Java 8 Update 40 Installer App Fun!

So perhaps you saw my previous post: Java 8 without the Adware (aka Java8Unjunker)?

Java 8 U40 App

Good stuff eh? There was something in there that got me thinking: If they didn’t sign the package, is the app doing any integrity checks on the package inside either? Hmmm let’s see…

Voice over: We’ve secretly replaced the JavaAppletPlugin.pkg package with QuickTime 7 let’s see if it can tell the difference!
Not Java

Here we go!
Sure let me authenticate right when you run before any confirmation of action – why not!? (Ugh, bad form already.)

Java8 Auth

Safe and Easy

Oh OK, “safe and easy” – I love it! But just to clarify…
By “easy” you mean: Checking lots of trust boxes and clicking “Run” buttons a lot to get a Java apps working (plus crossing your fingers)?
By “safe” you mean: a steady stream of high scored CVEs with low complexity? Or even running in Unsafe Mode when needed?

OK what’s next?

Ask

Oh dear God no! No Ask.com. UncheckNext.

Oh, right, away we go, I gave you my password at the door. Installing Java are we?
Java8 InstallingInstalled

OK I’ve successfully installed Java then if you say so… I guess I that’s proof alright!
It then takes you to the Verify Java page — but who cares about that!

What does /var/log/install.log say about what was installed?

QT7 install Java8

 

Yep it installed the QuickTime7 package we put in there and Java Updater 40.app was none the wiser.

So in conclusion… That’s a really nifty “Ask Toolbar installer” with arbitrary package installer Oracle. It’s also a great delivery vehicle for malware by nefarious folks. Heck, bundle Java along with your Trojan and the “Verify Java” page would open too! Sheesh. Is the Ask contract that lucrative? Oracle made $38 billion in revenue last year, IAC the parent of Ask.com pulled in $3 billion. I guess IAC have got money to spend and Oracle will take it (but not invest in more secure installers?)

Notes: The first attempt used a QuickTimePlayer7.6.6_SnowLeopard.pkg with an expired certificate, that halted the install. The 2nd attempt I stripped out the expired certificate. It worked. The 3rd time I downloaded a newly signed version from Apple, that too worked.

Parting note for Oracle:
Sign your critical packages! If you insist on using your glorified “Ask Toolbar installer app” to do this, then require that it verify the package integrity in some way, Orable! (heh, that was a typo but I like it: Orable, ha!)

Open JavaAppletPluginJava8 No Lock

 

Update: Oracle is now signing the package within and the installer can no longer be duped into running an arbitrary package. The version when this article was written was 1.8.40.25, it is now 1.8.40.27.

Java 8 Signed

It’s signed now!

 

Damaged Java 8

Attempted JavaAppletPlugin.pkg Replacement

 

Java 8 without the Adware (aka Java8Unjunker)

So you’ve heard the Ask toolbar is now bundled with Java 8 Update 40 for the Mac?
Yep, apparently it is.

Ask

Fortunately there’s a simple workaround! Let’s take control of our Macs and do a little spelunking into this new installer app.

Right or Control-Click the Java 8 Update xx.app and choose Show Package Contents

Show Package Contents

Navigate into Contents then Resources folder
Eureka we’ve found it: JavaAppletPlugin.pkg
JavaAppletPlugin_LocationLet’s run it!

Gatekeeper_Java8

Aw snap. It seems the package isn’t signed and Gatekeeper is not happy about that. I’m flabbergasted that they’d sign the installer app but not the package inside? (Update: I’m really flabbergasted!)

Control or right-click on JavaAppletPlugin.pkg and choose Open

Java 8 PKG Open

Click Open

Open JavaAppletPlugin

Here we are. Your unsigned Java installer awaits.

Installer

Alternately… Java8Unjunker.command

script I just made to do the same thing plus some other nice things like: name the package and un-quarantine it. Of course being a script it’s not signable! Gatekeeper will balk if it’s on. You’ll need to right-click and choose Open as before.

Shell

Drag in your Java 8 Updater xx.app

Unjunker1

Press Enter.
Voilà! A folder with your package ready to double-click and go.

Unjunker2

Enjoy.

