Alex headshot

AlBlue’s Blog

Macs, Modularity and More

Write once, pwn everywhere

2009, crap, mac, security

Virtual machines, used widely by Java and before by Smalltalk, are a great idea when it comes to code that can execute everywhere without needing to have processor-specific (or operating-system-specific) code in an end application. And the main advantage of a virtual machine is that as long as the vm is security bug free, then applications running on top of it generally can't break the security of the system.

Unfortunately, it's not always like this. The Java VM has had, in its life, a few security related bugs (but usually in the 1.3 timeframes). More recently, there were some security bugs in 1.5 which Apple took ages to fix (in fact, over a month to even acknowledge it). It doesn't help that Mac OS X has shipped with old versions of Java installed - even the end-of-life ones. (1.5 is coming up on end of life soon; and since there's no 1.6 on the PPC, I wonder if there will be any further security updates there? Still, Apple has already killed Java)

But the recent VM related problem isn't with Java - it's with ActionScript, otherwise known as ECMAScript or JavaScript, and this time, in Adobe products rather than Firefox. This one is rather serious, as the Adobe security APSA09-03 lists, in that it can enable transparent remote code execution at the Adobe VM layer, which can be triggered by multiple entry points. These entry points include Flash, Reader and Acrobat, but potentially more applications that embed Flash content as well, principally web browsers that execute Flash content in web pages.

Using good security practices, like using FireFox with the NoScript and AdBlock extensions, can help to a certain extent, but trusted websites can be (and have been) hacked so even this isn't a complete security solution. The best bet is to disable Flash completely from the browser, and to un-install Adobe Reader from your systems until such time (end of the week) as a fix is found.

Mac users are also vulnerable to this security problem, because of the VM nature of this attack. It seems that the heap spray is specific to x86 systems (so PPC users may not be affected) but even so, removing this is of critical importance.

Please note that the BBC iPlayer uses Adobe technology so it would be wise to uninstall that, as well as the AIR Player that BBC iPlayer needs to be able to run.

Everyone should disable flash in the browser immediately.