The Java vulnerability (CVE-2008-5353) was publicly disclosed and fixed by Sun Microsystems five months ago. But Apple, which released Mac OS 10.5.7 with nearly 70 security fixes earlier this month, has not yet dealt with the issue.
"Apple has been aware of this vulnerability for at least five months, since it was made public, but has neglected to issue a security update to protect against this issue," Mac security company Intego said in a security advisory Wednesday.
This isn't the first time Apple has been criticized for failing to respond to security concerns in a timely manner. Last September, someone using the name "Securfrog" published code to crash QuickTime after allegedly being ignored by Apple. And last August, security researchers said Apple didn't move fast enough to fix the DNS flaw identified by Dan Kaminsky.
SoyLatte, an X11-based port of the FreeBSD Java 1.6 "patchset" to Mac OS X Intel machines, is also reportedly vulnerable.
Intego says that it hasn't found any malware in the wild that's attempting to exploit this vulnerability.
But programmer Landon Fuller claims otherwise and on Tuesday released proof-of-concept exploit code to demonstrate that the Java hole needs to be patched.
"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller said in a blog post. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."
Were a malicious Java applet that exploited this vulnerability loaded and run in Safari under Mac OS X, it could lead to file access, file deletion, or, in conjunction with a privilege escalation vulnerability, access to system-level processes and complete system control.
Intego predicts just such an applet will appear shortly. "[T]he publicity around this vulnerability will mean that hackers are likely to attempt to exploit it quickly, before Apple issues a security update," the company said in the note that it posted to generate publicity around this vulnerability.