SANS ISC: Breakfast: Java, Serial, and an Apple

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

According to Julien Tinnes in the CR0 Blog, it appears that Apple's recent security update failed to fix a Java flaw that was reported to Sun back in August 2008 and patched by Sun way back in December 2008.  The upshot: according to the blog (and I've yet to be able to independently confirm it) any browser on OSX that uses the Apple-supplied version of Java is vulnerable to remote exploitation against a class of flaws known as Java deserialization vulnerabilities.

Deserialization is the process of retrieving stored data that an application previously "persisted."  Deserialization attacks take advantage of the fact that the deserialization process trusts that the data being pulled from storage is correctly formatted-- i.e. it contains only the types of data expected.

It's all rather complicated, but suffice to say, both Firefox and Safari appear to be exploitable, so until we hear something definitive from Apple on the subject, we would recommend running with Java disabled in your browser on OSX.

Speaking of hearing something definitive from AAPL, I'll be happy to print whatever they send us in an update to this diary.

Tom Liston - InGuardians, Inc.
ISC - Handler On Duty