Friday, January 11, 2013

Apple Disables Java 7
In Response To New Malware

--
GO Apple! I like it... EXCEPT! There's a problem.

First the good news:

What a day. Check out this article at MacRumors:

As noted by ZDNet, a major security vulnerability in Java 7 has been discovered, with the vulnerability currently being exploited in the wild by malicious parties. In response to threat, the U.S. Department of Homeland Security has recommended that users disable the Java 7 browser plug-in entirely until a patch is made available by Oracle.
So Apple, paying attention to the situation, did THIS:

Apple used its built-in XProtect system to disable ALL versions of Java 7. No versions of Java 7 will be allowed to run until Oracle provides an update. MacRumors lists the XProtect XML code that blacklists the Java 7 Internet plug-in.

XProtect will NOT allow a Java 7 plug-in to work until Oracle updates past the current version, Java 1.7 update 10 beta 18 (AKA 7u10b18).

How to verify you have the updated XProtect.plist file:

Navigate in the Finder to here:

/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/

There you will find the file "XProtect.plist". Do a Get Info on the file to discover its 'Created' date. You'll want to see either today's date (Friday, January 11, 2013...) or later. If you see a date circa "December 13, 2012..." you do NOT have the update. You are looking at the previous version of the .plist file, NOT the updated version.

[Screenshot: a NOT updated XProtect.plist file. NOT what you want.]


How to force an update of your XProtect.plist file:

Navigate in the Finder (using the menu command Go/Go to Folder...) to here:

/usr/libexec/

There you will find the file "XProtectUpdater". If you have Administrator privileges on your Mac, you can simply double-click this file to run it. You'll see the Terminal app open. It will then perform the UNIX process built into XProtectUpdater.


Now for the PROBLEM:

At the moment, I can't get XProtectUpdater to update my XProtect.plist file on a Mac running 10.7.5. That's not good.

(We're into the realm of super geeky, nasty CLI, command line interface, hell here. I despise CLIs and the associated geekiness that goes with them. That's MY problem. YOUR results will no doubt vary).

Here is what I am consistently seeing in the Terminal after I invoke XProtectUpdater:
2013-01-11 15:29:30.053 XProtectUpdater[91712:707] Unable to verify signature: Error Domain=com.apple.security Code=-20044 "The operation couldn’t be completed. (com.apple.security error -20044.)" UserInfo=0x7ff2ba606f60 {FailingMethod=SecManifestVerifySignature}
I get these same results if I:

A) Double-click XProtectUpdater
-OR-
B) Drop XProtectUpdater on the Terminal window and invoke it
-OR-
C) Use 'sudo', space, then invoke XProtectUpdater

This is apparently a security problem over at Apple.com, NOT on my machine UNLESS Apple has only provided the XProtect.plist update for OS X 10.8, which is a distinct possibility.

If other folks have further insights into this problem, please post a comment.

Today's Java BS has burned me out. But tomorrow I will be checking for new information as well as testing XProtectUpdater on my 10.8.x systems. If you run into this same problem updating your XProtect.plist file, stick to the mantra:

Just Turn Java OFF.

If you don't know how, travel on down the blog to my previous articles about Java 7.

:-Derek


6 comments:

  1. > Apple used its built-in XProtect system to disable ALL versions of Java 7.

    Actually, they established the minimum version as 1.7.10.19, so what version is Java 7 update 10?

    > UNLESS Apple has only provided the XProtect.plist update for OS X 10.8, which is a distinct possibility.

    All three posted updates have the same limitation for Snow Leopard (#53), Lion (#1037) and Mountain Lion (#2027) at this time, so updates should all work.

  2. Found the answer.
    Current Java 7 version is 1.7.010-b18.

  3. > 2013-01-11 15:29:30.053 XProtectUpdater[91712:707] Unable to verify signature: Error Domain=com.apple.security Code=-20044 "The operation couldn’t be completed. (com.apple.security error -20044.)" UserInfo=0x7ff2ba606f60 {FailingMethod=SecManifestVerifySignature}

    So here's how it works. Each update includes a signature block at the top of the text file. I have never figured out exactly how to use it for verification. I'm sure it uses one of the Apple Certificates to do so. It also contains the date/time of the update which is then stored in /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist along with the version number. Evidently something is wrong with the signature in the Lion version. If they don't fix it by tomorrow I recommend sending the security folks a feedback note.

    The other thing that I find interesting is that I'm almost positive this is the first time they have included blacklist information in the Snow Leopard update. I always assumed that was because Snow Leopard's XProtect code was unable to interpret it. It would probably be worthwhile for somebody still running Snow Leopard to verify that XProtect does, in fact, disable use of the Java plugin before we accept the fact that Apple has protected those users.

  4. BTW: My XProtect.plist file DID update itself at about 5:15 pm Friday, just after my eyes had crusted over from reading and writing about the Java lunacy. Figures! Anyway, the automatic update worked. (^_^)/

  5. I am running 10.8.2 and had to manually "sudo ./XProtectUpdater" today, Jan 13th, to get the update. Running the Mac App Store update did nothing.

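An added example (not Apple's code, and not from the post or its commenters): the post checks the update by file date, and the comments note that the blacklist is really a minimum plug-in version (1.7.10.19) recorded alongside a version number and timestamp in XProtect.meta.plist. This sketch checks both on a constructed plist. The key names, the timestamp, and the dotted form 1.7.10.18 for 7u10 b18 are assumptions.

```python
import plistlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed stand-in for XProtect.meta.plist. Key names and the timestamp are
# assumptions; 1037 and 1.7.10.19 are the values quoted in the comments.
SAMPLE_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>LastModification</key><string>Fri, 11 Jan 2013 18:00:00 GMT</string>
  <key>Version</key><integer>1037</integer>
  <key>PlugInBlacklist</key><dict>
    <key>10</key><dict>
      <key>com.oracle.java.JavaAppletPlugin</key><dict>
        <key>MinimumPlugInBundleVersion</key><string>1.7.10.19</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

def version_tuple(text):
    # Compare numerically per component: as strings, "1.7.9.20" > "1.7.10.19".
    return tuple(int(part) for part in text.split("."))

def is_blocked(installed, minimum):
    """A plug-in is refused when its bundle version is below the minimum."""
    return version_tuple(installed) < version_tuple(minimum)

def audit(meta_bytes, installed, not_before):
    """installed: {bundle id: version}; not_before: oldest acceptable update."""
    meta = plistlib.loads(meta_bytes)
    modified = parsedate_to_datetime(meta["LastModification"])
    minimums = {}
    for group in meta.get("PlugInBlacklist", {}).values():
        for bundle_id, rule in group.items():
            minimums[bundle_id] = rule["MinimumPlugInBundleVersion"]
    return {
        "version": meta["Version"],
        "stale": modified < not_before,
        "blocked": sorted(b for b, v in installed.items()
                          if b in minimums and is_blocked(v, minimums[b])),
    }

if __name__ == "__main__":
    # 7u10 b18 written as a dotted bundle version (assumed mapping).
    plugins = {"com.oracle.java.JavaAppletPlugin": "1.7.10.18"}
    print(audit(SAMPLE_META, plugins, datetime(2013, 1, 11, tzinfo=timezone.utc)))
```

Under these assumptions, a plug-in at 1.7.10.18 is refused and one at 1.7.10.19 is allowed, which is why the rule blocks everything Oracle had shipped at the time without naming "all versions".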