The Java Exploit: How Dangerous Is It?

Ted Landau's User Friendly View

The world of Mac Web sites lit up this week with news of a potentially dangerous Java exploit. Essentially, the situation is this:

Any Web site may include a Java applet. In most cases, the applet performs some useful and needed function for the Web site. So far, so good.

However, an unscrupulous developer could create a Java applet that executes some "evil" action, such as deleting files from your hard drive.

In Safari, the first time a Java applet attempts to launch, a message should pop up asking whether or not you "trust" the applet. This is a security protection. If you are visiting an unfamiliar Web site and you're unsure how safe the applet is, you can decline to trust the applet, and it won't run. So far, still so good.

The ultimate problem is that it is possible to create Java applets that run without triggering the Safari warning message. Other browsers may offer more reliable early-warning systems (as covered in this Macworld article by Rob Griffiths), but all of them are subject to some degree of risk. This means that you could get in trouble simply by visiting a Web site that contains an exploitive Java applet. No other action would be required.
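Since the whole risk hinges on a page being able to load an applet the moment you visit it, a defender's first question is which pages would do that at all. The scanner below is an added example (it is not from this column or from Apple): it walks an HTML document with the standard library's html.parser and reports every element that would make a browser with Java enabled load an applet, namely the `<applet>` tag, and `<object>`/`<embed>` elements carrying a Java MIME type or a `java:` classid. The sample page at the bottom is constructed for the demonstration.

```python
"""Flag HTML pages that would load a Java applet on visit.

Added example, not from the column. Detects <applet>, and <object>/<embed>
elements whose type is a Java MIME type or whose classid starts with "java:".
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List

# Standard applet MIME types; str.startswith accepts a tuple of prefixes.
JAVA_MIME_PREFIXES = (
    "application/x-java-applet",
    "application/x-java-vm",
    "application/x-java-bean",
)


@dataclass
class AppletFinding:
    tag: str      # element that would load the applet
    line: int     # 1-based line in the HTML source
    detail: str   # code/archive attribute, MIME type or classid


class AppletScanner(HTMLParser):
    """Collect every element that would cause a Java applet to load."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[AppletFinding] = []

    def handle_starttag(self, tag, attrs):
        # Attribute names are already lowercased by HTMLParser; values may be None.
        a = {name: (value or "") for name, value in attrs}
        line, _ = self.getpos()
        if tag == "applet":
            detail = a.get("code") or a.get("archive") or "<applet>"
            self.findings.append(AppletFinding(tag, line, detail))
            return
        if tag in ("object", "embed"):
            mime = a.get("type", "")
            classid = a.get("classid", "")
            if mime.lower().startswith(JAVA_MIME_PREFIXES) or classid.lower().startswith("java:"):
                self.findings.append(AppletFinding(tag, line, mime or classid))


def find_applets(html: str) -> List[AppletFinding]:
    """Return every applet-loading element in the page, in document order."""
    scanner = AppletScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def loads_java(html: str) -> bool:
    """True if visiting the page with Java enabled would start an applet."""
    return bool(find_applets(html))


# Constructed sample page: one plain image, two Java embeds of different
# styles, one Flash embed (not Java), and one object using a java: classid.
SAMPLE_PAGE = """\
<html><body>
<img src="logo.png">
<applet code="Demo.class" width="1" height="1"></applet>
<object type="application/x-java-applet" width="1" height="1">
  <param name="code" value="Demo.class">
</object>
<embed type="application/x-shockwave-flash" src="movie.swf">
<object classid="java:Demo.class"></object>
</body></html>
"""

if __name__ == "__main__":
    for f in find_applets(SAMPLE_PAGE):
        print(f"line {f.line}: <{f.tag}> {f.detail}")
```

Run against saved pages or a proxy's response bodies, this gives a simple pre-visit or post-hoc check; it says nothing about whether a given applet is malicious, only that the page would start one without asking.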

This risk exists because the root of the vulnerability is inherent in the Java implementation used by Mac OS X. People have known about this security hole for quite some time. Sun Microsystems provided a patch for it months ago. Unfortunately, Apple has still not updated Mac OS X to include the patched version.

Apple's lag in fixing the problem is what led Landon Fuller to post a "proof-of-concept" Java applet, showing just how potentially serious the vulnerability could be. This, in turn, is what led to the current round of news stories about the exploit (including the one you're now reading!).

Until Apple offers a fix, the only sure-fire way to prevent getting burned is to turn off the preferences setting in your browser that enables Java to run. For Safari, this means going to Safari > Preferences > Security > Web content and unchecking Enable Java. You should also go to General and uncheck "Open 'safe' files after downloading."

If you later go to a site that you trust and that requires Java, you can temporarily turn the preference settings back on.
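If you manage more than one Mac, or simply want to confirm that the two preference changes above actually took, a script is easier than clicking through Preferences on each machine. The audit below is an added example (not from this column or from Apple). It assumes that Safari keeps its settings in ~/Library/Preferences/com.apple.Safari.plist, that "Enable Java" is stored under the key WebKitJavaEnabled and "Open 'safe' files after downloading" under AutoOpenSafeDownloads, and that a key that is absent from the file means the Safari default of the era, which was enabled; verify those assumptions against your own Safari version before relying on the result.

```python
"""Audit a Safari preferences file for the two settings the column recommends turning off.

Added example, not Apple's code. Assumed preference keys:
  WebKitJavaEnabled      -> Security > Web content > Enable Java
  AutoOpenSafeDownloads  -> General > Open 'safe' files after downloading
A missing key is treated as the old Safari default, i.e. enabled.
"""
import plistlib
from pathlib import Path
from typing import Dict, List

# Assumed location of Safari's preference file (binary or XML plist).
SAFARI_PLIST = Path.home() / "Library" / "Preferences" / "com.apple.Safari.plist"

# (preference key, value the column recommends, label as shown in Preferences)
RECOMMENDED = (
    ("WebKitJavaEnabled", False, "Security > Web content > Enable Java"),
    ("AutoOpenSafeDownloads", False, "General > Open 'safe' files after downloading"),
)


def audit_prefs(prefs: Dict[str, object]) -> List[str]:
    """Return one finding per setting that is still in the risky (enabled) state."""
    findings: List[str] = []
    for key, wanted, label in RECOMMENDED:
        # Absent key: assume the default of the era, which was "on".
        actual = bool(prefs.get(key, True))
        if actual != wanted:
            findings.append(f"{label} is ON (key {key}); turn it off")
    return findings


def load_prefs(path: Path = SAFARI_PLIST) -> Dict[str, object]:
    """Parse the preference plist; plistlib handles both XML and binary formats."""
    with path.open("rb") as fh:
        return plistlib.load(fh)


def main() -> int:
    try:
        prefs = load_prefs()
    except FileNotFoundError:
        print(f"no preference file at {SAFARI_PLIST}; Safari may never have been run")
        return 2
    findings = audit_prefs(prefs)
    if not findings:
        print("OK: Java and auto-open of 'safe' files are both disabled")
        return 0
    for line in findings:
        print("WARN:", line)
    return 1


if __name__ == "__main__":
    raise SystemExit(main())
```

On a live machine the same two values can be read with `defaults read com.apple.Safari WebKitJavaEnabled` and `defaults read com.apple.Safari AutoOpenSafeDownloads`, which goes through the preferences daemon and so reflects a change made a moment ago even if it has not yet been flushed to the file; quit and reopen Safari after changing either setting so the running browser picks it up.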

Caveats. The preceding is the official advice and I'm agreeing with it. However, whenever these security topics come up, someone inevitably asks: "Just how real a threat is this? If I don't do anything to protect myself, how likely is it that something bad will happen to me?"

My answer is: The real world risk is very, very low.

In order to be burned, someone would first have to put a dangerous Java applet out in the wild. To date, there are no known such applets.

Second, if such an applet did exist, there would be warnings about it all over the Web, as soon as it was discovered. If you are Web-savvy enough to be reading this column, chances are good you would see these warnings before there was even a remote chance of you being harmed.

Third, even if an exploitive Web site existed and you had not seen warnings about it, you would still have to be deceived into visiting the site. That means you'd have to receive some publicity about the site. Unless the exploiter is very good at generating phony publicity, this is not likely to happen.

Lastly, even if you did get some deceptive come-on, if you typically ignore invitations to go to unfamiliar Web sites and similarly trash all the spam email you receive, you would still be safe.

That's why the real world risk is very low.

The same logic applies to almost any security exploit you hear about. As a personal example, in the course of my work, I visit well above the average number of unfamiliar Web sites. And I sit in front of my computer for hours and hours every day. Yet I have never been a victim of any security exploit.

It's sort of like the warnings about how to avoid getting struck by lightning. You're not likely to ever be in danger even if you ignore the advice. But that doesn't mean you should cavalierly ignore the warnings. Especially if it doesn't otherwise cause any significant inconvenience, why take chances?

So, play it safe, and disable Java for now. Even though it probably won't matter whatever you do.

Comments

Fairly

I would simply add that the real world risk is even lower if you simply do what Ted suggests and turn Java off. And in general your real world risks will be infinitesimal if Apple can update their open source modules faster than half a year after their sources.

jbruni

Hi Ted,

The “malicious hosting site” has always been the tricky thing for hackers to develop since, as you point out, why would someone go there in the first place.

Social networking sites such as Facebook are probably the most ripe for exploitation here. Suppose you have a Windows-using friend whose PC is infected with a key-logger that manages to capture their Facebook password. The hacker then posts a link on your friend’s page saying, “Hey Ted, check this out!”.

You may or may not follow the link depending on how well you trust your friend, of course.

I don’t see this as becoming a Mac version of Conficker by any stretch, however. Now that attention is focusing on this, Apple should address it soon.

Tom Hughes

‘Third, even if an exploitive Web site existed ...’

“exploitative” is the word.

Mario

Come on, hackers do not need to convince people to visit an unfamiliar site. Hackers just inject exploits on famous sites to infect thousands of people at the same time - security news reports such cases every day.

Ted Landau

“exploitative” is the word.

It appears that both are correct—at least in the several dictionaries that I checked.

vasic

Phishing would be the most effective method to exploit this java hole. You get a message from your bank; for example, your May statement is available for viewing. You click on the link, you’re hacked.

While most of us are aware of phishing, most of us also know that there are no exploits out there for the Mac, and most of us believe they can safely click on a phishing link, knowing that they’ll get to a phishing page. Oftentimes, we do it just out of curiosity, to see how convincing the phishing page looks. Besides, phishing still seems to be effective, at least judging by the volume of phishing spam. And usual anti-phishing controls that most current browsers already have (alerting you that the site isn’t actually genuine) wouldn’t work here. Once you click on the link in the e-mail, the browser opens, automatically launches the applet, which does its malicious thing, and by the time you realise you’re not at your bank’s site, the bad deed is done.

This really needs to be plugged right away.
