing style. Fantastic.
Score: 2
But that nice guy in the commercial said Macs don't have viruses or security updates...
Score: 2
Good job at putting words in his mouth. I think you need to go back and re-watch the commercial, he never said anything about security updates.
The UNIX core of Mac OS X will always make it far more secure than Windohs.
Score: -5
*laughing*
...and once again, *you* are the punch-line.
"he never said anything about security updates."
Of course he didn't say anything about security updates... *what* security updates?
From TFA:
"patched by everyone but Apple?"
Score: 3
I forgot to mention how hot Angela Gunn is. ;)
Score: 2
@extremely funny
let's hope she doesn't decide to write erotica, otherwise you will likely be her biggest fan (or a little one - depending on your stature)
Score: 0
*laughing my a** off*
You have *got* to publish your reading list one of these days. The wonders that must reside in there.. ;)
------
Hell, I can understand wanting the 3rd party dev of the product in question to fix the problem, but from the article, it looks like that has happened and Apple *still* hasn't updated. Am I reading it wrong?
To be fair, Windows 7 doesn't quite play nicely with Java at the moment either. I know of at least 2 other people for whom Java simply doesn't *work* in Win7. (crashes, failed installs, etc)
...but at least Win7 still has the crutch of being unreleased... ;)
Score: 1
nice
Score: 0
It's very obvious the tide is a changing, and Microsoft products will very soon be PROVEN (by any scientific/industry standard) more secure (by default settings) than Apple's s*** or Firefox (with their billion turn changes and random code adders off the street) or OpenOffice etc etc.
It's not magic - it's a matter of having 5000x the "disposable income" of, say, Apple. You throw enough money on ANY problem, let some more time pass to kill backward-compatibility constraints, and the problem WILL go away. You don't have to be smart yourself - you buy the smartest people/companies on the planet cuz EVERYONE has a price.
Score: 1
interesting....
perhaps, you are the J.K. Rowling for geeks?
Score: 1