Fixing OSX's Java 1.5.0 Vulnerability

It's been known for some time now that OSX ships a Java with a pretty bad bug: a malicious applet can escape the sandbox and run commands as the logged-in user. The issue is CVE-2008-5353, a flaw in how java.util.Calendar objects are deserialized, and it puts Mac users at serious risk of getting owned simply by visiting a web page. Sun fixed it in a patch released in early December 2008, more than six months ago as of this writing. I was almost starting to think up a conspiracy theory that Apple needed the vulnerability for something, but then I found that Brian Krebs of the Washington Post had reported on the gaps between Sun's fixes and Apple's updates: an average of 166 days.
This big Java never-fix hole got a lot of press around May 19-22. It even motivated me to dig around Apple's feedback site and ask them to please fix it as soon as possible. Nearly a month later, nothing. Even the release of the impressive and sleek Safari 4 left the issue in place.
Remediating the Issue
Note: As of 6/16/2009, Apple has released a Java update that fixes the vulnerability this article works around.
The steps below are left for posterity; to fix the problem, simply choose "Software Update" from your Apple menu. If you applied the work-around below, also remove the -Xbootclasspath line from deployment.properties again: a prepended jar keeps shadowing whatever Calendar class Apple ships from now on, including future fixes.
One can do the widely publicized work-around: turn off Java in your browser. In your browser's Preferences there is a checkbox "Enable Java" which we are told to simply un-check. I find this to be somewhat ridiculous. If we were asked to turn off Flash, there would be an Internet revolt. Disabling an entire application platform, to me, is not a suitable interim solution. This is especially true for people who use services like Wuala, Hushmail's Java-based authentication, or products like MindTerm's SSH applet.
So I went for a surgical method.
All credit for this one goes to Marc Schoenefeld of illegalaccess.org. I'd just stop at linking the site from here, but I think there are a few other details worth mentioning about his published solution. The idea is some class-path trickery: compile your own Calendar class from Sun's fixed source and put it ahead of the vulnerable one in OSX's Java library, so the bootstrap class loader picks up the fixed copy first and the original is never loaded.
Let me go through illegalaccess.org's steps:
- Find a non-OSX build of JDK 1.5.0_19, like the Linux version. You need it for the source of the fixed Calendar class, which Apple's JDK does not ship.
- This was surprisingly difficult on java.sun.com. Apparently Sun doesn't want you to use it anymore: license agreements, End-of-Life notices, and finally a .bin file that I couldn't open in OSX and had to bother my friend with an Ubuntu laptop to run and extract for me.
- Open a Terminal. Locate and extract src.zip from the JDK and find java/util/Calendar.java.
- Stay in that "root" source directory, the one where you can see java/ as a subdirectory. The javac and zip commands below are run from there so that the class files keep their java/util/ package path; without it the boot class loader will not find them.
- Compile the class from the command line:
    javac java/util/Calendar.java
- There are several compilation warnings, but they can be ignored.
- Create a new jar:
    zip /chosen/path/FixedCalendar.jar java/util/Calendar*.class
  The glob also picks up any inner classes (Calendar$*.class) the compiler produced.
- I decided to use /Users/username/lib/FixedCalendar.jar as the place where this patch jar file would reside.
- Edit ~/Library/Caches/Java/deployment.properties (the per-user Java Plug-in configuration; it does not affect stand-alone java launches) and set:
    deployment.javapi.jre.1.5.0.args=-Xbootclasspath/p:/chosen/path/FixedCalendar.jar
- Yes, keep the p: in there. That threw me off, but it should be there: /p means "prepend", so the patched Calendar is loaded before the vulnerable copy in Apple's runtime. -Xbootclasspath/a: (append) would leave the original class first and the patch would do nothing.
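The steps above as one script, added here as an example and not part of the original post or of illegalaccess.org's instructions. It assumes three paths that you should adjust: SRC_ROOT (the directory containing java/ from the extracted Linux src.zip), FIXED_JAR (where the patch jar goes) and PROPS (the Plug-in properties file). The property editor replaces an existing deployment.javapi.jre.1.5.0.args line instead of appending a second one, and the final check refuses to report success if the value uses /a: (append) instead of /p: (prepend) or if the jar is missing.

```shell
#!/bin/sh
# Added example: builds FixedCalendar.jar from Sun's JDK 1.5.0_19 source and
# wires it into the Java Plug-in's per-user deployment.properties.
# The three paths below are assumptions; override them in the environment.
set -u
SRC_ROOT="${SRC_ROOT:-${HOME:-/tmp}/jdk1.5.0_19-src}"
FIXED_JAR="${FIXED_JAR:-${HOME:-/tmp}/lib/FixedCalendar.jar}"
PROPS="${PROPS:-${HOME:-/tmp}/Library/Caches/Java/deployment.properties}"
JRE_ARGS_KEY="deployment.javapi.jre.1.5.0.args"

# Compile java/util/Calendar.java in place and zip the class files into a jar.
# Both commands run from the source root so the entries keep their
# java/util/ package path, which the bootstrap loader requires.
build_fixed_calendar_jar() {
    src_root=$1 out_jar=$2
    if [ ! -f "$src_root/java/util/Calendar.java" ]; then
        echo "no java/util/Calendar.java under $src_root" >&2
        return 1
    fi
    mkdir -p "$(dirname "$out_jar")"
    rm -f "$out_jar"
    ( cd "$src_root" && javac -nowarn java/util/Calendar.java \
        && zip -q "$out_jar" java/util/Calendar*.class )
}

# Set key=value in a Java properties file, replacing an existing assignment
# for that key (first occurrence kept, later duplicates dropped) or appending
# one if the key is absent. Key and value go through the environment so awk
# does not interpret backslash escapes inside them.
set_property() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    P_KEY="$key" P_VALUE="$value" awk '
        BEGIN { k = ENVIRON["P_KEY"]; v = ENVIRON["P_VALUE"] }
        index($0, k "=") == 1 { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END { if (!done) print k "=" v }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Read a property back; prints nothing if the file or key is absent.
get_property() {
    file=$1 key=$2
    [ -f "$file" ] || return 0
    P_KEY="$key" awk 'BEGIN { k = ENVIRON["P_KEY"] }
        index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$file"
}

# Succeeds only if the jar exists and the JRE args PREPEND it (/p:).
# An /a: (append) entry would leave the vulnerable Calendar first, so it fails.
patch_is_wired() {
    props=$1 jar=$2
    [ -f "$jar" ] || return 1
    case "$(get_property "$props" "$JRE_ARGS_KEY")" in
        *"-Xbootclasspath/p:$jar"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the whole procedure only when invoked as: sh fix-calendar.sh apply
if [ "${1:-}" = "apply" ]; then
    build_fixed_calendar_jar "$SRC_ROOT" "$FIXED_JAR"
    set_property "$PROPS" "$JRE_ARGS_KEY" "-Xbootclasspath/p:$FIXED_JAR"
    if patch_is_wired "$PROPS" "$FIXED_JAR"; then
        echo "patch wired into $PROPS; restart the browser"
    else
        echo "patch NOT wired correctly" >&2
        exit 1
    fi
fi
```

Because the plug-in reads deployment.properties when it starts, the browser has to be restarted for the new -Xbootclasspath to take effect; the final check only proves the file says the right thing, so still run the applet test from illegalaccess.org afterwards.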
After that, you can re-check "Enable Java" in your browser(s) and surf the web safely (for now, as far as we know). Follow the rest of Marc Schoenefeld's testing recommendations to verify that it works correctly; a plug-in that silently ignored the property would leave you exactly as exposed as before.
So while it's not the simplest solution, it definitely works. I verified that Landon Fuller's proof-of-concept applet now fails with a "Bootstrap Failure" error, a better result than the applet telling you you've just been exploited.
Patch that Mac! Use Java. Mmmm, web-based Java.
