Skip to main content

I Am Secure

Posted by editor on April 23, 2007 at 6:43 AM PDT


...well I thought I was

I grant that I have a pretty cavalier attitude about security, but frankly, I feel entitled to: I develop Java applications on Macs, and both Java and Mac OS X have well-thought-out, highly-regarded security schemes, particularly in comparison to the never-ending fiasco that is security on Windows.

So imagine my surprise when security researchers finally found a security exploit to hit a Mac through a hostile web page, and to do it by means of Java!

Truthfully, we don't know all the details yet, and more than a little speculation is involved, but the salient facts are these: Dino Dai Zovi and Shane Macaulay have won a security challenge (and a $10,000 prize) at the CanSecWest conference by gaining shell-level access to an up-to-date MacBook through use of a malicious web page. According to the Matasano Chargen blog page tracking the story, the current work-around to the security hole is to turn off Java in the browser, implying that the exploit uses Java in some way. Matasano also reports the attack affects Firefox as well. Specifics about the exploit are being publicly withheld, perhaps to give Apple a chance to fix them.

A MacCentral write has a few more details, such as nobody cracking the MacBook with no apps running in the contest's first few days, which led organizers to change the rules and allow "attackers" to send URL's to the target machine by e-mail.

This isn't the first time that a Mac OS X security issue has had a Java angle to it. A late 2006 security update addressed a combination of Quartz Composer and QuickTime for Java that could allow a malicious web page to gain access to the user's webcam without their permission (here's a full explanation, with code). The trick there was very orthoganal to Java -- QTJ ordinarily disallowed webcam access to unsigned applets, but approved Quartz Composer code without security checks, and while QC's access to the webcam usually consisted of rendering the image only, running it in QTJ allowed an untrusted applet to get to the rendered pixels and do whatever it wanted.

So it will be interesting to see what the Java angle ends up being in this case: whether it's an issue of applet security or some weird unanticipated side-effect that creates the security hole.


Also in Java Today,
Issue 118 of the JavaTools Community Newsletter is out, with news from around the web, including the release of version 1.1 of HDIV (the HTTP data integrity validator), announcements of new projects in the community and a graduation from the incubator (Rmic-Eclipse-plugin), and a Tool Tip on enabling GZIP compression on Tomcat.

Extending OpenSSO (Sun's open Web access management project based on Sun Java System Access Manager) with Windows CardSpace delivers a more secure authentication model than the traditional user name-password model. The SDN article Securing Site Access With CardSpace and OpenSSO: An Overview describes the benefits, basic architecture, and process flow of a lightweight implementation developed by ICSynergy International, by making use of the java.net-based OpenSSO.


Roberto Chinnici kicks off today's Weblogs by recapping his presentation on Phobos at the Web 2.0 Expo. "On Wednesday I presented a session on Scripting and the Java Platform at the Web 2.0 Expo in San Francisco. In my talk, I went over three key components: Phobos (the server-side framework and development environment), jMaki (the client side über-framework) and GlassFish v3 (the server platform). "

In Java on Fiesty Ubuntu - will anyone notice?, Calvin Austin writes:
"Java is now part of the Ubuntu Feisty Fawn repositories but will the average user or developer even notice?"

Finally, Roger Brinkley says
e-DEPLOY Rocks.
"I spent yesterday visiting e-DEPLOY, a small JavaME developer in Brazil. What I discovered was a vibrant new company with some innovative approaches to management. There software wasn't bad either."


In today's Forums, dpatriarche is concerned about the state of
TrayIcon support for alpha channel on Windows
"I have observed that the new Java 6 TrayIcon class does not seem to properly support the 8-bit alpha channel on Windows images. It seems that if the pixel's alpha value is > 0 then it treats the pixel as opaque. On Linux and Mac the alpha channel seems to be treated properly. After much Googling the only real discussion I found about the problem was this open bug report from a year ago, complete with suggested fix."

The thread
Re: [JDIC] [dev] How to get a HICON from an awt image? discussed a means of tying into native code to get an HICON, but Markus KARG finds that lacking. "I cannot believe that I really have to copy all the bits from my AWT image into a HBITMAP on my own... That's not very nice. I have seen that a VolatileImage is a subclass to AWT Image. VolatileImage lives inside of the graphics device itself (not in normal RAM), and that means, the OS must know about that image already. So maybe there is a means to get a HBITMAP from a VolatileImage easier than doing a complete copy?"

areplogle thinks the docs are out of date, quoting them in
Re: how to obtain a TransactionManager in a servlet?
"If java:appserver/TransactionManager is not the correct interface for developers to use to get the transaction manager, the documentation should probably be updated to reflect that. From the SJAS 9.1 Developer Guide linked off the Glassfish documentation page: [...] 'You can access the Application Server transaction manager, a javax.transaction.TransactionManager implementation, using the JNDI subcontext java:comp/TransactionManager or java:appserver/TransactionManager.'"


Current and upcoming Java
Events
:

Registered users can submit event listings for the href="http://www.java.net/events">java.net Events Page using our href="http://today.java.net/cs/user/create/e">events submission form.
All submissions go through an editorial review before being posted to the
site.


Archives and Subscriptions: This blog is delivered weekdays as
the Java
Today RSS feed
. Also, once this page is no longer featured as the
front page of java.net it will be
archived along with other past issues in the href="http://today.java.net/today/archive/">java.net Archive.

...well I thought I was