TMI…

#!/bin/bash

#Java 8 Unjunker - Joel Bruner
#Simply moves the JavaAppletPlugin.pkg package out of the installer app (which installs the Ask Toolbar) to the Desktop, renames and Un-Quarantines it

#touch file for debugging
[ -f /tmp/debug ] && set -x

#take command line argument too
sourceApp="$1"

#check to see if path provided is present and valid
#otherwise get the path
while [ -z "$sourceApp" -o ! -d "$sourceApp" ]; do
echo -n "Drag in Java 8 Update xx.app and press enter: "
read sourceApp
done

#get the version from the app
sourcePKGVersion=$(defaults read "$sourceApp"/Contents/Info CFBundleVersion)

#make Desktop folder and copy pkg to it, renamed
echo "Creating Directory ~/Desktop/Java $sourcePKGVersion"
mkdir ~/Desktop/"Java $sourcePKGVersion"
echo "Copying JavaAppletPlugin.pkg to ~/Desktop/Java $sourcePKGVersion/JavaAppletPlugin_${sourcePKGVersion}.pkg"
cp "$sourceApp"/Contents/Resources/JavaAppletPlugin.pkg ~/Desktop/"Java $sourcePKGVersion"/JavaAppletPlugin_${sourcePKGVersion}.pkg

#since Oracle doesn't sign the pkg just the .app we need to strip the quarantine xa off to suppress the warning
xattr -d com.apple.quarantine ~/Desktop/"Java $sourcePKGVersion"/JavaAppletPlugin_${sourcePKGVersion}.pkg

echo "Java Unjunked. Opening Folder."
open ~/Desktop/"Java $sourcePKGVersion"

 

 

 

RecoveryHD Updater now with PKG building

** Update: Recovery HD updaters packages for 10.11 will only work when run in OS X 10.11, previous packages could run in different OSesnot so for 10.11

Updated April 6, 2015: createRecoveryHDUpdater 15.4.6.command – built PKG now is targetable to volumes other than /

Released Feb 28, 2015: createRecoveryHDUpdater 15.2.28.command

Recovery15.2.28

Building off the previous work the updated script will now create a nicely named dmg

recoverydmg_icon

Containing both an interactive script for updating disks and a new script to create a .pkg!

recoverydmg_2scripts

 

The fruits of RecoveryHD PKG Maker.command:

recoverypkg_iconCustom Bundle ID is interactively provided, the PackageVersion is matched to the OS release. Signing identity is asked for in the script but not tested (my cert might be broken, YMMV). The target of the package is always / – an exercise for the reader to change the postinstall script to use Installer’s variables to affect the target The exercise to make the .pkg targetable has been exercised by me… Enjoy!

 

BASH parameter fun

Some exercises in handling parameters in a script:

Using BASH_ARGV to loop through all arguments

#!/bin/bash
#debugging output
[ -f /tmp/debug ] && set -x

#Loop Though the arguments provided
#BASH places arguments in reverse order in BASH_ARGV array
#Start at end of array (ARGC – 1)
for (( i=$(( $BASH_ARGC – 1 )); i>=0; i– )); do
item=”${BASH_ARGV[$i]}”
echo “\$$(( $BASH_ARGC – $i )): $item”
done

Loop through all arguments with special handling of first and last only

#!/bin/bash
[ -f /tmp/debug ] && set -x
##loop through parameters, start with end of BASH_ARGV
for (( loopNumber=1, i=$(( $BASH_ARGC - 1 )); i>=0; i--, loopNumber++ )); do
#do something special for first and last
if [ $i -eq $(( $BASH_ARGC - 1 )) ]; then
conditionalString="(I am the first one!)"
elif [ $i -eq 0 ]; then
conditionalString="(I am the last one!)"
else
unset conditionalString
fi
echo Arg $loopNumber: ${BASH_ARGV[$i]} $conditionalString
done

Loop through all arguments with special handling of first and everything else

#!/bin/bash
[ -f /tmp/debug ] && set -x

##loop through parameters, start with end of BASH_ARGV
for (( loopNumber=1, i=$(( $BASH_ARGC – 1 )); i>=0; i–, loopNumber++ )); do

