MacOSXJava6SecurityProblem (2013-02-14, PaulBalm)
---+ Java 6 !WebStart and Applet problem on Mac OS X

%X% *DISCLAIMER: This page is currently in DRAFT and does not describe an actual current recommendation from the HSC.*

If you're reading this, then in all likelihood you have attempted to start the HSA User Interface from HIPE 10.0 on Mac OS X 10.7 or 10.8 and you were presented with the following pop-up:

%ATTACHURL%/MacOSX_WebStartBlocked.png

For a quick bottom line, skip to the section [[#bottomline][for Lion and Mountain Lion users]]. An explanation follows below.

Users of all versions of Mac OS X are affected by this problem, and all !WebStart applications are affected, not only the HSA User Interface.

A [[http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html][security problem]] was found in Java, which has led Apple to block Java !WebStart and the Java browser plug-in (for Java applets) for the affected Java versions on Mac OS X. HIPE 10 runs on Java 6, and if you're using a version of Java 6 for which !WebStart was blocked, then you will not be able to start the HSA User Interface, or any other !WebStart application, from HIPE.

*What's the security problem?*

Java !WebStart applications and applets run inside a sandbox, which is a security feature. It means that these applications cannot access your local filesystem and cannot access servers other than the one from which they were downloaded, unless the user allows this explicitly. The problem that has been found in certain versions of Java is essentially a hole in this sandbox, so that these applications can potentially access the filesystem and send data anywhere on the internet. This bug is being exploited already. Apple has blocked the affected software on OS X 10.6 ("Snow Leopard") and later, so the security threat has been remedied on those systems. If you're using OS X 10.5, you are running a risk due to this issue.

*Do I need to do anything?*

This depends on the version of Mac OS X that you're running. The table below explains the situation for all versions of OS X that are supported for HIPE 10, as well as 10.8 ("Mountain Lion"), which is not formally supported for HIPE 10.

| *OS X Version* | *Latest Java 6 update* | *Latest Java 7 update* | *How you're affected* |
| 10.5 ("Leopard") | Update 37 (affected) | Not supported | The blocking mechanism was introduced in OS X 10.6, so the software is not blocked on this platform and you will not encounter problems working with HIPE or the HSA User Interface. But you are exposed to a serious security problem, and we recommend that you upgrade the OS. |
| 10.6 ("Snow Leopard") | Update 39 (problem fixed) | Not supported | The user will have to make sure to update to the latest version of Java 6 using the App Store to solve the problem (access it via the Apple icon in the menu bar and choosing "Software Update"). |
| 10.7 ("Lion") and 10.8 ("Mountain Lion") | Update 37 (affected, !WebStart and applets blocked) | Update 13 (problem fixed) | See "Information for users of OS X 10.7 (Lion) and 10.8 (Mountain Lion)" below. |

<a name="bottomline"></a>
---++ Information for users of OS X 10.7 (Lion) and 10.8 (Mountain Lion)

There are two ways to regain access to the HSA User Interface: by accessing it via the browser using the latest update of Java 7, or by accessing it from HIPE, which you will have to install and run on Java 7 in this case.

In order to start the HSA User Interface from the browser, make sure to update to the latest version of Java 7 by visiting http://www.java.com. If you have a HIPE installation using Java 6, installing or updating Java 7 will not affect it. After installing or updating Java in the browser, !WebStart applications can be started from there; in the case of the HSA UI, by going to http://archives.esac.esa.int/hsa/ui/hui.jnlp.

The other possibility is to uninstall Java 6, install Java 7 and re-install HIPE. This way, HIPE should run on Java 7. HIPE has not been validated to work correctly on Java 7, but we have no reason to believe that there are any issues. We plan to provide a more detailed procedure on how to go about this installation in the future.

-- Main.PaulBalm - 11 Feb 2013
Topic revision: r5 - 2013-02-14 - PaulBalm