5/20/2009
04:57 PM

Mac OS X Users Warned About Java Vulnerability

SoyLatte, an X11-based port of the FreeBSD Java 1.6 "patchset" to Mac OS X Intel machines, is also reportedly vulnerable.

Mac OS X users are being warned to disable Java applets in their Web browsers and to disable the "Open 'safe' files after downloading" preference in Safari because of a Java vulnerability.
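The advisory's mitigation is two Safari settings. The following shell script is an added example (not from the article, Intego, Apple or Fuller) that reads both settings with the `defaults` tool and reports whether the mitigation is in place, with an `apply` mode that sets them. It assumes Safari stores these preferences in the `com.apple.Safari` domain under the keys `AutoOpenSafeDownloads` (the "Open 'safe' files after downloading" checkbox) and `WebKitJavaEnabled` (the Java applet toggle on Safari of that era); both key names are assumptions here, not taken from the page. The decision logic is kept separate from the `defaults` calls so it can be exercised on any POSIX shell.

```shell
#!/bin/sh
# Added example, not part of the original article. Checks (or applies) the two
# Safari settings the Intego advisory recommends while the Java hole is unpatched.
# ASSUMPTIONS: preference domain com.apple.Safari; key AutoOpenSafeDownloads for
# "Open 'safe' files after downloading"; key WebKitJavaEnabled for Java applets.

SAFARI_DOMAIN="com.apple.Safari"

# Interpret a value as printed by `defaults read`. Returns 0 when the value
# means "off"; anything else (including "unset") counts as on, because Safari
# shipped with both settings enabled by default.
pref_is_off() {
    case "$1" in
        0|false|FALSE|no|NO) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one key's value, or "unset" when the key is absent or `defaults`
# is not available (for example when this script is read on a non-Mac host).
read_pref() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read "$SAFARI_DOMAIN" "$1" 2>/dev/null || echo unset
    else
        echo unset
    fi
}

# Decision: the mitigation is in place only when auto-open of "safe" files
# ($1) AND Java applets ($2) are both off.
hardened() {
    pref_is_off "$1" && pref_is_off "$2"
}

# Read the live settings and report. Returns 0 when hardened, 1 otherwise.
check_safari() {
    auto_open=$(read_pref AutoOpenSafeDownloads)
    java_enabled=$(read_pref WebKitJavaEnabled)
    printf 'AutoOpenSafeDownloads=%s WebKitJavaEnabled=%s\n' "$auto_open" "$java_enabled"
    if hardened "$auto_open" "$java_enabled"; then
        echo "OK: safe-file auto-open and Java applets are both disabled"
        return 0
    fi
    echo "WARNING: one or both advisory mitigations are not applied"
    return 1
}

# Write both settings off. Safari must be restarted to pick up the change.
apply_safari_mitigations() {
    defaults write "$SAFARI_DOMAIN" AutoOpenSafeDownloads -bool false
    defaults write "$SAFARI_DOMAIN" WebKitJavaEnabled -bool false
}

# Usage: ./safari_java_check.sh [check|apply]   (default: check)
case "${1:-check}" in
    check) check_safari || true ;;
    apply) apply_safari_mitigations && check_safari ;;
    *) echo "usage: $0 [check|apply]" ;;
esac
```

Run it with no argument to audit a machine, or with `apply` to set both preferences; re-enable Java applets only after a vendor update that addresses the issue is installed.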

The Java vulnerability (CVE-2008-5353) was publicly disclosed five months ago by Sun Microsystems and fixed. But Apple, which released Mac OS 10.5.7 with nearly 70 security fixes earlier this month, has not yet dealt with the issue.

"Apple has been aware of this vulnerability for at least five months, since it was made public, but has neglected to issue a security update to protect against this issue," Mac security company Intego said in a security advisory Wednesday.

This isn't the first time Apple has been criticized for failing to respond to security concerns in a timely manner. Last September, someone using the name "Securfrog" published code to crash QuickTime after allegedly being ignored by Apple. And last August, security researchers said Apple didn't move fast enough to fix the DNS flaw identified by Dan Kaminsky.

Intego says that it hasn't found any malware in the wild that's attempting to exploit this vulnerability.

But programmer Landon Fuller claims otherwise and on Tuesday released proof-of-concept exploit code to demonstrate that the Java hole needs to be patched.

"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller said in a blog post. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."

Were a malicious Java applet that exploited this vulnerability loaded and run in Safari under Mac OS X, it could lead to file access, file deletion, or, in conjunction with a privilege escalation vulnerability, access to system-level processes and complete system control.

Intego predicts just such an applet will appear shortly. "[T]he publicity around this vulnerability will mean that hackers are likely to attempt to exploit it quickly, before Apple issues a security update," the company said in the note that it posted to generate publicity around this vulnerability.