#if not the last don’t restart dock
if [ $i -eq $(( $BASH_ARGC – 1 )) ]; then
unset conditionalString
conditionalString=”(I am the first)”
else
conditionalString=”(I am not the first)”
fi

echo Arg $loopNumber: ${BASH_ARGV[$i]} $conditionalString
done

Loop through all arguments with special handling of the last and everything else

#!/bin/bash
[ -f /tmp/debug ] && set -x

##loop through parameters, start with end of BASH_ARGV
for (( loopNumber=1, i=$(( $BASH_ARGC – 1 )); i>=0; i–, loopNumber++ )); do

#if not the last don’t restart dock
if [ ! $i -eq 0 ]; then
conditionalString=”(I am not the last)”
else
unset conditionalString
#conditionalString=”(I am the last)”
fi

echo Arg $loopNumber: ${BASH_ARGV[$i]} $conditionalString
done

(WordPress is bugging the heck out of me with the code tags breaking when their are line breaks… sorry, that’s an exercise for the Googler)

Apple Remote Desktop 3.7.1

Apple has release Remote Desktop Admin 3.7.1

The release notes are sparse, as usual:

This update improves the overall stability and reliability of the Remote Desktop application. It includes the following specific improvements.

  • Prevents an issue that could cause the OS X Firewall to block Remote Desktop connections. See Additional Information below.
  • Improves reliability of the kickstart command.
  • Fixes the “Display full screen” option in Control & Observe preferences.

Hmmm, I didn’t see a bullet point titled: “Fixed insane memory and CPU usage issues”

ARD Ridiculous Memory Usage

Just installed the update. Fingers crossed.

Update: The answer is no… they didn’t fix runaway memory usage.

ARD371 Cray Cray Mem Usage Remote Desktop Screen Usage

Naming Conventions! Please, Apple?

Apple, there was a time when your updates had naming conventions for the various platforms there were targeted for. Suffixes like Tiger, Leopard, Snow, etc. made it easy to identify for what platform an update package was intended.

SnowSecurityUpdates

Names used to be useful, who did you hire between April and September of 2012?

But then something happened. Somewhere after Snow Leopard 2012-002 and the first appearance of the 10.7/10.8 Java updates: form trumped function and all useful naming conventions were removed.

Which Java

Elegantly named and informational useless packages. Beautiful.

In the case of Java not just the platform name, but even what release number was removed too! Oh sure, someone took the time to change the disk image volume name, thanks, but once it was copied out of there, good luck in keeping things straight! Since these are flat packages now, Finder can’t tell you the version number in column view anymore, either.

WhichSecurityUpdate

What platform are you for? Should I just chuck all these at a machine and see what sticks?

How about the latest security updates? They all named the same! What a mess! Note that now even the disk image names are all the same too and the system has to resort to appending numbers on the volume name to avoid naming conflicts.

So Apple, if you are going to keep putting out security updates for older platforms then let’s stop pretending there is only one OS X release out there and start naming updates appropriately! Please? Thanks!

P.S. I’ve submitted a bug and mirrored it at Open Radar, if you are a systems administrator who is also irked by this trend of needless naming minimalism I encourage you to file a bug report and see if we can turn this around!

XProtect Plugin Checker

Are you a system administrator or power user who needs a quick way to check if your Flash or Java plugins have been blocked by Apple? Like so:XProtectPluginChecker Menu 2

Then XProtectPluginChecker is the status menu app for you!

XProtect Plugin Checker iconClick to download.

Written in BASH, sprinkled with PlistBuddy/awk/sed-Fu with a dash of mdfind magic, and wrapped with Platypus, the aim is for XProtect Plugin Checker to be able to dynamically accommodate any additions Apple might make to the Plugin Blacklist, although only Flash and Java seem to be in their crosshairs right now, who knows? Silverlight might be next, given its lack of updates (going on 10 months).

A bonus idea for making this more useful is to make a launchd script that watches the XProtect plist file(s) then fires off the XProtectPluginChecker script when they change, emailing the results to you, because knowing is half the battle!

If you find this useful or if you have some hiccups with it, let me know. UPDATE: Now with comments enabled! :]

Also related, myXProtectStatus is a similar style menu status script that lists the malware threats Apple is blocking.

