Tag: Adobe Flash

Now you can have your Leopard-based Apple Macintosh secure from the current threats

Article

Apple issues Leopard update with Flashback removal tool – Engadget

Downloads

Apple

Java security update (targets Flashback Trojan)

Adobe Flash security update

Adobe

Latest Flash Player update

My Comments

Do you own an older Macintosh computer that is running MacOS X Leopard but isn’t powerful enough to be upgraded to Snow Leopard or Lion? Or have you held off upgrading your Mac to Snow Leopard or Lion because you keep a LocalTalk peripheral in service over that link?

You may fear that this situation leaves you vulnerable to the recent security scares involving Trojan-horse programs that are written in cross-platform code and target the Macintosh platform. Now Apple has remedied that problem by releasing two patches for this version of MacOS X.

The Java security update checks for and removes the Flashback Trojan from your Mac, but it also disables Safari’s Java plug-in. If you need to use Java in Safari, you will need to open Safari’s Preferences (Safari > Preferences, or press [Command] and [,]) and tick the “Enable Java” option.

The Adobe Flash update will disable the out-of-date version of Adobe Flash Player and encourage you to visit Adobe’s Website to download the latest version of the software. Here, make sure that you are downloading the version for MacOS X 10.4 – 10.5 to get the latest release for your MacOS X Leopard computer.

The newly-discovered security risk in all-platform runtime environments

Introduction

The recent security scare on the Apple Macintosh platform, its exposure to the Flashback malware, centred on the use of Java on this platform rather than on the platform being targeted directly with native code. There have also been similar risks aimed at this platform, this time through the Adobe Flash runtime environment.

Previously, the typical computer’s operating system, desktop-productivity software and default Web-browsing environment have been the targets of malware writers. This has been more so for software that is used by many people, like Microsoft’s Windows XP operating system and the Internet Explorer Web browser.

But Microsoft, Apple and the open-source community have been working lately on hardening their operating-system, desktop-productivity and Web-browsing software against malware. This has been done through releasing software patches that fix vulnerabilities as soon as they are discovered and having such patches delivered using automated software-maintenance systems like Windows Update.

So malware authors are now turning their arrows towards multi-platform runtime environments like Oracle’s Java and Adobe’s Flash and Air environments. These typically have a runtime component that is user-installed on most computing platforms, or that is rolled into some computing platforms.

These runtime environments have appealed to mainstream software developers because they can create their software in a “write once, run anywhere” manner without needing to port the software to the different platforms they want to target. This situation also has appeal to malware authors due to the ability to target multiple platforms with little risk as well as finding that these runtime environments aren’t patched as rigorously as the operating systems.

One main problem – Java and how it is maintained on the Macintosh

The Java runtime environment used to be delivered with the Windows platform until 2004, due to a legal agreement between Sun and Microsoft regarding an anti-trust issue. Windows users now pick up the runtime code from Oracle’s Java website, Oracle having taken over the Java environment from Sun.

But Apple still delivers the Java runtime environment to their Macintosh users, either with the operating system up to “Snow Leopard” or as a separate download from their Website for subsequent versions.

On both platforms, the Java runtime survives operating-system updates, even major version upgrades. As well, like the Adobe Flash runtime, it has to be updated separately.

Windows and Linux users still have the advantage of going to the Oracle Website to install and update the Java runtime, and they can set up the Java installer software to apply the latest version automatically or to notify them of updated Java runtimes. But Apple don’t pass on new updates for the Java runtime to MacOS users as soon as Oracle release them.

What Apple should do is pass on the Java runtime updates as soon as Oracle releases them. This could involve Apple ceding the management of the MacOS X Java runtime to Oracle and writing any integration code necessary to support co-ordinated maintenance of this runtime on the Macintosh platform.

What users can do with these runtime environments

Users can keep their runtime environments for Flash, Java, Adobe Air and other “write once, run anywhere” platforms up to date by looking for updates at the developer’s Website. They can also enable automatic deployment of critical updates to these environments through the various options offered by the installer.

But do you need to keep any of these runtime environments on your regular computer? You could do without them, but some vertical, enterprise and home software requires them. In some cases, developers write parts of their software in native code for the platform the software is to run on while using “write once, run anywhere” code that works with these environments for other parts.

For example, YouTube, most browser-hosted games and file-transfer interfaces for Websites use Adobe Flash Player, while programs like OpenOffice, Adobe’s Creative Suite and some enterprise / vertical software require Java.

If you are not likely to run any programs that depend on a runtime environment regularly, or can avoid needing that particular environment, you could avoid installing the environment at all to keep your computer secure and stable.

What can the industry do

Use of computer security software to protect against runtime-environment attacks

A question that could be raised is whether it is feasible for a computer-security program to be written so that it can inspect the software that is intended to be run in these environments.

This is more so as these environments become ubiquitous for delivering software to multiple computing environments. In the case of Java, this environment is being implemented as a baseline for the Android platform and as the language for writing interactivity in to Blu-Ray Discs.

This could be achieved through plug-in modules for current desktop and appliance-level security applications, or through modules that connect to the runtime environments and watch for abnormalities in the way they handle computer resources.

Development of enhanced runtime environments that work with the host operating system’s security logic

It can also be feasible for the runtime environments to work tightly with the operating system’s user access management and prevent the programs running behind them from using resources unless they are explicitly allowed to. This could involve sandboxes or privilege levels that mimic the operating system’s privilege levels, so that programs work at the lowest level unless they have to work higher.

Consistent and responsive updating of the runtime environment across all platforms

Adobe, Oracle and others who develop “write-once, run-anywhere” platforms could implement a consistent and responsive update policy for these platforms in response to any discovered bug or exploitable software weakness. The developers of these platforms have to be sure that the updates are delivered as soon as possible and across all platforms that the runtime environment is targeted at.

This includes development of a strategy so that access to the targeted platforms is guaranteed by the runtime-environment developer. For example, it may include immediate propagation of firmware updates for devices or the use of the developer’s own installation routines for all regular computing environments.

Allow design-time native-binary compiling for desktop Java

Another improvement that I would like to see is for software that is written in the Java language to be able to be compiled to native binary (.EXE) code during development. Here, this could allow a desktop-software project that has routines written in Java as well as routines written in other languages like C++ and targeted to one platform to be able to run quickly and securely on that platform.

It will then avoid the need to require the installation of the Java runtime when a program like Adobe’s Creative Suite software is deployed to the end user. It can also allow the developer to deliver the software to many platforms in a binary form that is native to each target platform, thus allowing for efficient use of system resources.

Conclusion

Once we adopt proper standards concerning the management and maintenance of “write-once, run-anywhere” software-development platforms and bring them to the same standard as regular-computer operating systems, this can reduce the chance of these platforms being exploited by malware authors.

The HTML5 vs Flash debate

The computer press have been running articles regarding the use of Flash or HTML5 in highly-interactive Web sites such as video sites.

It started off with Apple wanting to move the iPhone and iPad towards HTML5 / H264 video by proscribing Flash runtime engines on these platforms and forcing developers to move to the HTML5 / H264 platform. This caused Google to write YouTube client-side apps for these platforms and develop an HTML5 site. Then Microsoft and others worked towards implementing HTML5 in their next browser release, with some browsers being equipped with HTML5 interpreters.

The debate about HTML5 vs Flash has been more “video-centric” because Adobe Flash was mainly used by YouTube to display the many videos hosted on that site.

It is worth noting that the FLV files used in YouTube and similar Flash applications are container files with the video and audio encoded using the H.263 video codec. The HTML5-based video applications will use FLV, MOV or AVI container files with H.264 video codecs which are becoming the standard for high-resolution video.

Applications beyond video

Adobe Flash has been used for applications beyond video. Primarily it has been used for high-interactivity applications like games such as Farmville on Facebook or the casual games on MiniClip because it offers a quick-response user interface and easy development that these applications needed. Here, it has offered a “write-once run-anywhere” platform for these Web-centric applications with plenty of “rapid-application-development” tools.

It is also worth knowing that most of these games refer to back-end databases and / or “client-local” cookie files to persistently store game-state and other user-generated data. These programs will then have to work with the different data stores as they are used.

Web-based runtime environments for partially-linked programs

HTML5 has a variety of inherent elements that provide vector graphics and interactivity for highly-interactive applications. It may also be of benefit to open-source software developers and Linux advocates.

But there are some developers, most notably games developers, who want to keep their source-code closed in order to control reuse of that code. These developers also want to provide programs in a manner where the target machine doesn’t have to interpret or compile code before it is of use, which will benefit high-interactivity applications where quick response is desired.

These developers typically want to provide these programs as either an executable file or a “p-code” (partially-linked) program file which is run by an interpreter or just-in-time compiler program, known as a runtime module, that works with these files on the target platform. At the moment, there isn’t a mechanism for delivering a compiled HTML5 file in a “write once, run anywhere” manner.

Java

An interactive-applications developer could work with the latest version of Java to develop these kinds of applications on a “write-once run-anywhere” platform. This platform is natively supported by the Blu-Ray Disc system as part of providing interactive video from discs and/or the Internet through that system. It could then lead to someone writing a games disc that runs classic game types on any old Blu-Ray Disc player without the player being a games console.

The main issue with this is that not all platforms, especially tablet and handheld platforms, support Java natively. As well, desktop support for Java may require the Java runtime software to be downloaded separately from Sun.

Microsoft Silverlight

As well, Microsoft wants to advance their Silverlight runtime platform for client-executed Web applications, but this platform has not yet been ported to anything outside general-purpose computers running the Windows operating-system family. Again, this is another platform for Web-based highly-interactive content that requires the client machine to work with a “runtime module”.

Apple’s control over what runs on their platforms

One of the main cornerstones in this debate is what Apple wants out of the iPhone, iPad and iPod Touch platforms. They want to maintain control over programs and highly-interactive content that runs on this platform and preserve the requirement that all such content is obtained through the iTunes App Store. The practice of supplying a “runtime module” for pre-compiled “p-code” software available elsewhere, such as what happens with Java and Flash, works against this ideal because Apple can’t see the program’s code before it runs on an iPod or iPhone. Therefore Apple have proscribed the creation of such modules for this platform.

Some Apple skeptics may also fear that Apple may move their desktop platform away from the Macintosh (MacOS X) platform, where there is a “free-for-all” for software development, towards a platform not dissimilar to the iPhone or iPad platform with a controlled development environment. This is like how they retired the Apple II platform in the early 90s in order to focus on the Macintosh platform.

The open question

Therefore, there is an “open question” concerning Web-based software development. It is whether the likes of Farmville or Bejewelled should be developed using HTML5 in a vulnerably-open manner, or whether they should be packaged as “p-code” and delivered to a runtime environment. It also includes whether Apple should expect developers to create a separate client-side app for their iPhone / iPod / iPad devices for each game or highly-interactive site that they work on.