Mac OS X Users Warned About Java Vulnerability

SoyLatte, an X11-based port of the FreeBSD Java 1.6 "patchset" to Mac OS X Intel machines, is also reportedly vulnerable.

Thomas Claburn, Editor at Large, Enterprise Mobility

May 20, 2009

2 Min Read

Mac OS X users are being warned to disable Java applets in their Web browsers and to disable the "Open 'safe' files after downloading" preference in Safari because of a Java vulnerability.

The Java vulnerability (CVE-2008-5353) was publicly disclosed five months ago by Sun Microsystems and fixed. But Apple, which released Mac OS 10.5.7 with nearly 70 security fixes earlier this month, has not yet dealt with the issue.

"Apple has been aware of this vulnerability for at least five months, since it was made public, but has neglected to issue a security update to protect against this issue," Mac security company Intego said in a security advisory Wednesday.

This isn't the first time Apple has been criticized for failing to respond to security concerns in a timely manner. Last September, someone using the name "Securfrog" published code to crash QuickTime after allegedly being ignored by Apple. And last August, security researchers said Apple didn't move fast enough to fix the DNS flaw identified by Dan Kaminsky.

SoyLatte, an X11-based port of the FreeBSD Java 1.6 "patchset" to Mac OS X Intel machines, is also reportedly vulnerable.

Intego says that it hasn't found any malware in the wild that's attempting to exploit this vulnerability.

But programmer Landon Fuller claims otherwise and on Tuesday released proof-of-concept exploit code to demonstrate that the Java hole needs to be patched.

"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller said in a blog post. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept to demonstrate the issue."

Were a malicious Java applet that exploited this vulnerability loaded and run in Safari under Mac OS X, it could lead to file access, file deletion, or, in conjunction with a privilege escalation vulnerability, access to system-level processes and complete system control.

Intego predicts just such an applet will appear shortly. "[T]he publicity around this vulnerability will mean that hackers are likely to attempt to exploit it quickly, before Apple issues a security update," the company said in the note that it posted to generate publicity around this vulnerability.

Attend a virtual event on budget-minded security for small and midsize businesses. The event is available on demand. Find out more and register.

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights