August 23rd, 2007

Mac users waiting months for 'critical' Java runtime update

Posted by Ryan Naraine @ 9:38 am

Categories: Apple, Botnets, Browsers, Data theft, Exploit code, Firefox, Hackers, Metasploit, Microsoft, Open source, Passwords, Patch Watch, Pen testing, Responsible disclosure, Spam and Phishing, Spyware and Adware, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Security, Apple Macintosh, JDK, Java, Sun Microsystems Inc., Apple Inc., Apple Mac OS X, Ryan Naraine

Ten months ago (October 2006), a member of Google’s security team discovered and reported two code execution vulnerabilities in Sun’s Java ICC (image) profile parsing code.

Seven months later (May 2007), Sun issued an update (JDK 1.5.0_11-b03) that was available for Window, Solaris, and Linux.

One big problem. It’s August 2007 and Apple’s Java runtime has not yet been updated, meaning that millions of Mac OS X users are at risk of remote code execution attacks.

An alert from IBM’s ISS X-Force spells out the danger:

Integer overflow in the embedded ICC profile image parser in Sun Java Development Kit (JDK) before 1.5.0_11-b03, and 1.6.x before 1.6.0_01-b06, allows remote attackers to execute arbitrary code or cause a denial of service (JVM crash) via a crafted JPEG or BMP file.

Chris Evans, the Google engineer credited with finding/reporting this issue, told me he only dealt with Sun’s security response team during the disclosure process.

“I reported the issue just to Sun. My personal understanding is that Sun itself coordinates the heads-up with all affected consumers. You might want to contact Sun directly to see if they included Apple,” Evans said in an e-mail exhange.

Apple’s security team does not answer questions on specific patches (my queries routinely get a non-response about taking security seriously) so it’s anyone’s guess when a Mac OS X update will ship.

[ SEE: Mac Developer mulling OS X equivalent of ZERT ]

Tired of waiting for Apple, developer Landon Fuller has taken matters into his own hands, creating a third-party patch with full source code.

Fuller, a former engineer in Apple’s BSD Technology Group and one of the primary faces behind the “Month of Apple Fixes” project earlier this year, released a proof-of-concept exploit alongside the patch to show how a rigged image file can be used to crash a fully patched browser.

“It may be difficult to exploit, but it’s a fairly long time to be sitting on a public issue,” Fuller said in an instant messaging exchange. “Admittedly it’s time consuming to push out a new Java release, especially if you need to merge in local JRE/JDK changes and run the full TCK validation suite, but it shouldn’t take this long,” he added.

Fuller’s patch requires the use of Unsanity’s Application Enhancer. Alternatively, Mac OS X users can disable Java in your browser to close the most likely vector.