Wednesday, April 4, 2012

Poisoned coffee

The Flashback trojan which is making the rounds can mount an attack through the vulnerable JVMs in 10.4 and 10.5 (and as we all know, Apple is no longer issuing security updates for PowerPC at all). I don't know if Flashback can penetrate PPC systems or merely crashes them, but there are enough cross-platform components within the attack that it seems at minimum possible. (Note to Classilla users: the JVM is too old in OS 9 and the cross-platform components require a Unix shell, so the most Flashback can make you do is bomb.)

UPDATE: Some people are linking to this post to try to warn PowerPC users that we are also vulnerable, but I have seen many people express disbelief because to date no one knows of any PPC systems that have actually been infected.

Well, let me disabuse you of the notion that we are resistant to the attack: the CVE in question exploited by Flashback a/k/a Flashfake is CVE-2012-0507 and Oracle themselves say Java 2 Standard Edition 5.0 update 33 and before are vulnerable. J2SE 5.0 corresponds to Java VM 1.5, which is the JVM in use on 10.4 and 10.5 PowerPC, and no version of Apple Java for 10.4 or 10.5 is at update 33. So the hole exists. (There is an OpenJDK 7 available for 10.5 at least, but there is no browser plugin for it and the vulnerable JVM is still on your system, so you must take specific steps to disable the old system VM and also disable Java in your browser.)

But wait, it gets worse. The hole in question is a "sandbox violation", meaning it allows Java code that would normally run in an unprivileged environment to run with privileges. Read that sentence again: it allows Java code to do it, not merely native code. The malicious bootloader which Flashback/Flashfake uses to mount its attack will run on PowerPC because it is written in Java. When Flashback/Flashfake starts up, it initiates the sandbox exploit and, now possessing privileges, runs its bootloader which then grabs an actual native binary. The bootloader is cross-platform and works on Windows and Mac OS X. The binary the bootloader fetches and then executes is the true payload. MSDN has an excellent analysis.

The true (and as near as I can tell, the only) reason Power Macs are resistant so far is because the binary that is loaded is not compiled for PPC. That's it. The actual attack works. If the evil brains in a .jar behind Flashback were to compile their payload as a Universal binary and link it to an appropriate PPC SDK, the payload would also run, and the system would be exploited. So turn off Java now. It is no longer safe on Power Macs. Don't make your system's safety dependent on how lazy the Flashback authors are.
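As an added example (not part of this post or of TenFourFox), here is a small POSIX shell script that turns the two defensive steps above into something checkable: it classifies a JVM version string against the rule quoted from Oracle (J2SE 5.0 update 33 and earlier are vulnerable), and it moves any Java browser plugin bundle out of a plugin directory into a "Disabled Plugins" folder, which is the approach comment 28 below recommends. The plugin directory path `/Library/Internet Plug-Ins`, the name-matching heuristic for Java bundles, and the sample banner line are assumptions of this example; versions outside the 1.5 line are reported as `unknown` because the post states no threshold for them.

```sh
#!/bin/sh
# Added example, not from the post. Two defensive checks for the Java hole
# discussed above (CVE-2012-0507 per the post).

# Classify a version string as printed by `java -version` (e.g. 1.5.0_30).
# Rule from the post's quote of Oracle: J2SE 5.0 update 33 and before are
# vulnerable. Other major versions are reported as "unknown" (assumption:
# we encode only the rule the post states). Prints one word on stdout.
java_status() {
    v="$1"
    case "$v" in
        1.5.0_*) ;;                              # handled below
        1.5.0)   echo vulnerable; return 0 ;;    # no suffix means update 0
        *)       echo unknown;    return 0 ;;
    esac
    upd="${v#1.5.0_}"
    # keep only the leading digits, e.g. "30-b03" -> "30"
    upd="$(printf '%s' "$upd" | sed 's/[^0-9].*$//')"
    case "$upd" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$upd" -le 33 ]; then echo vulnerable; else echo patched; fi
}

# Pull the version token out of `java -version` output (which goes to stderr,
# hence the 2>&1 in the caller). Empty output if no "java version" line.
java_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Move every *.plugin bundle whose name contains "java" (any case) from
# DIR into DIR/Disabled Plugins, so no browser can load it. Prints the
# number of bundles moved. Assumption: Apple's Java plugins live in
# /Library/Internet Plug-Ins and carry "Java" in their bundle name.
disable_java_plugins() {
    dir="$1"
    dest="$dir/Disabled Plugins"
    moved=0
    for p in "$dir"/*.plugin; do
        [ -e "$p" ] || continue                  # no matches: glob is literal
        name="$(basename "$p")"
        case "$name" in
            *[Jj][Aa][Vv][Aa]*)
                mkdir -p "$dest"
                mv "$p" "$dest/"
                moved=$((moved + 1))
                ;;
        esac
    done
    echo "$moved"
}

# Demo on a constructed banner line (no live JVM needed).
sample_banner='java version "1.5.0_30"'          # constructed sample
ver="$(java_version_from_banner "$sample_banner")"
printf 'sample JVM %s: %s\n' "$ver" "$(java_status "$ver")"

# Against the real system JVM, if one is on the PATH.
if command -v java >/dev/null 2>&1; then
    sysver="$(java_version_from_banner "$(java -version 2>&1)")"
    printf 'system JVM %s: %s\n' "${sysver:-?}" "$(java_status "${sysver:-}")"
fi
# To actually disable the plugins on a Mac (needs write access to the dir):
#   disable_java_plugins "/Library/Internet Plug-Ins"
```

Run it as-is to see the classification of the sample and of whatever `java` is on your PATH; call `disable_java_plugins` with the real plugin directory only when you intend to move the bundles, since it changes the filesystem.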

Back to the previous article ...

Java requires a (surprise!) plugin to run in TenFourFox, so by default we are not vulnerable, and even if you enable plugins "against medical advice" the Java plugin preference is specifically set to hide the Java plugin by default as well. You would have to turn on both preferences to actually get the exploit to occur (assuming that it can attack Power Macs), so we are safe from this attack in the vast majority of configurations.

Mozilla has started blocking old versions of the Java Plugin on Windows because of the BlackHole exploit kit which takes advantage of the same vulnerability, and they will extend this block to the Mac shortly. I don't know if we will take this code since it will block everyone from using Java, even those taking reasonable precautions, because there is no way to update the system JVM. It might be nice for someone in their copious spare time to look at porting one of the Java SDK clones to 10.4, you know, between saving the world and doing the dishes.

The CoreGraphics accelerated backend I talked about in the last post is now able to partially render text too. Still get crashes with gradients, so still not ready for prime time.

48 comments:

  1. Regarding Java, there might be false security I must mention: Hiding the Java Plugin in about:config is not reliable, I think it doesn't work at all anymore. See screenshot below – the fake LED thingy is a Java applet, while tenfourfox.layout.hide_java_plugin is set to True. I don't know when this started and I never investigated it because the configuration isn't supported anyway.

    If you can't live without plugins (which mostly means „Flash“), I would advise to disable the Java Plugin and everything else you don't need (Shockwave Director, Real… anyone remember those?) in the Addons manager. This works reliably. This way you can cure your plugin addiction step by step (I'm making good progress myself), instead of making the hard cut.

    http://s13.postimage.org/epbgqvp2f/Picture_2.png

  2. Well, damn. That'll need to be fixed. Issue 141.

  3. This comment has been removed by the author.

  4. There is a ppc port of OpenJDK 7, but only for 10.5.x and X11 toolkit. No Cocoa.

    http://javaevangelist.blogspot.com/2012/02/openjdk-7-on-apple-g5-powerpc-on-mac-os.html

  5. We have to be reasonable: there are security holes in 10.4 and 10.5 which Apple isn't fixing anymore. The only saving grace is that as PowerPC becomes rarer and rarer, we become a smaller and smaller target. Ironically Apple is helping us here by making current versions of Xcode unable to build PowerPC binaries, so anyone who wants to build a cross-platform exploit has to work harder and the payoff is getting smaller.

    If security were my only concern, yeah, I'd run Lubuntu or something (or, more likely, get a samflex and run AmigaOS 4). But security through obscurity, though lousy security, is not zero security. That said, there's no excuse for holes in TenFourFox, and I'll close the one Chris discovered in 10.0.4 and 12.

    Unknown, I think I've seen that before, but TTBOMK there's no plugin that can go in a browser (it only runs standalone apps). Still, that's a good solution for people who have to use it.

    Got axial ("linear") gradients working last night in the graphics toolkit and it no longer crashes on radials. Still having trouble with text though. Progress, progress.

  6. This comment has been removed by the author.

  7. Chris, can you set dom.ipc.plugins.java.enabled to false and make sure that disables the plugin? If so, then I'll fix issue 141 by just defaulting that to false and deprecating the tenfourfox.* specific preference in 10/removing it in 12.

  8. Hm, this is weird. I looked into it: dom.ipc.plugins.java.enabled already *is* defaulted to false in a fresh profile. This switch, true or false, also has no effect. The plugin just loads. Also, toggling dom.ipc.plugins.enabled.i386.javaappletplugin.plugin and dom.ipc.plugins.enabled.i386.javaplugin2_npapi.plugin has no effect. The only way right now to switch Java off is in the Add-ons manager, or disabling plugins altogether.

  9. Just verifying: so if you use the tenfourfox.plugins.YOU_KNOW setting to completely disable plugins, Java doesn't start, right?

    If so, we can hook into that. However, I'll use the tenfourfox java plugin setting there since that is already disabled by default.

  10. Exactly. With plugins completely disabled, Java doesn't appear to start. If the applet would draw on the screen, I get a white space in its place, and http://keepvid.com, which doesn't draw but needs Java under the hood, tells me to install Java.

  11. Clever you :) Instead of going OpenGL 2.0 way, you are going for a CoreGraphics :) I'm happy, we will get hardware acceleration for both 10.4 and 10.5 :)
    Congrats and thanks for all the work.

  12. This comment has been removed by the author.

  13. @paraflow, yes, Azure is definitely the way to go and it lets the operating system do most of the work. Blitting and scaling is now a lot quicker in canvas -- I am looking forward to when they start using Azure in more things such as video playback. You can tell the 3D card is involved because scaling up a canvas object is now much less pixelated.

    @commenter, yes, I'm a POWER bigot and I'm glad to see that it's still eating other architectures' lunch in gaming, servers and high-end embedded, though I am sad that the only new general purpose computer with a Power CPU is the AmigaOne X1000. Which I've already signed up for, although the G5 runs rings around the PA6T-168M for most workloads.

    @Chris, thanks. I was able to duplicate the flaw on my 10.4 system and then patched in a fix. The applet no longer loads. I also fixed up the plugin settings a bit, so this will go in both 10.0.4 and 12.

  14. (I should also add that the 10.4 Azure CoreGraphics backend is now fully operational. The only glitch left is a bit of weird dark fringing with radial gradients varying alpha, which I think is an edge case in the shading function, and I may or may not have this fixed for 12 though I do have a test case. Text works and so do all other operations, even with pdf.js, so Azure will be enabled by default after all.)

  15. I've recently noticed an annoying minor problem. I'm not sure if it's a Firefox problem or TenFourFox problem, but I thought I'd just mention it.

    I've always set TenFourFox/FireFox to spell check with Canadian English, but it now keeps defaulting back to US English. I have Canadian English as my top language preference, but in text fields, I keep having to right-click and switch from US to Canada every time. I'm unsure which version of TFF this started in, but I think I've only seen this in the last few weeks.

    (Is this some kind of conspiracy to turn Canadians into Americans?? ;))

  16. This comment has been removed by the author.

  17. @commenter: Hang on, let's not get ahead of ourselves. Azure helps with pushing pixels, which does help performance, but is not a codec and by itself doesn't do anything for H.264 or anything else. "All" it does is reduce the overhead of drawing operations, which right now is unnecessarily large compared to, say, Safari. I'm hoping Mozilla will use this for video blitting but it doesn't look like this is on their radar right now.

    TenFourFox is Mac OS X-specific in terms of scope as the name suggests. On those other platforms (I presume you mean MorphOS, Linux PPC, NetBSD?), I think it would be more useful to incorporate the AltiVec and JS JIT work as foreign patches towards the end of a generic PPC-accelerated Firefox. TenFourFox exists because Mozilla doesn't support 10.4/10.5 PPC and necessarily we must fork the project, but there's no reason not to use mainline Firefox other places with these patches unless Mozilla for some reason declines to accept them into their tree. I doubt they would say no, particularly for Linux.

    @mr_a500, there are a number of similar bugs, such as 717433, 727723, 728069, 741298, etc., just on a cursory look, so I think that this is probably a Mozilla cross-platform issue. It seems to affect T-bird as well.

  18. This comment has been removed by the author.

  19. This comment has been removed by the author.

  20. @ClassicHasClass, thank you again for your efforts on TFF :)
    Azure is cool, as is your work guys.

    @commenter - there is a way to get full H264 hardware acceleration in the GPU with OpenGL shading language:
    Here is the project board:
    http://wiki.xbmc.org/?title=GSoC_-_GPU_Assisted_Video_Decoding

    The forum about it:
    http://forum.xbmc.org/showthread.php?tid=33802

    And the best progress of the idea so far (thanks to Kaspar Bumke )
    https://github.com/kasbah/gsoc

    unfortunately, the project has never been completed. But flawless 1080p on Powerbook is possible. Good luck

  21. @ClassicHasClass, mPlayer OSX with CoreVideo output (I think it is using the same output layer as your CoreGraphics and Azure) is doing 12-18 fps on 1080i MPEG2 and mkv :)
    So there is room for even more, never had luck with OpenGL output in 10.5 for mPlayer OSX.

  22. Apropos Java: Can we play RuneScape in TFF11?

  23. Not by default. If you enable plugins and Java, maybe (and at your own risk), but I've never tried it; I don't know what JVM version it requires.

  24. Minimum requirement for RuneScape is Java runtime 1.6 update 10. Meaning you're out of luck on PPC with any browser since the last Java version for PPC Mac OS X seems to be 1.5.0.

  25. Waiting for signoffs still. There's a couple major bugs that got fixed in the beta process. Similarly, we don't have signoffs for 10.0.4, so I'm just watching akeybl's calendar and for the build tags on hg.

  26. About the Java warning: disabling Java plugin is easy, but what is the best way to remove/disable Java from the OS? Is there a quick way to determine if any of my installed software requires Java and will become crippled if I disable it?

    (I know this is unrelated to TenFourFox, but since we're talking about Java...)

  27. In light of the recent hoopla surrounding Ubuntu 12 LTS, I gave it a brief spin this weekend on an x86 I have around (the new PPC). The good news is TenFourFox has nothing to worry about from end-user Linux. Interestingly enough, the aurora theme, transparent dock and familiar menu bar have all made the conversion but that's where the similarities end. I gratefully returned to Windows 8 after successive performance disappointments by LMDE Cinnamon and Ubuntu left me unwilling to attempt Fedora the same day.

    1. But if someone ported Chromium OS that would re-open the debate.

    2. @commenter
      I myself am using Macbuntu (ubuntu 11.04 based) and Firefox 11.0 on a Core 2 Duo - 1.83GHz and I must admit, my Powerbook G4 1.67Ghz will go to my sister forever :)
      I'm very happy with wine and all the linux alternative software. I'm supporting TFF :) and of course, this will be installed as default on the reinstalled OSX 10.5 Powerbook for my sister. Thanks again TFF guys.

  28. mr_a500, I think it's sufficient to disable the Java plugin(s). You can just move it out of Library > Internet Plugins (or create a folder „Disabled Plugins“ and move it in there), and no browser will be able to use Java anymore, meaning you're safe. Java itself, I would dare to say, cannot be uninstalled from Mac OS X 10.4 or 10.5 by mere mortals without destroying or severely crippling the system, and it's also unnecessary.

  29. Chris, thanks for the reply. I removed Java plugin from Library > Internet Plugins a while ago. (last year, for some reason... must be psychic ;))

  30. @Tobias, not sure what's changed but the latest lepkit loads GV perfectly.

  31. This comment has been removed by the author.

  32. @Tobias, you've resurrected Safari, now if only ClickToPlugin could enable fullscreen HTML5...

    1. Just uploaded a new build that has enabled fullscreen support for video content played by QuickTime. It was disabled in the WebCore sources on 10.5, obviously because some controls don't render correctly (the button to enter fullscreen and the Play/Pause button while in fullscreen), which seems to be a QuickTime issue Apple didn't fix anymore.
      So far it works on youtube for me. That's what we're able to get in 10.5.

      Aren't we a bit off topic here?

  33. http://blog.mozilla.org/addons/2012/04/16/java-plugin-blocked-for-os-x-10-5-and-older/

    This is already visible in the Add-ons manager. I can't tell if they can disable the plugin remotely (the blog post sounds like they can) because I already had it disabled. Certainly you'll get this warning from now on: http://s16.postimage.org/sxys0zvkl/Picture_1.png

  34. Well, what do people think? You can disable the blacklist with a pref, but it ships on right now.

    The reason I think we should disable it by default in ESR is because it may end up hitting other plugins we can't upgrade and frankly if you turn on plugins you already acknowledge they are insecure (if you have any brains at all). For unstable I'd like us actually to start maintaining our own blacklist, but opinions solicited from the usual suspects as to what they would prefer. We still have some time because Mozilla has not tagged any builds yet, so I'm just twiddling my thumbs here.

    Btw, Azure may be preffed off by Mozilla for 12-final due to a crash bug, but I think the risk is pretty low. We'll see.

  35. Oh, they *can* disable the Java plugin via the blacklist, ok, I didn't know that. And the pref is called blOcklist, that's why I never found it :-) Blocklist.xml was indeed updated today in my profile folder.

    I think if TFF has plugins disabled by default anyway, the blocklist can as well be disabled. A TFF custom blocklist in the future is probably a good idea.

  36. @Tobias, Nicely done. There is the possibility of an Aurora if not 10.4 port when H.264 arrives. Also a WebKit-7450 build, possibly with built-in AB & CTP, would be very interesting at this point.

    @ClassicHasClass + Chris, I concur. Until Chromium OS, when Apple is forced to decide between resuming security updates or gradually losing their antiques to Google, security should be the order of the day.

  37. @commenter
    Does your comment mean, that there will be Chrome OS for PowerPC?

  38. This comment has been removed by the author.

    1. Extending the functionality of WebKit is not part of the goal of leopard-webkit - and I don't even have the time to look into implementing the new JavaScript interpreter (LLInt) for the PowerPC architecture, so I'll much less think of beginning to add any functionality.

    2. This comment has been removed by the author.

    3. @commenter do you plan any work based on XBMC OpenGL video decoding solution for PowerPC architecture?
