hackademix.net

An old Java vulnerability, already fixed 6 months ago in every Java implementation except Apple’s, allows remote attackers (i.e. malicious web sites) to launch arbitrary code from Safari or Firefox with full user privileges, evading the Java applet sandbox on Mac OS X.

Here’s the Slashdot’s routine Apple+Java bashing with linked source articles.

At this moment, the easiest way to protect your Mac web browser is either turning off Java globally or… you know what ;)

Update Jun 15th

Three weeks later, Apple finally patched..

A Firefox 3.0.8 “high-priority fire drill security update” is on its way, likely to be released by the middle of next week (April the 1^st at most, jokes aside). The reason is an emergency patch for a critical vulnerability irresponsibly disclosed by Guido Landi. I feel a bit guilty about it because Mr. Landi is Italian like me — not that here in Italy we lack reasons for being ashamed…

Beware the PoC: it will crash Firefox on Windows, Linux and Mac OS X even if you’ve got NoScript. However this crashing bug, like the vast majority of them, is not exploitable if you’ve got JavaScript and other active content disabled on the attacker site, because reliable exploitation requires scripting to “spray the heap”, i.e. to inject the malicious payload at the right places of your memory for execution.
Therefore you can easily survive until the automatic update kicks in, if you don’t mind the possibility of an annoying but not dangerous crash (thanks, session restore!) ;)

On a side note, it’s time to update Java as well: yet another bunch of critical vulnerabilities, several of them exploitable in your browser. Business as usual…

Important updates here.

Did you know crossdomain.xml, introduced by Adobe Flash to allow cross-domain requests, is now supported by Java?

A similar mechanism is being standardized for XMLHttpRequest, and had been implemented in an early Firefox 3 beta (some extra work for your friendly neighborhood NS-Man), but ultimately dropped later in the development cycle…

Even if I’m the NoScript guy, I write a lot of JavaScript all the day. As you probably know, even the JavaScript Annihilator is mostly written in JavaScript. Like Crock, I love the language, despite its current browser-bound shortcomings.

So far, my favourite editor for JS coding has been JEdit with its JavaScript plugin, providing syntax highlighting (of course!), on the fly syntax checking via Rhino and optional code completion with configurable scopes, including Mozilla “chrome window” and XPCOM.

But today I’ve watched a presentation of the new NetBeans 6.1 JavaScript capabilities, and I’m impressed.
Dynamic type guessing, browser-specific contextual help and DOM-aware AJAX library support (John, guess which they show in their demo?) may be really worth the switch.

So we’ve got the juicy details now.
On the 2^nd day of the the Pwn2Own contest, Vista has been owned by an unholy trinity of browser technologies:

1. Java has been used to inject the native payload in a known executable memory area, effectively bypassing Vista’s DEP.
2. A Flash vulnerability (an unhandled exceeding function argument, maybe due to a bug in the Visual Studio compiler or linker) has been exploited for jumping to the prefilled location.
3. JavaScript joined the party too, and my educated guess is that it just bridged the pointer location from the Java applet to the Flash object, since both are scriptable.

The full interview with Shane Macaulay (the Flash vulnerability finder) and Alexander Sotirov (of JavaScript Feng Shui fame), who helped with the Java memory preparation trick, is here.
By the way, they say JavaScript Feng Shui had been used to mount the Safari attack which brought down Mac OS X on 1^st day.
Just more confirmations of who the real winner is :)