10.7.4: Return of partial volume and brightness shortcuts

Yes folks, the shorcuts for partial volume and brightness are back in 10.7.4! After users had grown to love and know Option-Shift-Volume Key and Option-Shift Brightness Key in previous versions  of OS X (10.4, 10.5, and 10.6), Apple yanked the rug out from under users with 10.7. Well, now 9 1/2 months later they are finally back. Rejoice.

Now start filing those bug reports for the insane amounts of inactive memory being used and not released to Free… :/

Apple’s New Epoch Time for WebComponentsLastUsed

The latest Java update for Lion 2012-003 ( which after 3 revisions is still called JavaForOSX-1.0 in Software Update – oh, Apple! But I digress…) will turn off Java if it hasn’t been used in 30 days (or so I hear). It accomplishes this by writing a value to the WebComponentsLastUsed in ~/Library/Preferences/ByHost/com.apple.java.JavaPreferences.UUID.plist.

It used to be enough to have WebComponentsEnabled set to True, but now WebComponentsLastUsed is required or the unclickable “Plugin-Disabled” button will be shown in Safari’s lower right corner (it totally looks clickable yeah?)

If you work at a company that requires Java web components to be on for things like timesheets, making sure Java stays on helps to avoid getting help desk calls.

So I needed to figure out how this value was computed, it was too small to be the Unix epoch (seconds since January 1, 1970), so I did some sleuthing, some comparitive analysis (just to sound fancy), and figured out it is the number of seconds since January 1, 2001. To get this value you just need to get the Unix epoch and subtract the number of seconds since Jan 1, 2001.

Here’s the way to get this value in a BASH Terminal:

echo $(( $(date "+%s") - 978307200 ))

Toggling the check box in /Applications/Utilities/Java Preferences will reset the WebComponentsLastUsed value and you will find it very close to the value from Terminal.

Wasn’t that fun? The Der Flounder blog has a script using this method to turn on Java. He was a good sport to incorporate my code, too. He enlightened me with his UUID scripting code, so share and share alike, I say.

Bonus link for Apple’s other epoch time, for iTunes’ XML Play Date field: January 1, 1904 – that’s the first year of the last century with a leap year, so says Filemaker! ;)

OpenDNS does not prevent infection of Flashback

While reading the froth around Flashback I came upon this shameless bit of self promotion from OpenDNS: Worried about Mac malware? Just set up OpenDNS.

What, Me Worried?

It’s got some amazing claims:

"All Mac users should switch to OpenDNS now to prevent infection"

A lot of people have commented:
19 pingbacks from various regurgitators: FairerPlatform, Tech 3K, chicagogeek, News4iPhone, ZBlog!, Free Nulled Apps, Tech News, Tutto App, When’s the next Iphone out?, MostOfMyMac.com, iphone 4S issues, Apple Related, keepiphone.com, IT Blogger Blog, Apple Stocks, iHelpBoard, and The Apple Lounge

One very enthusiastic supporter:

"We should change the world for better"

And then my comment:

Just asking...

It’s still awaiting moderation?! Whaaaaa?!

[sarcasm]Why you no like me Allison? Is my English no too good? Do I NOT WRITE IN ENOUGH CAPS?!?! Why you no want make world for better?! Why no share my important tip?[/sarcasm]

Update Java folks. Relying on a DNS company to block DNS queries is just dumb. How do they know what all the Command and Control domains are? Those things can change at whim and I wouldn’t make DNS lookups my first line of defense, it certainly isn’t preventative. If you don’t have your computer updated you can get compromised. Even if you do update, until Apple gets things patched quicker, even that’s not good enough, you need some protection, Sophos makes a good free product. Get it.

Also, if you think “I only go to good clean sites”. I’ll tell you, that you can never know. This site got hacked because of combination of a Dreamhost database compromise and  Wordpress vulnerabilities. That’s been taken care (otherwise you’d be redirected to femalebodyinspector.ru or something like that — gawd, of all the hacks… — and the domain didn’t even work! ). But all it takes is some PHP/Wordpress compromise and your site could be serving up malware. So be safe, be vigilant, and don’t think that someone else is going to protect you because they don’t let your computer talk to strangers (yes, OpenDNS I’m talking to you.)