Hardening OSX against CVE-2008-5353 (aka java-apple-wontfix)
This has been fixed, no longer need for action!
In the following paragraphs you learn about a DIY approach to fix the JDK on OSX against CVE-2008-5353
For Tiger (this allows to use the GUI for the classpath setting, otherwise same as Leopard)
- Get the src.zip of a recent non-OSX java distribution (like Sun Java 5/JDK 1.5.0_19 for Linux)
- unzip src.zip java/util/Calendar.java
- javac java/util/Calendar.java
- zip /somepath/FixedCalendar.jar java/util/Calendar*.class
- Inside Finder goto Utilities / Java / J2SE 5.0 / Java Preferences
- Set Java-Applet-Runtime-Parameter to -Xbootclasspath/p:/somepath/FixedCalendar.jar
- Start up a browser, browse to http://www.java.com/en/download/help/testvm.xml, see the dancing duke, open Java Console, press s, you should now see FixedCalendar.jar in the sun.boot.class.path
- If you are brave, try the PoC exploit on http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html , it should give you a bootstrap failure now
For Leopold
- Get the src.zip of a recent non-OSX java distribution (like Sun Java 5/JDK 1.5.0_19 for Linux)
- unzip src.zip java/util/Calendar.java
- javac java/util/Calendar.java
- zip /somepath/FixedCalendar.jar java/util/Calendar*.class
- In ~/Library/Caches/Java/deployment.properties set option deployment.javapi.jre.1.5.0.args=-Xbootclasspath/p:/somepath/FixedCalendar.jar
- Start up a browser, browse to http://www.java.com/en/download/help/testvm.xml, see the dancing duke, open Java Console, press s, you should now see FixedCalendar.jar in the sun.boot.class.path
- If you are brave, try the PoC exploit on http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html , it should give you a bootstrap failure now
- Note 1: Your JDK is not original anymore, but it is a bit more secure now