Skip to main content

I Am Secure

Posted by editor on April 23, 2007 at 6:43 AM PDT

...well I thought I was

I grant that I have a pretty cavalier attitude about security, but frankly, I feel entitled to: I develop Java applications on Macs, and both Java and Mac OS X have well-thought-out, highly-regarded security schemes, particularly in comparison to the never-ending fiasco that is security on Windows.

So imagine my surprise when security researchers finally found a security exploit to hit a Mac through a hostile web page, and to do it by means of Java!

Truthfully, we don't know all the details yet, and more than a little speculation is involved, but the salient facts are these: Dino Dai Zovi and Shane Macaulay have won a security challenge (and a $10,000 prize) at the CanSecWest conference by gaining shell-level access to an up-to-date MacBook through use of a malicious web page. According to the Matasano Chargen blog page tracking the story, the current work-around to the security hole is to turn off Java in the browser, implying that the exploit uses Java in some way. Matasano also reports the attack affects Firefox as well. Specifics about the exploit are being publicly withheld, perhaps to give Apple a chance to fix them.

A MacCentral write has a few more details, such as nobody cracking the MacBook with no apps running in the contest's first few days, which led organizers to change the rules and allow "attackers" to send URL's to the target machine by e-mail.

This isn't the first time that a Mac OS X security issue has had a Java angle to it. A late 2006 security update addressed a combination of Quartz Composer and QuickTime for Java that could allow a malicious web page to gain access to the user's webcam without their permission (here's a full explanation, with code). The trick there was very orthoganal to Java -- QTJ ordinarily disallowed webcam access to unsigned applets, but approved Quartz Composer code without security checks, and while QC's access to the webcam usually consisted of rendering the image only, running it in QTJ allowed an untrusted applet to get to the rendered pixels and do whatever it wanted.

So it will be interesting to see what the Java angle ends up being in this case: whether it's an issue of applet security or some weird unanticipated side-effect that creates the security hole.

Also in Java Today,
Issue 118 of the JavaTools Community Newsletter is out, with news from around the web, including the release of version 1.1 of HDIV (the HTTP data integrity validator), announcements of new projects in the community and a graduation from the incubator (Rmic-Eclipse-plugin), and a Tool Tip on enabling GZIP compression on Tomcat.

Extending OpenSSO (Sun's open Web access management project based on Sun Java System Access Manager) with Windows CardSpace delivers a more secure authentication model than the traditional user name-password model. The SDN article Securing Site Access With CardSpace and OpenSSO: An Overview describes the benefits, basic architecture, and process flow of a lightweight implementation developed by ICSynergy International, by making use of the OpenSSO.