Difference: MacOSXJava6SecurityProblem (1 vs. 5)

Revision 5 - 2013-02-14 - PaulBalm

Line: 1 to 1
 
META TOPICPARENT name="HipeKnownIssues"

Java 6 WebStart and Applet problem on Mac OS X

ALERT! DISCLAIMER: This page is currently in DRAFT and does not describe an actual current recommendation from the HSC.

Added:
>
>
If you're reading this, then in all likelihood, you have attempted to start the HSA User Interface from HIPE 10.0 on Mac OS X 10.7 or 10.8 and you were presented the following pop-up:

MacOSX_WebStartBlocked.png

For a quick bottom line, skip to the section for Lion and Mountain Lion users. An explanation follows below. Users of all versions of Mac OS X are affected by this problem, and all WebStart applications are affected, not only the HSA User Interface.

 A security problem was found in Java, which has led Apple to block Java WebStart and the Java browser plug-in (for Java applets) for the affected Java versions on Mac OS X. HIPE 10 runs on Java 6, and if you're using a version of Java 6 for which WebStart was blocked, then you will not be able to start the HSA User Interface, or any other WebStart application, from HIPE.

What's the security problem? Java WebStart applications and applets run inside a sandbox, which is a security feature. It means that these applications cannot access your local filesystem and they cannot access servers other than the one from which they were downloaded, unless the user allows this explicitly. The problem that has been found in certain versions of Java, is essentially a hole in this sandbox, so that these applications can potentially access the filesystem and send data anywhere on the internet. This bug is being exploited already. Apple has blocked the affect software on OS X 10.6 ("Snow Leopard") and later, so the security threat has been remedied on those systems. If you're using OS X 10.5, you are running a risk due to this issue.
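
Review bot: The added intro at "you were presented the following pop-up" relies on the image MacOSX_WebStartBlocked.png alone, so the message is not searchable and is lost if the attachment fails to load; quote the pop-up wording in the sentence. The pointer "skip to the section for Lion and Mountain Lion users" would also be easier to follow as a link to the heading "Information for users of OS X 10.7 (Lion) and 10.8 (Mountain Lion)".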

Line: 15 to 21
 
10.6 ("Snow Leopard") Update 39 (problem fixed) Not supported The user will have to make sure to update to the latest version of Java 6 using the App Store to solve the problem (access it via the Apple icon in the menu bar and choosing "Software Update".
10.7 ("Lion") and 10.8 ("Mountain Lion") Update 37 (affected, WebStart and applets blocked) Update 13 (problem fixed) See "Information for users of OS X 10.7 (Lion) and 10.8 (Mountain Lion)" below.
Added:
>
>
 

Information for users of OS X 10.7 (Lion) and 10.8 (Mountain Lion)

There are two ways to regain access to the HSA User Interface: By accessing it via the browser using the latest update of Java 7, or by accessing it from HIPE, which you will have to install and run on Java 7 in this case.

Line: 24 to 31
 The other possibility is to uninstall Java 6, install Java 7 and re-install HIPE. This way, HIPE should run on Java 7. HIPE has not been validated to work correctly on Java 7, but we have no reason to believe that there are any issues. We plan to provide a more detailed procedure on how to go about this installation in the future.

-- PaulBalm - 11 Feb 2013 \ No newline at end of file

Added:
>
>
META FILEATTACHMENT attachment="MacOSX_WebStartBlocked.png" attr="" comment="" date="1360846320" name="MacOSX_WebStartBlocked.png" path="MacOSX_WebStartBlocked.png" size="24094" stream="MacOSX_WebStartBlocked.png" user="Main.PaulBalm" version="1"

Revision 4 - 2013-02-12 - PaulBalm

Line: 1 to 1
 
META TOPICPARENT name="HipeKnownIssues"

Java 6 WebStart and Applet problem on Mac OS X

Line: 13 to 13
 
OS X Version Latest Java 6 update Latest Java 7 update How you're affected
10.5 ("Leopard") Update 37 (affected) Not supported The blocking mechanism was introduced in OS X 10.6, so the software is not blocked on this platform and you will not encounter problems working with HIPE or the HSA User Interface. But you are exposed to a serious security problem, and we recommend that you upgrade the OS.
10.6 ("Snow Leopard") Update 39 (problem fixed) Not supported The user will have to make sure to update to the latest version of Java 6 using the App Store to solve the problem (access it via the Apple icon in the menu bar and choosing "Software Update".
Changed:
<
<
10.7 ("Lion") and 10.8 ("Mountain Lion") Update 37 (affected, WebStart and applets blocked) Update 13 (problem fixed) The user will have to make sure to update to the latest version of Java 7 by visiting http://www.java.com. Installing or updating Java 7 will not affect HIPE, which runs on Java 6. WebStart applications can be started from the browser using Java 7. For WebStart applications to start from HIPE correctly, the user has to remove the block manually (explanation below).
>
>
10.7 ("Lion") and 10.8 ("Mountain Lion") Update 37 (affected, WebStart and applets blocked) Update 13 (problem fixed) See "Information for users of OS X 10.7 (Lion) and 10.8 (Mountain Lion)" below.
 
Changed:
<
<

Manually removing the block applied by Apple

>
>

Information for users of OS X 10.7 (Lion) and 10.8 (Mountain Lion)

 
Changed:
<
<
This step is only required in some cases, for some versions of OS X. See the table above.
>
>
There are two ways to regain access to the HSA User Interface: By accessing it via the browser using the latest update of Java 7, or by accessing it from HIPE, which you will have to install and run on Java 7 in this case.
 
Changed:
<
<
Apple blocked WebStart and Java applets in certain versions of Java. It is possible to remove this block, but: It is very important to realize the security threat that removing the block poses. If you use Java 6 in your browser, you will be open to the security problem explained above, and we advise strongly against removing the block in this case. Therefore our recommendation is to start by installing Java 7 for use in the browser.

Install Java 7 in the browser: Go to http://www.java.com and click the button "Free Java Download". You can check the Java version that your browser uses by visiting http://www.javatester.org/version.html. "Java 7 update 13" is reported as "1.7_13".

After this step, Java 6 should only be used to run HIPE and to start WebStart applications from HIPE. Because we trust that the applications started by HIPE do not contain malware, we can then remove the block on Java WebStart and Java browser plug-in for this version. We will not use the Java browser plug-in, but both are considered under the nomer "Java plug-in", so we can only enable or disable both.

Remove the block on Java 1.6 update 37:

sudo /usr/libexec/PlistBuddy -c "Set :JavaWebComponentVersionMinimum 1.6.0_37-b06-434" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

Unfortunately, just as Apple has initially silently applied this block, they can come back and re-apply it, even though it's been manually removed. This has been reported to happen after reboots. If it happens, one can simply execute the above command again. You can also execute the command below, which updates the "last modified" date in the relevant file, which has been said to stop Apple from updating the file on your behalf:

sudo /usr/libexec/PlistBuddy -c "Set :LastModification Fri,\ 08\ Feb\ 2014\ 00:54:09\ GMT" XProtect.meta.plist
>
>
In order to start the HSA User Interface from the browser, make sure to update to the latest version of Java 7 by visiting http://www.java.com. If you have a HIPE installation using Java 6, installing or updating Java 7 will not affect it. After installing or updating Java in the browser, WebStart applications can be started from there. In the case of the HSA UI by going to http://archives.esac.esa.int/hsa/ui/hui.jnlp.
 
Added:
>
>
The other possibility is to uninstall Java 6, install Java 7 and re-install HIPE. This way, HIPE should run on Java 7. HIPE has not been validated to work correctly on Java 7, but we have no reason to believe that there are any issues. We plan to provide a more detailed procedure on how to go about this installation in the future.
  -- PaulBalm - 11 Feb 2013 \ No newline at end of file
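
Review bot: The new sentence "In the case of the HSA UI by going to http://archives.esac.esa.int/hsa/ui/hui.jnlp." is a fragment with no verb; fold it into the preceding sentence. The two options are introduced on equal footing, but the closing paragraph says HIPE has not been validated on Java 7 and gives no procedure for the reinstall, so state that caveat where the options are first listed.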

Revision 3 - 2013-02-12 - PaulBalm

Line: 1 to 1
 
META TOPICPARENT name="HipeKnownIssues"

Java 6 WebStart and Applet problem on Mac OS X

Line: 6 to 6
  A security problem was found in Java, which has led Apple to block Java WebStart and the Java browser plug-in (for Java applets) for the affected Java versions on Mac OS X. HIPE 10 runs on Java 6, and if you're using a version of Java 6 for which WebStart was blocked, then you will not be able to start the HSA User Interface, or any other WebStart application, from HIPE.
Changed:
<
<
What's the security problem? Java WebStart applications and applets run inside a sandbox, which is a security feature. It means that these applications cannot access your local filesystem and they cannot access servers other than the one from which they were downloaded, unless the user allows this explicitly. The problem that has been found in certain versions of Java, is essentially a hole in this sandbox, so that these applications can potentially access the filesystem and send data anywhere on the internet. This bug is being exploited already, but Apple has blocked all affected software, so the security threat has been remedied.
>
>
What's the security problem? Java WebStart applications and applets run inside a sandbox, which is a security feature. It means that these applications cannot access your local filesystem and they cannot access servers other than the one from which they were downloaded, unless the user allows this explicitly. The problem that has been found in certain versions of Java, is essentially a hole in this sandbox, so that these applications can potentially access the filesystem and send data anywhere on the internet. This bug is being exploited already. Apple has blocked the affect software on OS X 10.6 ("Snow Leopard") and later, so the security threat has been remedied on those systems. If you're using OS X 10.5, you are running a risk due to this issue.
  Do I need to do anything? This depends on the version of Mac OS X that you're running. The table below explains the situation, for all versions of OS X that are supported for HIPE 10, as well as 10.8 ("Mountain Lion"), which is not formally supported for HIPE 10.

OS X Version Latest Java 6 update Latest Java 7 update How you're affected
Changed:
<
<
10.5 ("Leopard") Update 37 (affected, WebStart and applets blocked) Not supported The user will have to remove the block manually (explanation below). Apple does not support this version of OS X anymore, and recommends an upgrade.
>
>
10.5 ("Leopard") Update 37 (affected) Not supported The blocking mechanism was introduced in OS X 10.6, so the software is not blocked on this platform and you will not encounter problems working with HIPE or the HSA User Interface. But you are exposed to a serious security problem, and we recommend that you upgrade the OS.
 
10.6 ("Snow Leopard") Update 39 (problem fixed) Not supported The user will have to make sure to update to the latest version of Java 6 using the App Store to solve the problem (access it via the Apple icon in the menu bar and choosing "Software Update".
10.7 ("Lion") and 10.8 ("Mountain Lion") Update 37 (affected, WebStart and applets blocked) Update 13 (problem fixed) The user will have to make sure to update to the latest version of Java 7 by visiting http://www.java.com. Installing or updating Java 7 will not affect HIPE, which runs on Java 6. WebStart applications can be started from the browser using Java 7. For WebStart applications to start from HIPE correctly, the user has to remove the block manually (explanation below).
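
Review bot: In the rewritten "What's the security problem?" paragraph, "Apple has blocked the affect software" should read "the affected software". The new 10.5 row tells users they are exposed and should upgrade the OS, but gives no guidance for those who cannot upgrade right away; say whether using HIPE and WebStart on that platform is still advised in the meantime.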

Revision 2 - 2013-02-12 - PaulBalm

Line: 1 to 1
 
META TOPICPARENT name="HipeKnownIssues"

Java 6 WebStart and Applet problem on Mac OS X

Line: 12 to 12
 
OS X Version Latest Java 6 update Latest Java 7 update How you're affected
10.5 ("Leopard") Update 37 (affected, WebStart and applets blocked) Not supported The user will have to remove the block manually (explanation below). Apple does not support this version of OS X anymore, and recommends an upgrade.
Changed:
<
<
10.6 ("Snow Leopard") Update 39 (problem fixed) Not supported The user will have to make sure to update to the latest version of Java 6 using the App Store to solve the problem.
>
>
10.6 ("Snow Leopard") Update 39 (problem fixed) Not supported The user will have to make sure to update to the latest version of Java 6 using the App Store to solve the problem (access it via the Apple icon in the menu bar and choosing "Software Update".
 
10.7 ("Lion") and 10.8 ("Mountain Lion") Update 37 (affected, WebStart and applets blocked) Update 13 (problem fixed) The user will have to make sure to update to the latest version of Java 7 by visiting http://www.java.com. Installing or updating Java 7 will not affect HIPE, which runs on Java 6. WebStart applications can be started from the browser using Java 7. For WebStart applications to start from HIPE correctly, the user has to remove the block manually (explanation below).

Manually removing the block applied by Apple
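
Review bot: The parenthetical added to the 10.6 row, starting at "(access it via the Apple icon", is never closed, and it points to "Software Update" while the sentence itself says "using the App Store". Name one update mechanism and close the parenthesis before the full stop.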

Revision 1 - 2013-02-11 - PaulBalm

Line: 1 to 1
Added:
>
>
META TOPICPARENT name="HipeKnownIssues"

Java 6 WebStart and Applet problem on Mac OS X

ALERT! DISCLAIMER: This page is currently in DRAFT and does not describe an actual current recommendation from the HSC.

A security problem was found in Java, which has led Apple to block Java WebStart and the Java browser plug-in (for Java applets) for the affected Java versions on Mac OS X. HIPE 10 runs on Java 6, and if you're using a version of Java 6 for which WebStart was blocked, then you will not be able to start the HSA User Interface, or any other WebStart application, from HIPE.

What's the security problem? Java WebStart applications and applets run inside a sandbox, which is a security feature. It means that these applications cannot access your local filesystem and they cannot access servers other than the one from which they were downloaded, unless the user allows this explicitly. The problem that has been found in certain versions of Java, is essentially a hole in this sandbox, so that these applications can potentially access the filesystem and send data anywhere on the internet. This bug is being exploited already, but Apple has blocked all affected software, so the security threat has been remedied.

Do I need to do anything? This depends on the version of Mac OS X that you're running. The table below explains the situation, for all versions of OS X that are supported for HIPE 10, as well as 10.8 ("Mountain Lion"), which is not formally supported for HIPE 10.

OS X Version Latest Java 6 update Latest Java 7 update How you're affected
10.5 ("Leopard") Update 37 (affected, WebStart and applets blocked) Not supported The user will have to remove the block manually (explanation below). Apple does not support this version of OS X anymore, and recommends an upgrade.
10.6 ("Snow Leopard") Update 39 (problem fixed) Not supported The user will have to make sure to update to the latest version of Java 6 using the App Store to solve the problem.
10.7 ("Lion") and 10.8 ("Mountain Lion") Update 37 (affected, WebStart and applets blocked) Update 13 (problem fixed) The user will have to make sure to update to the latest version of Java 7 by visiting http://www.java.com. Installing or updating Java 7 will not affect HIPE, which runs on Java 6. WebStart applications can be started from the browser using Java 7. For WebStart applications to start from HIPE correctly, the user has to remove the block manually (explanation below).

Manually removing the block applied by Apple

This step is only required in some cases, for some versions of OS X. See the table above.

Apple blocked WebStart and Java applets in certain versions of Java. It is possible to remove this block, but: It is very important to realize the security threat that removing the block poses. If you use Java 6 in your browser, you will be open to the security problem explained above, and we advise strongly against removing the block in this case. Therefore our recommendation is to start by installing Java 7 for use in the browser.

Install Java 7 in the browser: Go to http://www.java.com and click the button "Free Java Download". You can check the Java version that your browser uses by visiting http://www.javatester.org/version.html. "Java 7 update 13" is reported as "1.7_13".

After this step, Java 6 should only be used to run HIPE and to start WebStart applications from HIPE. Because we trust that the applications started by HIPE do not contain malware, we can then remove the block on Java WebStart and Java browser plug-in for this version. We will not use the Java browser plug-in, but both are considered under the nomer "Java plug-in", so we can only enable or disable both.

Remove the block on Java 1.6 update 37:

sudo /usr/libexec/PlistBuddy -c "Set :JavaWebComponentVersionMinimum 1.6.0_37-b06-434" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

Unfortunately, just as Apple has initially silently applied this block, they can come back and re-apply it, even though it's been manually removed. This has been reported to happen after reboots. If it happens, one can simply execute the above command again. You can also execute the command below, which updates the "last modified" date in the relevant file, which has been said to stop Apple from updating the file on your behalf:

sudo /usr/libexec/PlistBuddy -c "Set :LastModification Fri,\ 08\ Feb\ 2014\ 00:54:09\ GMT" XProtect.meta.plist

-- PaulBalm - 11 Feb 2013
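
Review bot: The step "Remove the block on Java 1.6 update 37" overwrites JavaWebComponentVersionMinimum without recording the value Apple set, so the page gives no way to restore the block later; add a step that prints and notes the current value first, and say when to put it back. The second command also passes a bare "XProtect.meta.plist" while the first uses the full path under /System/Library/CoreServices, so it only works from that Resources directory; use the same absolute path in both.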

 