Mac OS X Users Warned About Java Vulnerability - InformationWeek
04:57 PM

Mac OS X Users Warned About Java Vulnerability

SoyLatte, an X11-based port of the FreeBSD Java 1.6 "patchset" to Mac OS X Intel machines, is also reportedly vulnerable.

Mac OS X users are being warned to disable Java applets in their Web browsers and to turn off the "Open 'safe' files after downloading" preference in Safari because of a Java vulnerability that Apple has not yet patched.
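The two Safari changes the advisory recommends can be applied from a Terminal rather than through the Preferences dialog. The script below is an added example, not code from the article or from Intego; it assumes the Safari user-defaults keys AutoOpenSafeDownloads and WebKitJavaEnabled, which the article does not name, and it only applies the settings where the defaults(1) tool exists (Mac OS X), reporting a distinct exit status elsewhere.

```shell
#!/bin/sh
# Added example (not from the InformationWeek article or Intego's advisory):
# apply the two Safari mitigations from the command line and read them back.
# Assumed preference keys: AutoOpenSafeDownloads ("Open 'safe' files after
# downloading") and WebKitJavaEnabled ("Enable Java") in com.apple.Safari.

SAFARI_DOMAIN="com.apple.Safari"

# Returns 0 when a value printed by "defaults read" means the feature is off.
# defaults(1) may print 0/1, false/true or NO/YES depending on how the
# value was stored, so accept all the "off" spellings.
setting_is_off() {
    case "$1" in
        0|false|FALSE|no|NO) return 0 ;;
        *) return 1 ;;
    esac
}

# Writes the hardened values, then verifies each one by reading it back.
# Exit status: 0 = both disabled, 1 = a setting is still enabled,
# 2 = not running on Mac OS X (defaults(1) not available).
harden_safari() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not found; this script only applies on Mac OS X" >&2
        return 2
    fi
    defaults write "$SAFARI_DOMAIN" AutoOpenSafeDownloads -bool false
    defaults write "$SAFARI_DOMAIN" WebKitJavaEnabled -bool false
    for key in AutoOpenSafeDownloads WebKitJavaEnabled; do
        value=$(defaults read "$SAFARI_DOMAIN" "$key" 2>/dev/null)
        if setting_is_off "$value"; then
            echo "$key: disabled"
        else
            echo "$key: still enabled (read back '$value')" >&2
            return 1
        fi
    done
    return 0
}

harden_safari
```

Quit Safari before running this: a running Safari caches its preferences and may write the old values back over yours when it exits. Disabling Java inside Safari is a per-user, per-browser change; Firefox and other browsers on the same machine keep their own Java setting and need the same treatment.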

The Java vulnerability (CVE-2008-5353) was publicly disclosed and fixed by Sun Microsystems five months ago. But Apple, which released Mac OS X 10.5.7 with nearly 70 security fixes earlier this month, still has not addressed it in its own Java distribution.

"Apple has been aware of this vulnerability for at least five months, since it was made public, but has neglected to issue a security update to protect against this issue," Mac security company Intego said in a security advisory Wednesday.

This isn't the first time Apple has been criticized for failing to respond to security concerns in a timely manner. Last September, someone using the name "Securfrog" published code to crash QuickTime after allegedly being ignored by Apple. And last August, security researchers said Apple didn't move fast enough to fix the DNS flaw identified by Dan Kaminsky.

Intego says that it hasn't found any malware in the wild that's attempting to exploit this vulnerability.

But programmer Landon Fuller claims otherwise and on Tuesday released proof-of-concept exploit code to demonstrate that the Java hole needs to be patched.

"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller said in a blog post. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."

Were a malicious Java applet that exploited this vulnerability loaded and run in Safari under Mac OS X, it could read or delete files with the privileges of the logged-in user, or, combined with a separate privilege escalation vulnerability, reach system-level processes and take complete control of the machine.

Intego predicts just such an applet will appear shortly. "[T]he publicity around this vulnerability will mean that hackers are likely to attempt to exploit it quickly, before Apple issues a security update," the company said in the note that it posted to generate publicity around this vulnerability.
