OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Java falls three times at Pwn2Own

Published March 7th, 2013 at 5:12 PM EST , modified March 7th, 2013 at 5:12 PM EST

Every year, at the CanSecWest security conference, an infamous competition is held, called Pwn2Own. The basic idea of the contest is to “pwn,” or hack, different web browsers or technologies. Hacks must involve previously unknown vulnerabilities, and winners not only get a sizable cash prize, but they also win the computer that they hacked (thus the “Pwn2Own” name).

Yesterday, on the first day of the competition, Java itself was on the list of targets, and it found itself skewered not once, not twice, but a total of three times. No big surprise for those of us who have been covering Java vulnerabilities for a while, but it does mean we’re likely to see another round of Java updates and Apple disabling the vulnerable versions of Java. Worse, Oracle has threatened that the last version of Java 6 was the last one, so those reliant on Java may find that Apple washes their hands of Java 6 for good.

As always, quit using Java if you can, and if you can’t, you’re going to need to start taking some fairly extreme precautions. See Java is vulnerable… Again?!

Tags: ,

9 Comments

  • Someone says:

    This honestly is getting ridiculous. I mean, how obvious do we have to make it that Java is unsafe?

  • aalien says:

    “Java itself was on the list of targets” — ahahahahahahahahahahahahah

    I’m laughing so much, really! ahahahahahahahah

  • aalien says:

    “so those reliant on Java may find that Apple washes their hands of Java 6 for good” — Didn’t Apple already discarded Java?
    My 10.8.2 didn’t come with Java…

    What do you mean with that statement? Will Apple completely disable Java even if the user wants to install it manually?

    • Thomas says:

      Apple doesn’t have Java installed by default anymore, but the capacity to automatically install Java 6 as needed still exists in Mac OS X 10.8.2. If Java 6 stops getting updated, however, I could see Apple eliminating their support for Java 6 entirely, and requiring that anyone who wants Java gets Java 7 from Oracle. Of course, I have no special knowledge of Apple’s plans, so this is just speculation.

      • aalien says:

        Yes… That makes sense for me!
        Maybe they should made that some time ago. Possibly we will se that in next OS update…

      • Someone says:

        Well, that idea makes sense. It logically follows the progression of Apple’s Flashback-induced distancing from Oracle.

  • Colstan says:

    On an optimistic note, I would point out that Mac OS X was not compromised at Pwn2Own. None of the researchers attempted to compromise the MacBook Pro that was offered, that came along with a substantial cash prize, not to mention the prestige that comes with compromising a Mac. This is a good sign that Apple has locked down OS X reasonably well with Mountain Lion; apparently nobody had a ready exploit available. This is particularly interesting, in that Mountain Lion itself hasn’t had a major security patch since September, and Safari hasn’t had a patch since November 1st. Many of the software vendors patched their software before the contest, Apple did not. 10.8.3 should be out soon, but if they were concerned with the contest, then perhaps they would have released it earlier. They have done so before past competitions.

    So, I’m not saying we should be complacent, but the days of OS X itself being a ripe target for security researchers are perhaps over. Sandboxing, Gatekeeper, and other security measures have gotten some criticism, but they work. It’s now about securing Java, Flash, Adobe Reader, Office and other third-party applications. Apple has responded quickly in blocking vulnerable versions of Flash and Java, but they still remain exploit targets on all platforms.

This post is more than 90 days old and has been locked. No further comments are allowed.